fixed permission check, added test to make sure it works as it should

TIHLDE · Jan 23, 2025 · f83c0b4 · f83c0b4
1 parent 62bded3
commit f83c0b4
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 10 deletions.
diff --git a/app/payment/models/order.py b/app/payment/models/order.py
@@ -7,9 +7,11 @@
     BasePermissionModel,
     check_has_access,
     is_admin_user,
+    is_index_user,
 )
 from app.content.models.event import Event
 from app.content.models.user import User
+from app.group.models.membership import Membership
 from app.payment.enums import OrderStatus
 from app.util.models import BaseModel
 
@@ -40,12 +42,36 @@ def __str__(self):
         return f"{self.user} - {self.event.title if self.event else ['slettet']} - {self.status} - {self.created_at}"
 
     @classmethod
-    def has_update_permission(cls, request, order):
+    def has_update_permission(cls, request):
         if check_has_access(cls.update_access, request):
             return True
 
-        if order.event and order.event.organizer:
-            return request.user.groups.filter(id=order.event.organizer.id).exists()
+        order_id = request.parser_context.get("kwargs", {}).get("pk")
+        print(f"Order ID: {order_id}")
+
+        if order_id:
+            try:
+                order = Order.objects.get(order_id=order_id)
+                print(f"Order: {order}")
+
+                if order.event.organizer and order.event.organizer.slug:
+                    is_member = Membership.objects.filter(
+                        user=request.user,
+                        group=order.event.organizer,
+                    ).exists()
+
+                    if is_member:
+                        print(
+                            f"User is a member of the organizer group: {order.event.organizer}"
+                        )
+                        return True
+                    else:
+                        print(
+                            f"User is not a member of the organizer group: {order.event.organizer}"
+                        )
+                        return False
+            except Order.DoesNotExist:
+                return False
 
         return False
 

diff --git a/app/payment/views/vipps_util.py b/app/payment/views/vipps_util.py
@@ -2,6 +2,7 @@
 from rest_framework.decorators import api_view
 from rest_framework.response import Response
 
+from app.payment.models import Order
 from app.payment.serializers import CheckPaymentSerializer
 from app.payment.util.payment_utils import get_payment_order_status
 
@@ -24,9 +25,7 @@ def check_vipps_payment(self, request, *args, **kwargs):
             status=status.HTTP_404_NOT_FOUND,
         )
 
-    order = orders.first()
-
-    if not order.has_object_update_permission(request):
+    if not Order.has_update_permission(self.request):
         return Response(
             {"detail": "Du har ikke tilgang til å oppdatere denne ordren."},
             status=status.HTTP_403_FORBIDDEN,

diff --git a/app/tests/payment/test_order_integration.py b/app/tests/payment/test_order_integration.py
@@ -3,7 +3,9 @@
 import pytest
 
 from app.common.enums import AdminGroup
-from app.group.factories import GroupFactory
+from app.common.enums import NativeMembershipType as MembershipType
+from app.content.models import User
+from app.group.factories import GroupFactory, MembershipFactory
 from app.group.models import Group
 from app.payment.enums import OrderStatus
 from app.payment.factories import OrderFactory
@@ -117,14 +119,33 @@ def test_update_order_as_member(member, order):
 
 
 @pytest.mark.django_db
-@pytest.mark.parametrize("group_name", [*AdminGroup.admin()])
+@pytest.mark.parametrize("group_name", [AdminGroup.INDEX])
 def test_update_order_as_admin_user(member, order, group_name):
-    """An index and HS user should not be able to update an order."""
+    """An index user should be able to update an order."""
     add_user_to_group_with_name(member, group_name)
     client = get_api_client(user=member)
     data = {"status": OrderStatus.SALE}
     response = client.put(get_orders_url_detail(order.order_id), data=data)
-    assert response.status_code == status.HTTP_403_FORBIDDEN
+    assert response.status_code == status.HTTP_200_OK
+
+
+@pytest.mark.django_db
+def test_update_order_as_organizer(member, event, order):
+    """Test that members of the organizing group (e.g., SOSIALEN) can update an order."""
+    organizer_group = GroupFactory(name=AdminGroup.SOSIALEN)
+    add_user_to_group_with_name(member, organizer_group.name)
+
+    event.organizer = organizer_group
+    event.save()
+
+    order.event = event
+    order.save()
+
+    data = {"status": OrderStatus.SALE}
+    client = get_api_client(user=member)
+
+    response = client.put(get_orders_url_detail(order.order_id), data=data)
+    assert response.status_code == status.HTTP_200_OK
 
 
 @pytest.mark.django_db