@@ -111,12 +111,18 @@ def testDeletePermissions(self):
111111 """The delete view should only be accessible to 'moderators'"""
112112 comments = self .createSomeComments ()
113113 pk = comments [0 ].pk
114- self .client .login (username = "normaluser" , password = "normaluser" )
114+
115+ # Test that we redirect to login page if not logged in.
115116 response = self .client .get ("/delete/%d/" % pk )
116117 self .assertRedirects (response ,
117118 "/accounts/login/?next=/delete/%d/" % pk ,
118119 fetch_redirect_response = False )
119120
121+ # Test that we return forbidden if you're logged in but don't have access.
122+ self .client .login (username = "normaluser" , password = "normaluser" )
123+ response = self .client .get ("/delete/%d/" % pk )
124+ self .assertEqual (response .status_code , 403 )
125+
120126 makeModerator ("normaluser" )
121127 response = self .client .get ("/delete/%d/" % pk )
122128 self .assertEqual (response .status_code , 200 )
@@ -185,14 +191,21 @@ def testApprovePermissions(self):
185191 """The approve view should only be accessible to 'moderators'"""
186192 comments = self .createSomeComments ()
187193 pk = comments [0 ].pk
188- self .client .login (username = "normaluser" , password = "normaluser" )
194+
195+ # Test that we redirect to login page if not logged in.
189196 response = self .client .get ("/approve/%d/" % pk )
190197 self .assertRedirects (
191198 response ,
192199 "/accounts/login/?next=/approve/%d/" % pk ,
193200 fetch_redirect_response = False
194201 )
195202
203+ # Test that we return forbidden if you're logged in but don't have access.
204+ self .client .login (username = "normaluser" , password = "normaluser" )
205+ response = self .client .get ("/approve/%d/" % pk )
206+ self .assertEqual (response .status_code , 403 )
207+
208+ # Verify that moderators can view this view.
196209 makeModerator ("normaluser" )
197210 response = self .client .get ("/approve/%d/" % pk )
198211 self .assertEqual (response .status_code , 200 )
0 commit comments