Skip to content

Commit ece579f

Browse files
alex-cotsalex-cots
authored
Merge pull request #502 from CodeForPhilly/visit-ID-required-for-sep-data-473
Visit ID required for sep data closes #473
2 parents 24095c9 + 6f5a8df commit ece579f

File tree

2 files changed

+12
-6
lines changed

2 files changed

+12
-6
lines changed

core/sep_data/views.py

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
from rest_framework.exceptions import PermissionDenied
12
from core.viewsets import ModelViewSet
23
from core.models import SepData
34
from core.sep_data.serializers import SepDataSerializer
@@ -11,3 +12,8 @@ def get_queryset(self):
1112
if visit_id is not None:
1213
queryset = queryset.filter(visit_id=visit_id)
1314
return queryset
15+
16+
def list(self, request, *args, **kwargs):
17+
if 'visit_id' not in self.request.query_params:
18+
raise PermissionDenied('Sep data must be queried by visit id.')
19+
return super().list(request, *args, **kwargs)

core/tests/sep_data.py

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,4 @@
11
import json
2-
from django.utils import timezone
32
from django.urls import reverse
43
from rest_framework import status
54
from core.models import SepData
@@ -18,21 +17,22 @@ class Sep_DataTestCase(BaseTestCase):
1817

1918
def test_get_sep_data_admin_and_ip(self):
2019
"""
21-
Ensure we can get a list of visits as admin and internal provider
20+
Ensure even high permission users cannot access all sep data objects at once.
2221
"""
2322
header1 = self.auth_headers_for_user("admin")
2423
url = reverse("sepdata-list")
2524
res1 = self.client.get(url, format="json", follow=True, **header1)
25+
expected_content = {'detail': 'Sep data must be queried by visit id.'}
2626

27-
self.assertEqual(res1.status_code, status.HTTP_200_OK)
28-
self.assertEqual(SepData.objects.count(), len(json.loads(res1.content)))
27+
self.assertEqual(res1.status_code, status.HTTP_403_FORBIDDEN)
28+
self.assertEqual(expected_content, json.loads(res1.content))
2929

3030
header2 = self.auth_headers_for_user("internal_provider")
3131
url = reverse("sepdata-list")
3232
res2 = self.client.get(url, format="json", follow=True, **header2)
3333

34-
self.assertEqual(res2.status_code, status.HTTP_200_OK)
35-
self.assertEqual(SepData.objects.count(), len(json.loads(res2.content)))
34+
self.assertEqual(res2.status_code, status.HTTP_403_FORBIDDEN)
35+
self.assertEqual(expected_content, json.loads(res2.content))
3636

3737
def test_get_sep_auth_denial_unauthorized(self):
3838
"""

0 commit comments

Comments
 (0)