Change updateUser endpoint to updateStaffUser

Endpoint only works for staff users, and there is now need for another user update endpoint that can update other user data.
City-of-Helsinki · Oct 8, 2024 · 16dd1ae · 16dd1ae
1 parent 443444d
commit 16dd1ae
Show file tree

Hide file tree

Showing 10 changed files with 138 additions and 114 deletions.
diff --git a/tests/test_graphql_api/test_user/helpers.py b/tests/test_graphql_api/test_user/helpers.py
@@ -1,5 +1,7 @@
 from functools import partial
 
-from graphene_django_extensions.testing import build_query
+from graphene_django_extensions.testing import build_mutation, build_query
 
 current_user_query = partial(build_query, "currentUser")
+
+STAFF_UPDATE_MUTATION = build_mutation("updateStaffUser", "UserStaffUpdateMutation")
diff --git a/tests/test_graphql_api/test_user/test_update.py b/tests/test_graphql_api/test_user/test_update.py
diff --git a/tests/test_graphql_api/test_user/test_update_permissions.py b/tests/test_graphql_api/test_user/test_update_permissions.py
diff --git a/tests/test_graphql_api/test_user/test_update_staff.py b/tests/test_graphql_api/test_user/test_update_staff.py
@@ -0,0 +1,29 @@
+import pytest
+
+from tests.factories import UserFactory
+from tilavarauspalvelu.enums import ReservationNotification
+
+from .helpers import STAFF_UPDATE_MUTATION
+
+# Applied to all tests
+pytestmark = [
+    pytest.mark.django_db,
+]
+
+
+def test_user__update_staff(graphql):
+    user = UserFactory.create_superuser(reservation_notification=ReservationNotification.ONLY_HANDLING_REQUIRED)
+
+    data = {
+        "pk": user.pk,
+        "reservationNotification": ReservationNotification.NONE.value.upper(),
+    }
+
+    graphql.force_login(user)
+    response = graphql(STAFF_UPDATE_MUTATION, input_data=data)
+
+    assert response.has_errors is False
+    assert response.first_query_object["pk"] == user.pk
+
+    user.refresh_from_db()
+    assert user.reservation_notification == ReservationNotification.NONE
diff --git a/tests/test_graphql_api/test_user/test_update_staff_permissions.py b/tests/test_graphql_api/test_user/test_update_staff_permissions.py
@@ -0,0 +1,84 @@
+import pytest
+
+from tests.factories import UserFactory
+from tilavarauspalvelu.enums import ReservationNotification, UserRoleChoice
+
+from .helpers import STAFF_UPDATE_MUTATION
+
+# Applied to all tests
+pytestmark = [
+    pytest.mark.django_db,
+]
+
+
+def test_user__update__superuser(graphql):
+    user = UserFactory.create_superuser(reservation_notification=ReservationNotification.ONLY_HANDLING_REQUIRED)
+    graphql.force_login(user)
+
+    data = {
+        "pk": user.pk,
+        "reservationNotification": ReservationNotification.NONE.value.upper(),
+    }
+    response = graphql(STAFF_UPDATE_MUTATION, input_data=data)
+
+    assert response.has_errors is False
+
+    user.refresh_from_db()
+    assert user.reservation_notification == ReservationNotification.NONE
+
+
+def test_user__update__anonymous_user(graphql):
+    user = UserFactory.create(reservation_notification=ReservationNotification.ONLY_HANDLING_REQUIRED)
+
+    data = {
+        "pk": user.pk,
+        "reservationNotification": ReservationNotification.NONE.value.upper(),
+    }
+    response = graphql(STAFF_UPDATE_MUTATION, input_data=data)
+
+    assert response.error_message() == "No permission to update."
+
+
+def test_user__update__cannot_update_other_user(graphql):
+    user = UserFactory.create_superuser(reservation_notification=ReservationNotification.ONLY_HANDLING_REQUIRED)
+    graphql.login_with_regular_user()
+
+    data = {
+        "pk": user.pk,
+        "reservationNotification": ReservationNotification.NONE.value.upper(),
+    }
+    response = graphql(STAFF_UPDATE_MUTATION, input_data=data)
+
+    assert response.error_message() == "No permission to update."
+
+
+def test_user__update__regular_user(graphql):
+    user = UserFactory.create(reservation_notification=ReservationNotification.ONLY_HANDLING_REQUIRED)
+    graphql.force_login(user)
+
+    data = {
+        "pk": user.pk,
+        "reservationNotification": ReservationNotification.NONE.value.upper(),
+    }
+    response = graphql(STAFF_UPDATE_MUTATION, input_data=data)
+
+    assert response.error_message() == "No permission to update."
+
+
+def test_user__update__admin_user(graphql):
+    user = UserFactory.create_with_general_role(
+        role=UserRoleChoice.ADMIN,
+        reservation_notification=ReservationNotification.ONLY_HANDLING_REQUIRED,
+    )
+    graphql.force_login(user)
+
+    data = {
+        "pk": user.pk,
+        "reservationNotification": ReservationNotification.NONE.value.upper(),
+    }
+    response = graphql(STAFF_UPDATE_MUTATION, input_data=data)
+
+    assert response.has_errors is False
+
+    user.refresh_from_db()
+    assert user.reservation_notification == ReservationNotification.NONE
diff --git a/tilavarauspalvelu/api/graphql/mutations.py b/tilavarauspalvelu/api/graphql/mutations.py
@@ -75,7 +75,7 @@
 from .types.resource.mutations import ResourceCreateMutation, ResourceDeleteMutation, ResourceUpdateMutation
 from .types.space.mutations import SpaceCreateMutation, SpaceDeleteMutation, SpaceUpdateMutation
 from .types.unit.mutations import UnitUpdateMutation
-from .types.user.mutations import UserUpdateMutation
+from .types.user.mutations import UserStaffUpdateMutation
 
