Merge pull request #1430 from open-zaak/feature/1429-restrict-delete-…

…for-locked-documents restrict delete for locked documents
open-zaak · Aug 14, 2023 · 056c8c9 · 056c8c9
2 parents e7a65e7 + baeb3ca
commit 056c8c9
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 2 deletions.
diff --git a/bin/postman_tests.sh b/bin/postman_tests.sh
@@ -2,7 +2,7 @@
 
 set -x
 
-POSTMAN_TESTS_REF=fb877260d421a4b909fb8b46884174ddd3633b90
+POSTMAN_TESTS_REF=0fb70d0e38d91db1697ca6d4801e039e839579e6
 
 # These client IDs and secrets are dummy variables that are only used by
 # the Docker build in Travis, so they can be public
@@ -31,7 +31,7 @@ until [ "$status" = "200" ]; do
 done
 
 # Download and execute the ZGW postman tests
-wget https://raw.githubusercontent.com/VNG-Realisatie/gemma-postman-tests/$POSTMAN_TESTS_REF/$1 -O $1
+wget https://raw.githubusercontent.com/annashamray/gemma-postman-tests/$POSTMAN_TESTS_REF/$1 -O $1
 
 # Run the tests using the newman library for nodejs
 node bin/newman_tests.js \

diff --git a/src/openzaak/components/documenten/api/viewsets.py b/src/openzaak/components/documenten/api/viewsets.py
@@ -236,6 +236,16 @@ def perform_destroy(self, instance):
                 code="pending-relations",
             )
 
+        if instance.canonical.lock:
+            raise ValidationError(
+                {
+                    api_settings.NON_FIELD_ERRORS_KEY: _(
+                        "Locked objects cannot be destroyed"
+                    )
+                },
+                code="destroy-locked",
+            )
+
         instance.destroy()
 
     @property

diff --git a/src/openzaak/components/documenten/tests/test_enkelvoudiginformatieobject.py b/src/openzaak/components/documenten/tests/test_enkelvoudiginformatieobject.py
@@ -396,6 +396,18 @@ def test_destroy_with_relations_not_allowed(self):
         error = get_validation_errors(response, "nonFieldErrors")
         self.assertEqual(error["code"], "pending-relations")
 
+    def test_destroy_locked_not_allowed(self):
+        eio = EnkelvoudigInformatieObjectFactory.create()
+        url = reverse(eio)
+        self.client.post(f"{url}/lock")
+
+        response = self.client.delete(url)
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        error = get_validation_errors(response, "nonFieldErrors")
+        self.assertEqual(error["code"], "destroy-locked")
+        self.assertTrue(EnkelvoudigInformatieObject.objects.filter(id=eio.id).exists())
+
     def test_validate_unknown_query_params(self):
         EnkelvoudigInformatieObjectFactory.create_batch(2)
         url = reverse(EnkelvoudigInformatieObject)
@@ -627,6 +639,7 @@ def test_eio_delete(self):
         )
         lock = self.client.post(f"{eio_url}/lock").data["lock"]
         self.client.patch(eio_url, {"beschrijving": "beschrijving2", "lock": lock})
+        self.client.post(f"{eio_url}/unlock", {"lock": lock})
 
         response = self.client.delete(eio_url)
         self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)

diff --git a/src/openzaak/components/documenten/tests/test_enkelvoudiginformatieobject_cmis.py b/src/openzaak/components/documenten/tests/test_enkelvoudiginformatieobject_cmis.py
@@ -622,6 +622,7 @@ def test_eio_delete(self):
         )
         lock = self.client.post(f"{eio_url}/lock").data["lock"]
         self.client.patch(eio_url, {"beschrijving": "beschrijving2", "lock": lock})
+        self.client.post(f"{eio_url}/unlock", {"lock": lock})
 
         response = self.client.delete(eio_url)
         self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)