Merge remote-tracking branch 'origin/edr_integration'

openprocurement · May 22, 2017 · b34836b · b34836b
2 parents 555ca94 + c82cdc5
commit b34836b
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 1 deletion.
diff --git a/openprocurement/tender/openua/tests/auth.ini b/openprocurement/tender/openua/tests/auth.ini
@@ -18,4 +18,7 @@ broker05 = broker05
 reviewer = reviewer
 
 [admins]
-test = token
+test = token
+
+[bots]
+bot = bot
diff --git a/openprocurement/tender/openua/tests/award.py b/openprocurement/tender/openua/tests/award.py
@@ -2358,6 +2358,44 @@ def test_patch_tender_award_document(self):
         self.assertEqual(response.content_type, 'application/json')
         self.assertEqual(response.json['errors'][0]["description"], "Can't update document in current (complete) tender status")
 
+    def test_create_award_document_bot(self):
+        old = self.app.authorization
+        self.app.authorization = ('Basic', ('bot', 'bot'))
+        response = self.app.post('/tenders/{}/awards/{}/documents'.format(
+            self.tender_id, self.award_id), upload_files=[('file', 'edr_request.yaml', 'content')])
+        self.assertEqual(response.status, '201 Created')
+        self.assertEqual(response.content_type, 'application/json')
+        doc_id = response.json["data"]['id']
+        self.assertIn(doc_id, response.headers['Location'])
+        self.assertEqual('edr_request.yaml', response.json["data"]["title"])
+        if self.docservice:
+            self.assertIn('Signature=', response.json["data"]["url"])
+            self.assertIn('KeyID=', response.json["data"]["url"])
+            self.assertNotIn('Expires=', response.json["data"]["url"])
+            key = response.json["data"]["url"].split('/')[-1].split('?')[0]
+            tender = self.db.get(self.tender_id)
+            self.assertIn(key, tender['awards'][-1]['documents'][-1]["url"])
+            self.assertIn('Signature=', tender['awards'][-1]['documents'][-1]["url"])
+            self.assertIn('KeyID=', tender['awards'][-1]['documents'][-1]["url"])
+            self.assertNotIn('Expires=', tender['awards'][-1]['documents'][-1]["url"])
+        self.app.authorization = old
+
+    def test_patch_not_author(self):
+        authorization = self.app.authorization
+        self.app.authorization = ('Basic', ('bot', 'bot'))
+        response = self.app.post('/tenders/{}/awards/{}/documents'.format(self.tender_id, self.award_id),
+                                 upload_files=[('file', 'name.doc', 'content')])
+        self.assertEqual(response.status, '201 Created')
+        self.assertEqual(response.content_type, 'application/json')
+        doc_id = response.json["data"]['id']
+        self.assertIn(doc_id, response.headers['Location'])
+        self.app.authorization = authorization
+        response = self.app.patch_json('/tenders/{}/awards/{}/documents/{}?acc_token={}'.format(self.tender_id, self.award_id, doc_id, self.tender_token),
+                                       {"data": {"description": "document description"}}, status=403)
+        self.assertEqual(response.status, '403 Forbidden')
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(response.json['errors'][0]["description"], "Can update document only author")
+
 
 class Tender2LotAwardDocumentResourceTest(BaseTenderUAContentWebTest):
     initial_status = 'active.qualification'

diff --git a/openprocurement/tender/openua/tests/tender.py b/openprocurement/tender/openua/tests/tender.py
@@ -1212,6 +1212,29 @@ def test_tender_Administrator_change(self):
         self.assertEqual(response.content_type, 'application/json')
         self.assertEqual(response.json['data']['mode'], u'test')
 
+    def test_patch_not_author(self):
+        response = self.app.post_json('/tenders', {'data': test_tender_data})
+        self.assertEqual(response.status, '201 Created')
+        tender = response.json['data']
+        owner_token = response.json['access']['token']
+
+        authorization = self.app.authorization
+        self.app.authorization = ('Basic', ('bot', 'bot'))
+
+        response = self.app.post('/tenders/{}/documents'.format(tender['id']),
+                                 upload_files=[('file', 'name.doc', 'content')])
+        self.assertEqual(response.status, '201 Created')
+        self.assertEqual(response.content_type, 'application/json')
+        doc_id = response.json["data"]['id']
+        self.assertIn(doc_id, response.headers['Location'])
+
+        self.app.authorization = authorization
+        response = self.app.patch_json('/tenders/{}/documents/{}?acc_token={}'.format(tender['id'], doc_id, owner_token),
+                                       {"data": {"description": "document description"}}, status=403)
+        self.assertEqual(response.status, '403 Forbidden')
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(response.json['errors'][0]["description"], "Can update document only author")
+
 
 class TenderUAProcessTest(BaseTenderUAWebTest):
 

diff --git a/openprocurement/tender/openua/views/award_document.py b/openprocurement/tender/openua/views/award_document.py
@@ -23,4 +23,8 @@ def validate_award_document(self, operation):
             self.request.errors.add('body', 'data', 'Can\'t {} document with accepted complaint')
             self.request.errors.status = 403
             return
+        if operation == 'update' and self.request.authenticated_role != (self.context.author or 'tender_owner'):
+            self.request.errors.add('url', 'role', 'Can update document only author')
+            self.request.errors.status = 403
+            return
         return True
diff --git a/openprocurement/tender/openua/views/tender_document.py b/openprocurement/tender/openua/views/tender_document.py
@@ -24,6 +24,10 @@ def validate_update_tender(self, operation):
             self.request.errors.add('body', 'data', 'tenderPeriod should be extended by {0.days} days'.format(TENDERING_EXTRA_PERIOD))
             self.request.errors.status = 403
             return
+        if operation == 'update' and self.request.authenticated_role != (self.context.author or 'tender_owner'):
+            self.request.errors.add('url', 'role', 'Can update document only author')
+            self.request.errors.status = 403
+            return
         return True
 
     @json_view(permission='upload_tender_documents', validators=(validate_file_upload,))
@@ -32,6 +36,7 @@ def collection_post(self):
         if not self.validate_update_tender('add'):
             return
         document = upload_file(self.request)
+        document.author = self.request.authenticated_role
         self.context.documents.append(document)
         if self.request.authenticated_role == 'tender_owner' and self.request.validated['tender_status'] == 'active.tendering':
             self.context.invalidate_bids_data()