 __all__ = [
     "AllocatedTimeSlotCreateMutation",
@@ -134,5 +134,5 @@
     "SpaceDeleteMutation",
     "SpaceUpdateMutation",
     "UnitUpdateMutation",
-    "UserUpdateMutation",
+    "UserStaffUpdateMutation",
 ]
diff --git a/tilavarauspalvelu/api/graphql/schema.py b/tilavarauspalvelu/api/graphql/schema.py
@@ -75,7 +75,7 @@
     SpaceDeleteMutation,
     SpaceUpdateMutation,
     UnitUpdateMutation,
-    UserUpdateMutation,
+    UserStaffUpdateMutation,
 )
 from .queries import (
     AgeGroupNode,
@@ -345,7 +345,7 @@ class Mutation(graphene.ObjectType):
     refresh_order = RefreshOrderMutation.Field()
     #
     # User
-    update_user = UserUpdateMutation.Field()
+    update_staff_user = UserStaffUpdateMutation.Field()
     #
     # Misc.
     create_banner_notification = BannerNotificationCreateMutation.Field()

diff --git a/tilavarauspalvelu/api/graphql/types/user/mutations.py b/tilavarauspalvelu/api/graphql/types/user/mutations.py
@@ -1,10 +1,14 @@
 from graphene_django_extensions import UpdateMutation
 
-from .permissions import UserPermission
-from .serializers import UserUpdateSerializer
+from .permissions import UserStaffPermission
+from .serializers import UserStaffUpdateSerializer
 
+__all__ = [
+    "UserStaffUpdateMutation",
+]
 
-class UserUpdateMutation(UpdateMutation):
+
+class UserStaffUpdateMutation(UpdateMutation):
     class Meta:
-        serializer_class = UserUpdateSerializer
-        permission_classes = [UserPermission]
+        serializer_class = UserStaffUpdateSerializer
+        permission_classes = [UserStaffPermission]
diff --git a/tilavarauspalvelu/api/graphql/types/user/permissions.py b/tilavarauspalvelu/api/graphql/types/user/permissions.py
@@ -11,7 +11,7 @@
     from tilavarauspalvelu.typing import AnyUser
 
 __all__ = [
-    "UserPermission",
+    "UserStaffPermission",
 ]
 
 
@@ -28,6 +28,12 @@ def has_filter_permission(cls, user: AnyUser, filters: GraphQLFilterInfo) -> boo
     def has_mutation_permission(cls, user: AnyUser, input_data: dict[str, Any]) -> bool:
         return False
 
+    @classmethod
+    def has_update_permission(cls, instance: User, user: AnyUser, input_data: dict[str, Any]) -> bool:
+        return user == instance  # Can only update own information.
+
+
+class UserStaffPermission(BasePermission):
     @classmethod
     def has_update_permission(cls, instance: User, user: AnyUser, input_data: dict[str, Any]) -> bool:
         if user != instance:  # Can only update self.

diff --git a/tilavarauspalvelu/api/graphql/types/user/serializers.py b/tilavarauspalvelu/api/graphql/types/user/serializers.py
@@ -3,11 +3,11 @@
 from tilavarauspalvelu.models import User
 
 __all__ = [
-    "UserUpdateSerializer",
+    "UserStaffUpdateSerializer",
 ]
 
 
-class UserUpdateSerializer(NestingModelSerializer):
+class UserStaffUpdateSerializer(NestingModelSerializer):
     class Meta:
         model = User
         fields = [