[#49] [GREEN] implemented API for company to browse application by vacancy, and revised some tests

core/tests/test_vacancies.py

@@ -5,8 +5,8 @@ from django.contrib.auth.models import User
 from rest_framework import status
 from rest_framework.test import APITestCase
 
-from core.models.accounts import Company
-from core.models.vacancies import Vacancy
+from core.models.accounts import Company, Student
+from core.models.vacancies import Vacancy, Application
 
 
 class ApplicationTests(APITestCase):
@@ -170,19 +170,115 @@ class VacancyTest(APITestCase):
 
 class CompanyListsTests(APITestCase):
 
-    def test_company_vacancy_list_exist(self):
+    def test_company_vacancy_list(self):
         new_user = User.objects.create_user('dummy.company3', 'dummy.company3@company.com', 'lalala123')
         new_company = Company.objects.create(user=new_user, description="lalala", status=Company.VERIFIED, logo=None, address=None)
 
-        url = '/api/companies/' + str(new_company.pk) + '/vacancies'
-        response = self.client.post(url, format='json')
+        self.client.force_authenticate(new_user)
+
+        url = '/api/companies/' + str(new_company.pk) + '/vacancies/'
+        response = self.client.get(url, format='json')
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
-    def test_company_application_list_exist(self):
+    def test_company_vacancy_list_unauthorized(self):
+        new_user = User.objects.create_user('dummy.company3', 'dummy.company3@company.com', 'lalala123')
+        new_company = Company.objects.create(user=new_user, description="lalala", status=Company.VERIFIED, logo=None, address=None)
+
+        new_user2 = User.objects.create_user('dummy.companyzxc', 'dummy.companyzxc@company.com', 'lalala123')
+        new_company2 = Company.objects.create(user=new_user2, description="lalalaasdsad", status=Company.VERIFIED, logo=None,
+                                             address=None)
+
+        self.client.force_authenticate(new_user2)
+
+        url = '/api/companies/' + str(new_company.pk) + '/vacancies/'
+        response = self.client.get(url, format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_company_application_list(self):
         new_user = User.objects.create_user('dummy.company4', 'dummy.company4@company.com', 'lalala123')
         new_company = Company.objects.create(user=new_user, description="lalala", status=Company.VERIFIED, logo=None,
                                              address=None)
 
-        url = '/api/companies/' + str(new_company.pk) + '/applications'
-        response = self.client.post(url, format='json')
+        self.client.force_authenticate(new_user)
+
+        url = '/api/companies/' + str(new_company.pk) + '/applications/'
+        response = self.client.get(url, format='json')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_company_application_list_unauthorized(self):
+        new_user = User.objects.create_user('dummy.company3', 'dummy.company3@company.com', 'lalala123')
+        new_company = Company.objects.create(user=new_user, description="lalala", status=Company.VERIFIED, logo=None,
+                                             address=None)
+
+        new_user2 = User.objects.create_user('dummy.companyzxc', 'dummy.companyzxc@company.com', 'lalala123')
+        new_company2 = Company.objects.create(user=new_user2, description="lalalaasdsad", status=Company.VERIFIED,
+                                              logo=None,
+                                              address=None)
+
+        self.client.force_authenticate(new_user2)
+
+        url = '/api/companies/' + str(new_company.pk) + '/applications/'
+        response = self.client.get(url, format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_company_application_list_by_vacancy(self):
+        new_user = User.objects.create_user('dummy.company3', 'dummy.company3@company.com', 'lalala123')
+        new_company = Company.objects.create(user=new_user, description="lalala", status=Company.VERIFIED, logo=None,
+                                             address=None)
+
+        new_user2 = User.objects.create_user('dummy.company4', 'dummy.company4@company.com', 'lalala123')
+        new_student = Student.objects.create(user=new_user2, npm=1234123412)
+
+        new_vacancy = Vacancy.objects.create(company=new_company, verified=True, open_time=datetime.fromtimestamp(0),
+                                             description="lalala", close_time=datetime.today())
+        new_app = Application.objects.create(student=new_student, vacancy=new_vacancy, cover_letter="asdasdasd")
+
+        self.client.force_authenticate(new_user)
+
+        url = '/api/companies/' + str(new_company.pk) + '/applications/' + str(new_vacancy.pk) + '/by_vacancy/'
+        response = self.client.get(url, format='json')
         self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_company_application_list_by_vacancy_unauthorized_1(self):
+        new_user = User.objects.create_user('dummy.company3', 'dummy.company3@company.com', 'lalala123')
+        new_company = Company.objects.create(user=new_user, description="lalala", status=Company.VERIFIED, logo=None,
+                                             address=None)
+
+        new_user2 = User.objects.create_user('dummy.student', 'dummy.company3@company.com', 'lalala123')
+        new_student = Student.objects.create(user=new_user2, npm=1234123412)
+
+        new_vacancy = Vacancy.objects.create(company=new_company, verified=True, open_time=datetime.fromtimestamp(0),
+                                             description="lalala", close_time=datetime.today())
+        new_app = Application.objects.create(student=new_student, vacancy=new_vacancy, cover_letter="asdasdasd")
+
+        new_user3 = User.objects.create_user('dummy.company4', 'dummy.company4@company.com', 'lalala123')
+        new_company3 = Company.objects.create(user=new_user3, description="lalala", status=Company.VERIFIED, logo=None,
+                                             address=None)
+
+        self.client.force_authenticate(new_user3)
+
+        url = '/api/companies/' + str(new_company.pk) + '/applications/' + str(new_vacancy.pk) + '/by_vacancy/'
+        response = self.client.get(url, format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_company_application_list_by_vacancy_unauthorized_2(self):
+        new_user = User.objects.create_user('dummy.company3', 'dummy.company3@company.com', 'lalala123')
+        new_company = Company.objects.create(user=new_user, description="lalala", status=Company.VERIFIED, logo=None,
+                                             address=None)
+
+        new_user2 = User.objects.create_user('dummy.student', 'dummy.company3@company.com', 'lalala123')
+        new_student = Student.objects.create(user=new_user2, npm=1234123412)
+
+        new_vacancy = Vacancy.objects.create(company=new_company, verified=True, open_time=datetime.fromtimestamp(0),
+                                             description="lalala", close_time=datetime.today())
+        new_app = Application.objects.create(student=new_student, vacancy=new_vacancy, cover_letter="asdasdasd")
+
+        new_user3 = User.objects.create_user('dummy.company4', 'dummy.company4@company.com', 'lalala123')
+        new_company3 = Company.objects.create(user=new_user3, description="lalala", status=Company.VERIFIED, logo=None,
+                                              address=None)
+
+        self.client.force_authenticate(new_user3)
+
+        url = '/api/companies/' + str(new_company3.pk) + '/applications/' + str(new_vacancy.pk) + '/by_vacancy/'
+        response = self.client.get(url, format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
\ No newline at end of file

