[#114] Bugfix: comment can be deleted by non-admin

e8b5462a · Dave Nathanael · 7b0a06ae · e8b5462a · e8b5462a
Commit e8b5462a authored Oct 14, 2020 by Dave Nathanael
--- a/app/tests.py
+++ b/app/tests.py
@@ -466,18 +466,43 @@ class DetailMateriTest(TestCase):
        self.assertNotContains(response, "Beri komentar...")
        self.assertContains(response, "Login terlebih dahulu untuk berkomentar")

-    def test_delete_comments_by_admin(self):
-        self.client.login(**self.contributor_credential)
+    def create_and_delete_comment(self, is_admin=False, is_contributor=False):
        url = self.url
+        self.client.login(**self.admin_credential)
        self.client.post(url, {"comment": "This is new comment by Anonymous"})
-        deleteURL = (
-            "/delete/"
-            + str(self.materi1.id)
-            + "/"
-            + str(Comment.objects.get(comment="This is new comment by Anonymous").id)
-        )
-        self.client.get(deleteURL)
-        self.assertEqual(Comment.objects.all().filter(comment="This is new comment by Anonymous").count(), 0)
+        deleteURL = "/delete/" + str(self.materi1.id) + "/" + str(
+            Comment.objects.get(comment="This is new comment by Anonymous").id)
+        if is_admin:
+            self.client.login(**self.admin_credential)
+        if is_contributor:
+            self.client.login(**self.contributor_credential)
+        if not is_admin and not is_contributor:
+            self.client.login(**self.anonymous_credential)
+        response = self.client.get(deleteURL)
+        return response
+
+    def test_delete_comments_by_admin(self):
+        self.create_and_delete_comment(is_admin=True)
+        count = Comment.objects.all().filter(comment="This is new comment by Anonymous").count()
+        self.assertEqual(count, 0)
+
+    def test_delete_comments_by_contributor(self):
+        response = self.create_and_delete_comment(is_contributor=True)
+
+        self.assertRaises(PermissionDenied)
+        self.assertEqual(response.status_code, 403)
+
+        count = Comment.objects.all().filter(comment="This is new comment by Anonymous").count()
+        self.assertEqual(count, 1)
+
+    def test_delete_comments_by_anonymous(self):
+        response = self.create_and_delete_comment()
+
+        self.assertRaises(PermissionDenied)
+        self.assertEqual(response.status_code, 403)
+
+        count = Comment.objects.all().filter(comment="This is new comment by Anonymous").count()
+        self.assertEqual(count, 1)

    def test_tombol_citasiAPA(self):
        response = self.client.get(self.url)

--- a/app/views.py
+++ b/app/views.py
@@ -236,6 +236,8 @@ def toggle_like(request):


 def delete_comment(request, pk_materi, pk_comment):
+    if not request.user.is_authenticated or not request.user.is_admin:
+        raise PermissionDenied(request)
    comment = get_object_or_404(Comment, pk=pk_comment)
    url = "/materi/" + str(pk_materi) + "/"
    comment.delete()