finish implement and test students API permissions

oser_cs/tests/test_api/test_student_api.py

@@ -13,16 +13,34 @@ class StudentEndpointsTest(HyperlinkedAPITestCase):
     factory = StudentFactory
     serializer_class = StudentSerializer
 
-    def test_list(self):
+    def perform_list(self):
         response = self.client.get('/api/students/')
-        self.assertEqual(response.status_code, 200)
+        return response
 
-    def test_retrieve(self):
+    def test_list_anonymous_is_forbidden(self):
+        """Test anonymous users cannot list students."""
+        self.assertForbidden(self.perform_list, user=None)
+
+    def test_list_authenticated_is_allowed(self):
+        """Test an authenticated user can list students."""
+        self.assertAuthorized(self.perform_list, user=UserFactory.create(),
+                              expected_status_code=status.HTTP_200_OK)
+
+    def perform_retrieve(self):
         obj = self.factory.create()
         response = self.client.get(f'/api/students/{obj.pk}/')
-        self.assertEqual(response.status_code, 200)
+        return response
+
+    def test_retrieve_anonymous_is_forbidden(self):
+        """Test anonymous users cannot retrieve a student."""
+        self.assertForbidden(self.perform_list, user=None)
 
-    def test_create(self):
+    def test_retrieve_authenticated_is_allowed(self):
+        """Test an authenticated user can retrieve a student."""
+        self.assertAuthorized(self.perform_retrieve, user=UserFactory.create(),
+                              expected_status_code=status.HTTP_200_OK)
+
+    def perform_create(self):
         url = '/api/students/'
         user = UserFactory.create()
         tutoring_group = TutoringGroupFactory.create()
@@ -31,28 +49,87 @@ class StudentEndpointsTest(HyperlinkedAPITestCase):
                                  school=tutoring_group.school)
         data = self.serialize(obj, 'post', url)
         response = self.client.post(url, data, format='json')
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED,
-                         response.data)
+        return response
+
+    def test_create_anonymous_is_allowed(self):
+        """Test anonymous users can create a new student.
 
-    def test_update(self):
+        (Provided they are authenticated into the API.)
+        """
+        self.assertAuthorized(self.perform_create, user=None,
+                              expected_status_code=status.HTTP_201_CREATED)
+
+    def perform_update(self, obj=None):
+        if obj is None:
             obj = self.factory.create()
         url = f'/api/students/{obj.pk}/'
         data = self.serialize(obj, 'put', url)
         data['address'] = 'Modified address'
         response = self.client.put(url, data, format='json')
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        return response
+
+    def test_update_anonymous_is_forbidden(self):
+        """Test anonymous users cannot update a student."""
+        self.assertForbidden(self.perform_update, user=None)
+
+    def test_update_authenticated_is_forbidden(self):
+        """Test an authenticated user cannot update any student."""
+        self.assertForbidden(self.perform_update, user=UserFactory.create())
+
+    def test_update_authenticated_self_is_allowed(self):
+        """Test an authenticated user can update its student profile."""
+        obj = self.factory.create()
+        user = obj.user
+        self.assertAuthorized(lambda: self.perform_update(obj=obj), user=user,
+                              expected_status_code=status.HTTP_200_OK)
 
-    def test_partial_update(self):
+    def perform_partial_update(self, obj=None):
+        if obj is None:
             obj = self.factory.create()
         response = self.client.patch(f'/api/students/{obj.pk}/',
                                      data={'address': 'Modified address'},
                                      format='json')
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        return response
+
+    def test_partial_update_anonymous_is_forbidden(self):
+        """Test anonymous users cannot partially update a student."""
+        self.assertForbidden(self.perform_partial_update, user=None)
+
+    def test_partial_update_authenticated_is_forbidden(self):
+        """Test an authenticated user cannot partially update any student."""
+        self.assertForbidden(self.perform_partial_update,
+                             user=UserFactory.create())
+
+    def test_partial_update_authenticated_self_is_allowed(self):
+        """Test authenticated user can partially update its student profile."""
+        obj = self.factory.create()
+        user = obj.user
+        self.assertAuthorized(lambda: self.perform_partial_update(obj=obj),
+                              user=user,
+                              expected_status_code=status.HTTP_200_OK)
 
