tweak permissions for 400 error code and add test cases

Johnetordoff · Dec 13, 2024 · e34b928 · e34b928
1 parent a024264
commit e34b928
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 5 deletions.
diff --git a/api/requests/permissions.py b/api/requests/permissions.py
@@ -1,4 +1,4 @@
-from rest_framework import permissions as drf_permissions
+from rest_framework import exceptions, permissions as drf_permissions
 
 from api.base.utils import get_user_auth
 from osf.models import (
@@ -71,14 +71,17 @@ def has_permission(self, request, view):
 
         institution_id = request.data.get('institution')
         if not institution_id:
-            return False
+            raise exceptions.ValidationError({'institution': 'Institution is required.'})
 
         try:
             institution = Institution.objects.get(_id=institution_id)
         except Institution.DoesNotExist:
-            return False
+            raise exceptions.ValidationError({'institution': 'Institution is does not exist.'})
 
-        return get_user_auth(request).user.is_institutional_admin(institution)
+        if get_user_auth(request).user.is_institutional_admin(institution):
+            return True
+        else:
+            raise exceptions.PermissionDenied({'institution': 'You do not have permission to perform this action for this institution.'})
 
 
 class PreprintRequestPermission(drf_permissions.BasePermission):

diff --git a/api_tests/requests/views/test_node_request_list.py b/api_tests/requests/views/test_node_request_list.py
@@ -141,6 +141,10 @@ def url(self, project):
     def institution(self):
         return InstitutionFactory()
 
+    @pytest.fixture()
+    def institution2(self):
+        return InstitutionFactory()
+
     @pytest.fixture()
     def user_with_affiliation(self, institution):
         user = AuthUserFactory()
@@ -202,7 +206,7 @@ def test_non_admin_cant_make_institutional_request(self, app, project, noncontri
         """
         res = app.post_json_api(url, create_payload, auth=noncontrib.auth, expect_errors=True)
         assert res.status_code == 403
-        assert 'You do not have permission to perform this action' in res.json['errors'][0]['detail']
+        assert 'You do not have permission to perform this action for this institution.' in res.json['errors'][0]['detail']
 
     def test_institutional_admin_can_add_requested_permission(self, app, project, institutional_admin, url, create_payload):
         """
@@ -218,6 +222,38 @@ def test_institutional_admin_can_add_requested_permission(self, app, project, in
         assert node_request.request_type == NodeRequestTypes.INSTITUTIONAL_REQUEST.value
         assert node_request.requested_permissions == 'admin'
 
+    def test_institutional_admin_needs_institution(self, app, project, institutional_admin, url, create_payload):
+        """
+        Test that the payload needs the institution relationship and gives the correct error message.
+        """
+        del create_payload['data']['relationships']['institution']
+
+        res = app.post_json_api(url, create_payload, auth=institutional_admin.auth, expect_errors=True)
+        assert res.status_code == 400
+        assert 'Institution is required.' in res.json['errors'][0]['detail']
+
+    def test_institutional_admin_invalid_institution(self, app, project, institutional_admin, url, create_payload):
+        """
+        Test that the payload validates the institution relationship and gives the correct error message when it's
+        invalid.
+        """
+        create_payload['data']['relationships']['institution']['data']['id'] = 'invalid_id'
+
+        res = app.post_json_api(url, create_payload, auth=institutional_admin.auth, expect_errors=True)
+        assert res.status_code == 400
+        assert 'Institution is does not exist.' in res.json['errors'][0]['detail']
+
+    def test_institutional_admin_unauth_institution(self, app, project, institution2, institutional_admin, url, create_payload):
+        """
+        Test that the view authenticates the relationship between the institution and the user and gives the correct
+        error message when it's unauthorized.'
+        """
+        create_payload['data']['relationships']['institution']['data']['id'] = institution2._id
+
+        res = app.post_json_api(url, create_payload, auth=institutional_admin.auth, expect_errors=True)
+        assert res.status_code == 403
+        assert 'You do not have permission to perform this action for this institution.' in res.json['errors'][0]['detail']
+
     @mock.patch('api.requests.serializers.send_mail')
     def test_email_not_sent_without_recipient(self, mock_mail, app, project, institutional_admin, url,
                                                  create_payload, institution):