Only set creator when creating task (#80)

* Only set creator when creating task * allow blank form input, use clean func to keep old val * remove unneeded created_date assignment * add test
shacker · Jul 30, 2019 · 2d40ef4 · 2d40ef4
1 parent 7f576c9
commit 2d40ef4
Show file tree

Hide file tree

Showing 7 changed files with 88 additions and 2 deletions.
diff --git a/todo/forms.py b/todo/forms.py
@@ -49,6 +49,11 @@ def __init__(self, user, *args, **kwargs):
 
     note = forms.CharField(widget=forms.Textarea(), required=False)
 
+    def clean_created_by(self):
+        """Keep the existing created_by regardless of anything coming from the submitted form.
+        If creating a new task, then created_by will be None, but we set it before saving."""
+        return self.instance.created_by
+
     class Meta:
         model = Task
         exclude = []

diff --git a/todo/migrations/0011_auto_20190724_1130.py b/todo/migrations/0011_auto_20190724_1130.py
@@ -0,0 +1,20 @@
+# Generated by Django 2.1.8 on 2019-07-24 11:30
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('todo', '0010_attachment'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='task',
+            name='created_by',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='todo_created_by', to=settings.AUTH_USER_MODEL),
+        ),
+    ]
diff --git a/todo/models.py b/todo/models.py
@@ -78,6 +78,7 @@ class Task(models.Model):
     created_by = models.ForeignKey(
         settings.AUTH_USER_MODEL,
         null=True,
+        blank=True,
         related_name="todo_created_by",
         on_delete=models.CASCADE,
     )

diff --git a/todo/templates/todo/include/task_edit.html b/todo/templates/todo/include/task_edit.html
@@ -44,7 +44,6 @@
 
     <input type="hidden" name="priority"
       value="{% if form.priority.value %}{{ form.priority.value }}{% else %}999{% endif %}" id="id_priority">
-    <input type="hidden" name="created_by" value="{{ request.user.id }}" id="id_created_by">
     <input type="hidden" name="task_list" value="{{ form.task_list.value }}" id="id_task_list">
 
     <p>

diff --git a/todo/tests/conftest.py b/todo/tests/conftest.py
@@ -29,6 +29,12 @@ def todo_setup(django_user_model):
     Task.objects.create(created_by=u2, title="Task 2", task_list=tlist2, priority=2, completed=True)
     Task.objects.create(created_by=u2, title="Task 3", task_list=tlist2, priority=3)
 
+    # Add a third user for a test that needs two users in the same group.
+    extra_g2_user = django_user_model.objects.create_user(
+        username="extra_g2_user", password="password", email="extra_g2_user@example.com", is_staff=True
+    )
+    extra_g2_user.groups.add(g2)
+
 
 @pytest.fixture()
 # Set up an in-memory mail server to receive test emails

diff --git a/todo/tests/test_views.py b/todo/tests/test_views.py
@@ -133,6 +133,61 @@ def test_no_javascript_in_task_note(todo_setup, client):
     assert task.note == bleach.clean(note, strip=True)
 
 
+@pytest.mark.django_db
+def test_created_by_unchanged(todo_setup, client):
+
+    task_list = TaskList.objects.first()
+    u2 = get_user_model().objects.get(username="u2")
+    title = "Some Unique String with unique chars: ab78539e"
+    note = "a note"
+    data = {
+        "task_list": task_list.id,
+        "created_by": u2.id,
+        "priority": 10,
+        "title": title,
+        "note": note,
+        "add_edit_task": "Submit",
+    }
+
+    client.login(username="u2", password="password")
+    url_add_task = reverse("todo:list_detail", kwargs={"list_id": task_list.id, "list_slug": task_list.slug})
+
+    response = client.post(url_add_task, data)
+    assert response.status_code == 302
+
+    # Retrieve new task and compare created_by
+    task = Task.objects.get(title=title)
+    assert task.created_by == u2
+
+    # Now that we've created the task, edit it as another user.
+    # After saving, created_by should remain unchanged.
+    extra_g2_user = get_user_model().objects.get(username="extra_g2_user")
+
+    client.login(username="extra_g2_user", password="password")
+
+    url_edit_task = reverse("todo:task_detail", kwargs={"task_id": task.id})
+
+    dataTwo =  {
+        "task_list": task.task_list.id,
+        "created_by": extra_g2_user.id,   # this submission is attempting to change created_by
+        "priority": 10,
+        "title": task.title,
+        "note": "the note was changed",
+        "add_edit_task": "Submit",
+    }
+
+    response = client.post(url_edit_task, dataTwo)
+    assert response.status_code == 302
+
+    task.refresh_from_db()
+
+    # Proof that the task was saved:
+    assert task.note == "the note was changed"
+
+    # client was unable to modify created_by:
+    assert task.created_by == u2
+
+
 @pytest.mark.django_db
 def test_no_javascript_in_comments(todo_setup, client):
     user = get_user_model().objects.get(username="u2")

diff --git a/todo/views/list_detail.py b/todo/views/list_detail.py
@@ -51,7 +51,7 @@ def list_detail(request, list_id=None, list_slug=None, view_completed=False) ->
 
         if form.is_valid():
             new_task = form.save(commit=False)
-            new_task.created_date = timezone.now()
+            new_task.created_by = request.user
             new_task.note = bleach.clean(form.cleaned_data["note"], strip=True)
             form.save()