diff --git a/backend/app/models/event.py b/backend/app/models/event.py
index 52a3c2c..0523e08 100644
--- a/backend/app/models/event.py
+++ b/backend/app/models/event.py
@@ -76,8 +76,8 @@ class Event(mixin.RowId, EventBase, table=True):
 # --- back_populates links -------------------------------------------------
 # --- many-to-many links ---------------------------------------------------
- user_links: list["EventUserLink"] = Relationship(back_populates="event")
- team_links: list["Team"] = Relationship(back_populates="event")
+ user_links: list["EventUserLink"] = Relationship(back_populates="event", cascade_delete=True)
+ team_links: list["Team"] = Relationship(back_populates="event", cascade_delete=True)
 # --- CRUD actions ---------------------------------------------------------
 @classmethod
diff --git a/backend/app/tests/api/routes/test_events.py b/backend/app/tests/api/routes/test_events.py
index 1c0d95d..4b87563 100644
--- a/backend/app/tests/api/routes/test_events.py
+++ b/backend/app/tests/api/routes/test_events.py
@@ -4,7 +4,9 @@ from fastapi.testclient import TestClient
 from sqlmodel import Session
 from app.core.config import settings
+from app.models.user import PermissionRight
 from app.tests.utils.event import create_random_event
+from app.tests.utils.user import create_random_user, authentication_token_from_user
 def test_create_event(client: TestClient, superuser_token_headers: dict[str, str]) -> None:
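Review bot: In backend/app/models/event.py, `cascade_delete=True` on `user_links` and `team_links` is an ORM-level cascade, so it only runs when the event is deleted through the session; nothing in this hunk makes the database enforce it. If the foreign keys on `EventUserLink` and `Team` (not shown here) lack `ondelete="CASCADE"`, a bulk or raw delete of an event would either fail on the constraint or leave permission link rows pointing at a missing event, so it is worth confirming those `Field(...)` definitions. `team_links` is annotated `list["Team"]`, so this cascade removes the `Team` rows themselves rather than link rows; a comment such as `# deleting an event also deletes its teams` would make that intent explicit. The `Event` class body continues outside the hunk.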
@@ -169,10 +171,55 @@ def test_delete_event_not_enough_permissions(
 assert content["detail"] == "Not enough permissions"
+def test_delete_event_admin_user(
+ client: TestClient, db: Session
+) -> None:
+ event = create_random_event(db)
+ user = create_random_user(db)
+ event.add_user(user=user, rights=PermissionRight.ADMIN, session=db)
+
+ response = client.delete(
+ f"{settings.API_V1_STR}/events/{event.id}",
+ headers=authentication_token_from_user(db=db, user=user, client=client),
+ )
+ assert response.status_code == 200
+ content = response.json()
+ assert content["message"] == "Event deleted successfully"
+
+
+def test_delete_event_not_enough_permissions_for_this_event(
+ client: TestClient, db: Session
+) -> None:
+ event = create_random_event(db)
+ user = create_random_user(db)
+
+ response = client.delete(
+ f"{settings.API_V1_STR}/events/{event.id}",
+ headers=authentication_token_from_user(db=db, user=user, client=client),
+ )
+ assert response.status_code == 400
+ content = response.json()
+ assert content["detail"] == "Not enough permissions"
+
+
+def test_delete_event_event_user_read_only_rights(
+ client: TestClient, db: Session
+) -> None:
+ event = create_random_event(db)
+ user = create_random_user(db)
+ event.add_user(user=user, rights=PermissionRight.READ, session=db)
+
+ response = client.delete(
+ f"{settings.API_V1_STR}/events/{event.id}",
+ headers=authentication_token_from_user(db=db, user=user, client=client),
+ )
+ assert response.status_code == 400
+ content = response.json()
+ assert content["detail"] == "Not enough permissions"
+
+
 # TODO: Add user (super, less rights, own rights, more rights) (*** user without rights)
 # TODO: Edit user rights (super, less rights, own rights, more rights) (*** user without rights)
 # TODO: Remove user (*** user without rights)
 # TODO: Remove own user (is allowed)
 # TODO: Remove not linked user
-# TODO: Remove event when no rights
-# TODO: Remove event when READ rights
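Review bot: The three new delete tests assert only on the HTTP response, so the two rejection tests would still pass if the handler removed the event before answering "Not enough permissions", and `test_delete_event_admin_user` would pass if the row or its links were left behind. Capture `event_id = event.id` before the request, then in the rejection tests add `db.expire_all()` and `assert db.get(Event, event_id) is not None` (this needs `Event` imported from `app.models.event`), and assert `is None` in the admin test. Only `PermissionRight.READ` and `PermissionRight.ADMIN` are exercised; if the enum has a level between them, which is not visible here, the highest non-admin right is the boundary case worth covering. The expected status 400 presumably mirrors the existing not-enough-permissions test, though 403 is the conventional code for an authorization failure.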
diff --git a/backend/app/tests/utils/user.py b/backend/app/tests/utils/user.py
index ee5b0ed..6b84198 100644
--- a/backend/app/tests/utils/user.py
+++ b/backend/app/tests/utils/user.py
@@ -46,3 +46,20 @@ def authentication_token_from_email(
 user = User.update(session=db, db_obj=user, in_obj=user_in_update)
 return user_authentication_headers(client=client, email=email, password=password)
+
+
+def authentication_token_from_user(
+ *, client: TestClient, user: User, db: Session
+) -> dict[str, str]:
+ """
+ Return a valid token for the user with given email.
+
+ If the user doesn't exist it is created first.
+ """
+ password = random_lower_string()
+ user_in_update = UserUpdate(password=password)
+ if not user.id:
+ raise Exception("User id not set")
+ user = User.update(session=db, db_obj=user, in_obj=user_in_update)
+
+ return user_authentication_headers(client=client, email=str(user.email), password=password)
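Review bot: The docstring on `authentication_token_from_user` appears to be carried over from `authentication_token_from_email` and does not match the body: nothing is looked up by email or created, the function raises when `user.id` is unset, and it overwrites the user's password with a random one before logging in. Replace it with a docstring stating that it resets the given persisted user's password to a random value, returns the authentication headers for that user, and raises if the user has no id. The password reset is a side effect worth documenting, since any credentials a test already held for that user stop working after the call. `raise Exception("User id not set")` would be clearer as `raise ValueError("User id not set")`.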