Add test cases for assets for staff

josh1248 · josh1248 · commit 66b5b4cba3fe · 2024-10-13T20:29:43.000+08:00
Create test cases to indicate that non-admin staff can only read assets,
but not create, modify, or delete them.
diff --git a/lib/cadet_web/router.ex b/lib/cadet_web/router.ex
@@ -136,7 +136,6 @@ defmodule CadetWeb.Router do
   scope "/v2/courses/:course_id/admin", CadetWeb do
     pipe_through([:api, :auth, :ensure_auth, :course, :ensure_admin])
 
-    get("/assets/:foldername", AdminAssetsController, :index)
     post("/assets/:foldername/*filename", AdminAssetsController, :upload)
     delete("/assets/:foldername/*filename", AdminAssetsController, :delete)
 
@@ -189,6 +188,8 @@ defmodule CadetWeb.Router do
       :get_score_leaderboard
     )
 
+    get("/assets/:foldername", AdminAssetsController, :index)
+
     get("/grading", AdminGradingController, :index)
     get("/grading/summary", AdminGradingController, :grading_summary)
 
diff --git a/test/cadet_web/admin_controllers/admin_assets_controller_test.exs b/test/cadet_web/admin_controllers/admin_assets_controller_test.exs
@@ -68,6 +68,35 @@ defmodule CadetWeb.AdminAssetsControllerTest do
     end
   end
 
+  describe "read-only permission for staff" do
+    @tag authenticate: :staff
+    test "GET /assets/:foldername", %{conn: conn} do
+      course_id = conn.assigns.course_id
+      conn = get(conn, build_url(course_id, "testFolder"), %{})
+      assert response(conn, 200) =~ "OK"
+    end
+
+    @tag authenticate: :staff
+    test "DELETE /assets/:foldername/*filename", %{conn: conn} do
+      course_id = conn.assigns.course_id
+      conn = delete(conn, build_url(course_id, "testFolder/testFile.png"))
+
+      assert response(conn, 403) =~ "Forbidden"
+    end
+
+    @tag authenticate: :staff
+    test "POST /assets/:foldername/*filename", %{conn: conn} do
+      course_id = conn.assigns.course_id
+
+      conn =
+        post(conn, build_url(course_id, "testFolder/testFile.png"), %{
+          :upload => build_upload("test/fixtures/upload.png")
+        })
+
+      assert response(conn, 403) =~ "Forbidden"
+    end
+  end
+
   describe "inaccessible folder name" do
     @tag authenticate: :staff
     test "index files", %{conn: conn} do
