Added tests

Author: adamspd

appointment/tests/test_views.py

@@ -224,6 +224,41 @@ def test_delete_appointment_ajax(self):
         appointment_exists = Appointment.objects.filter(pk=self.appointment.id).exists()
         self.assertFalse(appointment_exists, "Appointment should be deleted but still exists.")
 
+    def test_delete_appointment_without_permission(self):
+        """Test that deleting an appointment without permission fails."""
+        self.need_staff_login()  # Login as a regular staff user
+
+        # Try to delete an appointment belonging to a different staff member
+        different_appointment = self.create_appointment_for_user2()
+        url = reverse('appointment:delete_appointment', args=[different_appointment.id])
+
+        response = self.client.post(url)
+
+        # Check that the user is redirected due to lack of permissions
+        self.assertEqual(response.status_code, 403)
+
+        # Verify that the appointment still exists in the database
+        self.assertTrue(Appointment.objects.filter(id=different_appointment.id).exists())
+
+    def test_delete_appointment_ajax_without_permission(self):
+        """Test that deleting an appointment via AJAX without permission fails."""
+        self.need_staff_login()  # Login as a regular staff user
+
+        # Try to delete an appointment belonging to a different staff member
+        different_appointment = self.create_appointment_for_user2()
+        url = reverse('appointment:delete_appointment_ajax')
+
+        response = self.client.post(url, {'appointment_id': different_appointment.id}, content_type='application/json')
+
+        # Check that the response indicates failure due to lack of permissions
+        self.assertEqual(response.status_code, 403)
+        response_data = response.json()
+        self.assertEqual(response_data['message'], _("You can only delete your own appointments."))
+        self.assertFalse(response_data['success'])
+
+        # Verify that the appointment still exists in the database
+        self.assertTrue(Appointment.objects.filter(id=different_appointment.id).exists())
+
     def test_remove_staff_member(self):
         self.need_superuser_login()
         self.clean_staff_member_objects()

appointment/utils/permissions.py

@@ -27,3 +27,11 @@ def check_permissions(staff_user_id, user):
     if (staff_user_id and int(staff_user_id) == user.pk) or user.is_superuser:
         return True
     return False
+
+
+def has_permission_to_delete_appointment(user, appointment):
+    """
+    Check if the user has permission to delete the given appointment.
+    Returns True if the user has permission, False otherwise.
+    """
+    return check_extensive_permissions(appointment.get_staff_member().user_id, user, appointment)

appointment/views_admin.py

@@ -33,7 +33,8 @@
 from appointment.utils.json_context import (
     convert_appointment_to_json, get_generic_context, get_generic_context_with_extra, handle_unauthorized_response,
     json_response)
-from appointment.utils.permissions import check_extensive_permissions, check_permissions
+from appointment.utils.permissions import check_extensive_permissions, check_permissions, \
+    has_permission_to_delete_appointment
 
 
 ###############################################################
@@ -454,6 +455,8 @@ def delete_service(request, service_id):
 
 ###############################################################
 # Remove staff member
+@require_user_authenticated
+@require_superuser
 def remove_staff_member(request, staff_user_id):
     staff_member = get_object_or_404(StaffMember, user_id=staff_user_id)
     staff_member.delete()
@@ -491,7 +494,7 @@ def get_service_list(request, response_type='html'):
 @require_staff_or_superuser
 def delete_appointment(request, appointment_id):
     appointment = get_object_or_404(Appointment, pk=appointment_id)
-    if not check_extensive_permissions(appointment.get_staff_member().user_id, request.user, appointment):
+    if not has_permission_to_delete_appointment(request.user, appointment):
         message = _("You can only delete your own appointments.")
         return handle_unauthorized_response(request, message, 'html')
     appointment.delete()
@@ -505,7 +508,7 @@ def delete_appointment_ajax(request):
     data = json.loads(request.body)
     appointment_id = data.get("appointment_id")
     appointment = get_object_or_404(Appointment, pk=appointment_id)
-    if not check_extensive_permissions(appointment.get_staff_member().user_id, request.user, appointment):
+    if not has_permission_to_delete_appointment(request.user, appointment):
         message = _("You can only delete your own appointments.")
         return json_response(message, status=403, success=False, error_code=ErrorCode.NOT_AUTHORIZED)
     appointment.delete()