Only the owner should be authorized to alter the status of the pet, t…

…he change_status view should accept only the POST method
jllorencetti · Nov 7, 2016 · 45391ab · 45391ab
1 parent 4c9221c
commit 45391ab
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 9 deletions.
diff --git a/pets/meupet/tests/test_change_status_view.py b/pets/meupet/tests/test_change_status_view.py
@@ -0,0 +1,43 @@
+from django.core.urlresolvers import reverse
+from django.test import TestCase
+
+from model_mommy import mommy
+
+from meupet.models import Pet
+from users.models import OwnerProfile
+
+
+class ChangeStatusViewTest(TestCase):
+    def setUp(self):
+        super(ChangeStatusViewTest, self).setUp()
+
+        self.admin = OwnerProfile.objects.create_user(
+            username='admin',
+            password='admin',
+        )
+        self.pet = mommy.make(Pet, status=Pet.FOR_ADOPTION, owner=self.admin)
+
+    def test_change_status(self):
+        """Updates status of the pet from 'For Adoption' to 'Adopted'"""
+        self.client.login(username='admin', password='admin')
+
+        self.client.post(reverse('meupet:change_status', args=[self.pet.slug]))
+
+        self.pet.refresh_from_db()
+
+        self.assertEqual(Pet.ADOPTED, self.pet.status)
+
+    def test_only_owner_can_update_pet(self):
+        """Only the ownser should be able to change the pet's status"""
+        response = self.client.post(reverse('meupet:change_status', args=[self.pet.slug]))
+
+        self.pet.refresh_from_db()
+
+        self.assertEqual(Pet.FOR_ADOPTION, self.pet.status)
+        self.assertRedirects(response, self.pet.get_absolute_url())
+
+    def test_only_accept_post_method(self):
+        """View should only accept http POST method"""
+        response = self.client.get(reverse('meupet:change_status', args=[self.pet.slug]))
+
+        self.assertEqual(405, response.status_code)
diff --git a/pets/meupet/tests/tests.py b/pets/meupet/tests/tests.py
@@ -307,15 +307,6 @@ def test_show_pet_sex(self):
 
         self.assertContains(response, 'Fêmea')
 
-    def test_change_status_and_show_status_label(self):
-        """Updates status of the pet from 'For Adoption' to 'Adopted'"""
-        pet = self.create_pet(status=Pet.FOR_ADOPTION)
-        self.client.post(reverse('meupet:change_status', args=[pet.slug]))
-
-        response = self.client.get(reverse('meupet:index'))
-
-        self.assertContains(response, '<h2 class="text-center"><span>Adotado! :)</span></h2>')
-
     def test_get_pets_unpublished(self):
         """Manager method should return pets not published on Facebook yet"""
         pet = self.create_pet()

diff --git a/pets/meupet/views.py b/pets/meupet/views.py
@@ -5,6 +5,7 @@
 from django.db.models import Q
 from django.http import HttpResponseRedirect, Http404
 from django.shortcuts import get_object_or_404, render
+from django.views.decorators.http import require_POST
 from django.views.generic import ListView, CreateView, \
     UpdateView, View
 
@@ -132,8 +133,13 @@ def delete_pet(request, slug):
         return HttpResponseRedirect(pet.get_absolute_url())
 
 
+@require_POST
 def change_status(request, slug):
     pet = get_object_or_404(models.Pet, slug=slug)
+
+    if request.user != pet.owner:
+        return HttpResponseRedirect(pet.get_absolute_url())
+
     pet.change_status()
     return HttpResponseRedirect(reverse('meupet:detail', kwargs={'pk_or_slug': pet.slug}))