-    def test_delete(self):
+    def perform_delete(self, obj=None):
+        if obj is None:
             obj = self.factory.create()
         response = self.client.delete(f'/api/students/{obj.pk}/')
-        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+        return response
+
+    def test_delete_anonymous_is_forbidden(self):
+        """Test anonymous users cannot delete a student."""
+        self.assertForbidden(self.perform_delete, user=None)
+
+    def test_delete_authenticated_is_forbidden(self):
+        """Test an authenticated user cannot delete any student."""
+        self.assertForbidden(self.perform_delete,
+                             user=UserFactory.create())
+
+    def test_delete_authenticated_self_is_allowed(self):
+        """Test authenticated user can delete its student profile."""
+        obj = self.factory.create()
+        user = obj.user
+        self.assertAuthorized(lambda: self.perform_delete(obj=obj),
+                              user=user,
+                              expected_status_code=status.HTTP_204_NO_CONTENT)
 
     def test_retrieve_tutoring_group(self):
         pass  # TODO

oser_cs/tests/test_api/test_users_api.py

@@ -18,11 +18,11 @@ class UserEndpointsTest(HyperlinkedAPITestCase):
         return response
 
     def test_list_anonymous_is_forbidden(self):
-        """Visitors cannot list users."""
+        """Test anonymous user cannot list users."""
         self.assertForbidden(self.perform_list, user=None)
 
     def test_list_authenticated_is_allowed(self):
-        """Test that authenticated can list users."""
+        """Test that authenticated user can list users."""
         self.assertAuthorized(self.perform_list, user=UserFactory.create(),
                               expected_status_code=status.HTTP_200_OK)
 

oser_cs/tests/test_users/test_school_staff_member.py

@@ -33,7 +33,8 @@ class SchoolStaffMemberTestCase(ModelTestCase):
         self.obj = SchoolStaffMemberFactory.create()
 
     def test_get_absolute_url(self):
-        response = self.client.get(f'/api/schoolstaffmembers/{self.obj.pk}/')
+        url = self.obj.get_absolute_url()
+        response = self.client.get(url)
         self.assertEqual(200, response.status_code)
 
     def test_school_one_to_many_relationship(self):

oser_cs/tests/test_users/test_student.py

@@ -3,7 +3,7 @@
 from django.contrib.auth import get_user_model
 from users.models import Student
 
-from tests.factory import StudentFactory
+from tests.factory import StudentFactory, UserFactory
 from tests.utils import ModelTestCase
 
 
@@ -32,5 +32,7 @@ class StudentTestCase(ModelTestCase):
         self.obj = StudentFactory.create()
 
     def test_get_absolute_url(self):
-        response = self.client.get(f'/api/students/{self.obj.pk}/')
+        self.client.force_login(UserFactory.create())
+        url = self.obj.get_absolute_url()
+        response = self.client.get(url)
         self.assertEqual(200, response.status_code)

oser_cs/tests/test_users/test_tutor.py

@@ -31,5 +31,6 @@ class TutorTestCase(ModelTestCase):
         self.obj = TutorFactory.create()
 
     def test_get_absolute_url(self):
-        response = self.client.get(f'/api/tutors/{self.obj.pk}/')
+        url = self.obj.get_absolute_url()
+        response = self.client.get(url)
         self.assertEqual(200, response.status_code)

oser_cs/tests/test_users/test_user.py

@@ -81,7 +81,8 @@ class UserModelTest(ModelTestCase):
 
     def test_get_absolute_url(self):
         self.client.force_login(self.obj)
-        response = self.client.get(f'/api/users/{self.obj.pk}/')
+        url = self.obj.get_absolute_url()
+        response = self.client.get(url)
         self.assertEqual(200, response.status_code)
 
     def test_two_users_with_same_username_allowed(self):

oser_cs/users/models/profiles.py

@@ -3,6 +3,7 @@
 from django.db import models
 from django.apps import apps
 from django.shortcuts import reverse
+from dry_rest_permissions.generics import authenticated_users
 from ..utils import get_promotion_range
 from ..apps import UsersConfig
 
@@ -121,6 +122,24 @@ class Student(Profile):
     def get_absolute_url(self):
         return reverse('api:student-detail', args=[str(self.id)])
 
+    @staticmethod
+    @authenticated_users
+    def has_read_permission(request):
+        return True
+
+    @authenticated_users
+    def has_object_read_permission(self, request):
+        return True
+
+    @staticmethod
+    def has_write_permission(request):
+        """Anyone can create a student object."""
+        return True
+
+    @authenticated_users
+    def has_object_write_permission(self, request):
+        return request.user.id == self.user.id
+
 
 class Tutor(Profile):
     """Represents a tutor profile.

oser_cs/users/views.py

@@ -71,6 +71,7 @@ class StudentViewSet(viewsets.ModelViewSet):
 
     queryset = Student.objects.all()
     serializer_class = StudentSerializer
+    permission_classes = (DRYPermissions,)
 
 
 class SchoolStaffMemberViewSet(ListModelMixin,