Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Visit ID required for sep data 473 #502

Merged
merged 1 commit into from
Feb 17, 2021
Merged

Visit ID required for sep data 473 #502

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions core/sep_data/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
from rest_framework.exceptions import PermissionDenied
from core.viewsets import ModelViewSet
from core.models import SepData
from core.sep_data.serializers import SepDataSerializer
Expand All @@ -11,3 +12,8 @@ def get_queryset(self):
if visit_id is not None:
queryset = queryset.filter(visit_id=visit_id)
return queryset

def list(self, request, *args, **kwargs):
if 'visit_id' not in self.request.query_params:
raise PermissionDenied('Sep data must be queried by visit id.')
return super().list(request, *args, **kwargs)
12 changes: 6 additions & 6 deletions core/tests/sep_data.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
import json
from django.utils import timezone
from django.urls import reverse
from rest_framework import status
from core.models import SepData
Expand All @@ -18,21 +17,22 @@ class Sep_DataTestCase(BaseTestCase):

def test_get_sep_data_admin_and_ip(self):
"""
Ensure we can get a list of visits as admin and internal provider
Ensure even high permission users cannot access all sep data objects at once.
"""
header1 = self.auth_headers_for_user("admin")
url = reverse("sepdata-list")
res1 = self.client.get(url, format="json", follow=True, **header1)
expected_content = {'detail': 'Sep data must be queried by visit id.'}

self.assertEqual(res1.status_code, status.HTTP_200_OK)
self.assertEqual(SepData.objects.count(), len(json.loads(res1.content)))
self.assertEqual(res1.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(expected_content, json.loads(res1.content))

header2 = self.auth_headers_for_user("internal_provider")
url = reverse("sepdata-list")
res2 = self.client.get(url, format="json", follow=True, **header2)

self.assertEqual(res2.status_code, status.HTTP_200_OK)
self.assertEqual(SepData.objects.count(), len(json.loads(res2.content)))
self.assertEqual(res2.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(expected_content, json.loads(res2.content))

def test_get_sep_auth_denial_unauthorized(self):
"""
Expand Down