Merge pull request #2100 from antgonza/fix-edit_check_access

fixing edit check access
qiita-spots · Apr 5, 2017 · a8946bf · a8946bf
2 parents c309aa6 + 1acc9b2
commit a8946bf
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/qiita_pet/handlers/study_handlers/base.py b/qiita_pet/handlers/study_handlers/base.py
@@ -62,6 +62,7 @@ def get(self):
 
 
 class StudyDeleteAjax(BaseHandler):
+    @authenticated
     def post(self):
         study_id = self.get_argument('study_id')
         self.write(study_delete_req(int(study_id), self.current_user.id))

diff --git a/qiita_pet/handlers/study_handlers/edit_handlers.py b/qiita_pet/handlers/study_handlers/edit_handlers.py
@@ -166,7 +166,7 @@ def _check_study_exists_and_user_access(self, study_id):
             raise HTTPError(404, "Study %s does not exist" % study_id)
 
         # We need to check if the user has access to the study
-        check_access(self.current_user, study)
+        check_access(self.current_user, study, raise_error=True)
         return study
 
     def _get_study_person_id(self, index, new_people_info):

diff --git a/qiita_pet/handlers/study_handlers/tests/test_edit_handlers.py b/qiita_pet/handlers/study_handlers/tests/test_edit_handlers.py
@@ -7,9 +7,12 @@
 # The full license is in the file LICENSE, distributed with this software.
 # -----------------------------------------------------------------------------
 from unittest import main
+from mock import Mock
 
+from qiita_pet.handlers.base_handlers import BaseHandler
 from qiita_pet.test.tornado_test_base import TestHandlerBase
 from qiita_db.study import StudyPerson, Study
+from qiita_db.user import User
 from qiita_db.util import get_count, check_count
 
 
@@ -126,13 +129,27 @@ def test_post_edit_blank_doi(self):
             'principal_investigator': study_info['principal_investigator'].id,
             'lab_person': study_info['lab_person'].id}
 
-        self.post('/study/edit/1', post_data)
-
+        response = self.post('/study/edit/1', post_data)
+        self.assertEqual(response.code, 200)
         # Check that the study was updated
         self.assertTrue(check_count('qiita.study', study_count_before))
         self.assertEqual(study.title, 'New title - test post edit')
         self.assertEqual(study.publications, [])
 
+        # check for failure
+        old_title = post_data['study_title']
+        post_data['study_title'] = 'My new title!'
+        shared = User('shared@foo.bar')
+        study.unshare(shared)
+        BaseHandler.get_current_user = Mock(return_value=shared)
+        response = self.post('/study/edit/1', post_data)
+        self.assertEqual(response.code, 403)
+        # Check that the study wasn't updated
+        self.assertEqual(study.title, old_title)
+
+        # returning sharing
+        study.share(shared)
+
 
 class TestCreateStudyAJAX(TestHandlerBase):
     def test_get(self):