core/views/vacancies.py

@@ -108,6 +108,8 @@ class CompanyApplicationViewSet(viewsets.GenericViewSet):
         ---
         """
         company = get_object_or_404(Company.objects.all(), pk=company_id)
+        if not request.user.is_superuser and request.user != company.user:
+            return Response({"error": "forbidden"}, status=status.HTTP_403_FORBIDDEN)
         vacancies = Vacancy.objects.filter(company=company)
         applications = Application.objects.filter(vacancy__in=vacancies)
         if 'status' in request.query_params:
@@ -117,6 +119,23 @@ class CompanyApplicationViewSet(viewsets.GenericViewSet):
             return self.get_paginated_response(ApplicationSerializer(page, many=True, context={'request': request}).data)
         return Response(ApplicationSerializer(applications, many=True, context={'request': request}).data)
 
+    @detail_route(methods=["get"])
+    def by_vacancy(self, request, company_id, pk=None):
+        if pk is None:
+            return list(self, request, company_id)
+        company = get_object_or_404(Company.objects.all().order_by('-updated'), pk=company_id)
+        if not request.user.is_superuser and request.user != company.user:
+            return Response({"error": "forbidden"}, status=status.HTTP_403_FORBIDDEN)
+        vacancy = get_object_or_404(Vacancy.objects.all(), pk=pk)
+        if vacancy.company != company:
+            return Response({"error": "forbidden"}, status=status.HTTP_403_FORBIDDEN)
+        applications = Application.objects.filter(vacancy=vacancy)
+        page = self.paginate_queryset(applications)
+        if page is not None:
+            return self.get_paginated_response(
+                ApplicationSerializer(page, many=True, context={'request': request}).data)
+        return Response(ApplicationSerializer(applications, many=True, context={'request': request}).data)
+
 
 class CompanyApplicationStatusViewSet(viewsets.GenericViewSet):
     queryset = Application.objects.all()
@@ -158,6 +177,8 @@ class CompanyVacanciesViewSet(viewsets.GenericViewSet):
         ---
         """
         company = get_object_or_404(Company.objects.all().order_by('-updated'), pk=company_id)
+        if not request.user.is_superuser and request.user != company.user:
+            return Response({"error": "forbidden"}, status=status.HTTP_403_FORBIDDEN)
         vacancies = Vacancy.objects.filter(company=company)
         page = self.paginate_queryset(vacancies)
         if page is not None: