♻️(backend) refactor post hackathon to a first working version

This project was copied and hacked to make a POC in a 2-day hackathon.
We need to clean and refactor things in order to get a first version
of the product we want.

src/backend/core/tests/swagger/test_openapi_schema.py

@@ -23,7 +23,7 @@ def test_openapi_client_schema():
         "--api-version",
         "v1.0",
         "--urlconf",
-        "publish.api_urls",
+        "core.urls",
         "--format",
         "openapi-json",
         "--file",

src/backend/core/tests/teams/test_core_api_teams_create.py

@@ -1,50 +0,0 @@
-"""
-Tests for Teams API endpoint in publish's core app: create
-"""
-import pytest
-from rest_framework.test import APIClient
-from rest_framework_simplejwt.tokens import AccessToken
-
-from core.factories import IdentityFactory, TeamFactory, UserFactory
-from core.models import Team
-
-from ..utils import OIDCToken
-
-pytestmark = pytest.mark.django_db
-
-
-def test_api_teams_create_anonymous():
-    """Anonymous users should not be allowed to create teams."""
-    response = APIClient().post(
-        "/api/v1.0/teams/",
-        {
-            "name": "my team",
-        },
-    )
-
-    assert response.status_code == 401
-    assert not Team.objects.exists()
-
-
-def test_api_teams_create_authenticated():
-    """
-    Authenticated users should be able to create teams and should automatically be declared
-    as the owner of the newly created team.
-    """
-    identity = IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    response = APIClient().post(
-        "/api/v1.0/teams/",
-        {
-            "name": "my team",
-        },
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 201
-    team = Team.objects.get()
-    assert team.name == "my team"
-    assert team.accesses.filter(role="owner", user=user).exists()

src/backend/core/tests/teams/test_core_api_teams_delete.py

@@ -1,107 +0,0 @@
-"""
-Tests for Teams API endpoint in publish's core app: delete
-"""
-import pytest
-from rest_framework.test import APIClient
-from rest_framework_simplejwt.tokens import AccessToken
-
-from core import factories, models
-
-from ..utils import OIDCToken
-
-pytestmark = pytest.mark.django_db
-
-
-def test_api_teams_delete_anonymous():
-    """Anonymous users should not be allowed to destroy a team."""
-    team = factories.TeamFactory()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id!s}/",
-    )
-
-    assert response.status_code == 401
-    assert models.Team.objects.count() == 1
-
-
-def test_api_teams_delete_authenticated_unrelated():
-    """
-    Authenticated users should not be allowed to delete a team to which they are not
-    related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == 404
-    assert response.json() == {"detail": "Not found."}
-    assert models.Team.objects.count() == 1
-
-
-def test_api_teams_delete_authenticated_member():
-    """
-    Authenticated users should not be allowed to delete a team for which they are
-    only a member.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "member")])
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == 403
-    assert response.json() == {
-        "detail": "You do not have permission to perform this action."
-    }
-    assert models.Team.objects.count() == 1
-
-
-def test_api_teams_delete_authenticated_administrator():
-    """
-    Authenticated users should not be allowed to delete a team for which they are
-    administrator.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "administrator")])
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == 403
-    assert response.json() == {
-        "detail": "You do not have permission to perform this action."
-    }
-    assert models.Team.objects.count() == 1
-
-
-def test_api_teams_delete_authenticated_owner():
-    """
-    Authenticated users should be able to delete a team for which they are directly
-    owner.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "owner")])
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == 204
-    assert models.Team.objects.exists() is False

src/backend/core/tests/teams/test_core_api_teams_list.py

@@ -1,118 +0,0 @@
-"""
-Tests for Teams API endpoint in publish's core app: list
-"""
-from unittest import mock
-
-import pytest
-from rest_framework.pagination import PageNumberPagination
-from rest_framework.status import HTTP_200_OK, HTTP_401_UNAUTHORIZED
-from rest_framework.test import APIClient
-
-from core import factories, models
-from core.api import serializers
-
-from ..utils import OIDCToken
-
-pytestmark = pytest.mark.django_db
-
-
-def test_api_teams_list_anonymous():
-    """Anonymous users should not be allowed to list teams."""
-    factories.TeamFactory.create_batch(2)
-
-    response = APIClient().get("/api/v1.0/teams/")
-
-    assert response.status_code == HTTP_401_UNAUTHORIZED
-    assert response.json() == {
-        "detail": "Authentication credentials were not provided."
-    }
-
-
-def test_api_teams_list_authenticated():
-    """Authenticated users should be able to list teams they are an owner/administrator/member of."""
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    expected_ids = {
-        str(access.team.id)
-        for access in factories.TeamAccessFactory.create_batch(5, user=user)
-    }
-    factories.TeamFactory.create_batch(2)  # Other teams
-
-    response = APIClient().get(
-        "/api/v1.0/teams/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == HTTP_200_OK
-    results = response.json()["results"]
-    assert len(results) == 5
-    results_id = {result["id"] for result in results}
-    assert expected_ids == results_id
-
-
-@mock.patch.object(PageNumberPagination, "get_page_size", return_value=2)
-def test_api_teams_list_pagination(
-    _mock_page_size,
-):
-    """Pagination should work as expected."""
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team_ids = [
-        str(access.team.id)
-        for access in factories.TeamAccessFactory.create_batch(3, user=user)
-    ]
-
-    # Get page 1
-    response = APIClient().get(
-        "/api/v1.0/teams/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == HTTP_200_OK
-    content = response.json()
-
-    assert content["count"] == 3
-    assert content["next"] == "http://testserver/api/v1.0/teams/?page=2"
-    assert content["previous"] is None
-
-    assert len(content["results"]) == 2
-    for item in content["results"]:
-        team_ids.remove(item["id"])
-
-    # Get page 2
-    response = APIClient().get(
-        "/api/v1.0/teams/?page=2", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == HTTP_200_OK
-    content = response.json()
-
-    assert content["count"] == 3
-    assert content["next"] is None
-    assert content["previous"] == "http://testserver/api/v1.0/teams/"
-
-    assert len(content["results"]) == 1
-    team_ids.remove(content["results"][0]["id"])
-    assert team_ids == []
-
-
-def test_api_teams_list_authenticated_distinct():
-    """A team with several related users should only be listed once."""
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    other_user = factories.UserFactory()
-
-    team = factories.TeamFactory(users=[user, other_user])
-
-    response = APIClient().get(
-        "/api/v1.0/teams/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-
-    assert response.status_code == HTTP_200_OK
-    content = response.json()
-    assert len(content["results"]) == 1
-    assert content["results"][0]["id"] == str(team.id)

src/backend/core/tests/teams/test_core_api_teams_retrieve.py

@@ -1,86 +0,0 @@
-"""
-Tests for Teams API endpoint in publish's core app: retrieve
-"""
-import random
-from collections import Counter
-from unittest import mock
-
-import pytest
-from rest_framework.test import APIClient
-
-from core import factories
-
-from ..utils import OIDCToken
-
-pytestmark = pytest.mark.django_db
-
-
-def test_api_teams_retrieve_anonymous():
-    """Anonymous users should not be allowed to retrieve a team."""
-    team = factories.TeamFactory()
-    response = APIClient().get(f"/api/v1.0/teams/{team.id}/")
-
-    assert response.status_code == 401
-    assert response.json() == {
-        "detail": "Authentication credentials were not provided."
-    }
-
-
-def test_api_teams_retrieve_authenticated_unrelated():
-    """
-    Authenticated users should not be allowed to retrieve a team to which they are
-    not related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-
-    response = APIClient().get(
-        f"/api/v1.0/teams/{team.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-    assert response.status_code == 404
-    assert response.json() == {"detail": "Not found."}
-
-
-def test_api_teams_retrieve_authenticated_related():
-    """
-    Authenticated users should be allowed to retrieve a team to which they
-    are related whatever the role.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-    access1 = factories.TeamAccessFactory(team=team, user=user)
-    access2 = factories.TeamAccessFactory(team=team)
-
-    response = APIClient().get(
-        f"/api/v1.0/teams/{team.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
-    )
-    assert response.status_code == 200
-    content = response.json()
-    assert sorted(content.pop("accesses"), key=lambda x: x["user"]) == sorted(
-        [
-            {
-                "id": str(access1.id),
-                "user": str(user.id),
-                "role": access1.role,
-                "abilities": access1.get_abilities(user),
-            },
-            {
-                "id": str(access2.id),
-                "user": str(access2.user.id),
-                "role": access2.role,
-                "abilities": access2.get_abilities(user),
-            },
-        ],
-        key=lambda x: x["user"],
-    )
-    assert response.json() == {
-        "id": str(team.id),
-        "name": team.name,
-        "abilities": team.get_abilities(user),
-    }

src/backend/core/tests/teams/test_core_api_teams_update.py

@@ -1,176 +0,0 @@
-"""
-Tests for Teams API endpoint in publish's core app: update
-"""
-import random
-
-import pytest
-from rest_framework.test import APIClient
-from rest_framework_simplejwt.tokens import AccessToken
-
-from core import factories, models
-from core.api import serializers
-
-from ..utils import OIDCToken
-
-pytestmark = pytest.mark.django_db
-
-
-def test_api_teams_update_anonymous():
-    """Anonymous users should not be allowed to update a team."""
-    team = factories.TeamFactory()
-    old_team_values = serializers.TeamSerializer(instance=team).data
-
-    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
-    response = APIClient().put(
-        f"/api/v1.0/teams/{team.id!s}/",
-        new_team_values,
-        format="json",
-    )
-    assert response.status_code == 401
-    assert response.json() == {
-        "detail": "Authentication credentials were not provided."
-    }
-
-    team.refresh_from_db()
-    team_values = serializers.TeamSerializer(instance=team).data
-    assert team_values == old_team_values
-
-
-def test_api_teams_update_authenticated_unrelated():
-    """
-    Authenticated users should not be allowed to update a team to which they are not related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-    old_team_values = serializers.TeamSerializer(instance=team).data
-
-    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
-    response = APIClient().put(
-        f"/api/v1.0/teams/{team.id!s}/",
-        new_team_values,
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 404
-    assert response.json() == {"detail": "Not found."}
-
-    team.refresh_from_db()
-    team_values = serializers.TeamSerializer(instance=team).data
-    assert team_values == old_team_values
-
-
-def test_api_teams_update_authenticated_members():
-    """
-    Users who are members of a team but not administrators should
-    not be allowed to update it.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "member")])
-    old_team_values = serializers.TeamSerializer(instance=team).data
-
-    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
-    response = APIClient().put(
-        f"/api/v1.0/teams/{team.id!s}/",
-        new_team_values,
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    assert response.json() == {
-        "detail": "You do not have permission to perform this action."
-    }
-
-    team.refresh_from_db()
-    team_values = serializers.TeamSerializer(instance=team).data
-    assert team_values == old_team_values
-
-
-def test_api_teams_update_authenticated_administrators():
-    """Administrators of a team should be allowed to update it."""
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "administrator")])
-    old_team_values = serializers.TeamSerializer(instance=team).data
-
-    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
-    response = APIClient().put(
-        f"/api/v1.0/teams/{team.id!s}/",
-        new_team_values,
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-    assert response.status_code == 200
-
-    team.refresh_from_db()
-    team_values = serializers.TeamSerializer(instance=team).data
-    for key, value in team_values.items():
-        if key in ["id", "accesses"]:
-            assert value == old_team_values[key]
-        else:
-            assert value == new_team_values[key]
-
-
-def test_api_teams_update_authenticated_owners():
-    """Administrators of a team should be allowed to update it."""
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "owner")])
-    old_team_values = serializers.TeamSerializer(instance=team).data
-
-    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
-    response = APIClient().put(
-        f"/api/v1.0/teams/{team.id!s}/",
-        new_team_values,
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-    assert response.status_code == 200
-
-    team.refresh_from_db()
-    team_values = serializers.TeamSerializer(instance=team).data
-    for key, value in team_values.items():
-        if key in ["id", "accesses"]:
-            assert value == old_team_values[key]
-        else:
-            assert value == new_team_values[key]
-
-
-def test_api_teams_update_administrator_or_owner_of_another():
-    """
-    Being administrator or owner of a team should not grant authorization to update
-    another team.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    factories.TeamFactory(users=[(user, random.choice(["administrator", "owner"]))])
-    team = factories.TeamFactory(name="Old name")
-    old_team_values = serializers.TeamSerializer(instance=team).data
-
-    new_team_values = serializers.TeamSerializer(instance=factories.TeamFactory()).data
-    response = APIClient().put(
-        f"/api/v1.0/teams/{team.id!s}/",
-        new_team_values,
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 404
-    assert response.json() == {"detail": "Not found."}
-
-    team.refresh_from_db()
-    team_values = serializers.TeamSerializer(instance=team).data
-    assert team_values == old_team_values

src/backend/core/tests/templates/test_api_templates_create.py

@@ -0,0 +1,47 @@
+"""
+Tests for Templates API endpoint in publish's core app: create
+"""
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+from core.models import Template
+from core.tests.utils import OIDCToken
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_templates_create_anonymous():
+    """Anonymous users should not be allowed to create templates."""
+    response = APIClient().post(
+        "/api/v1.0/templates/",
+        {
+            "title": "my template",
+        },
+    )
+
+    assert response.status_code == 401
+    assert not Template.objects.exists()
+
+
+def test_api_templates_create_authenticated():
+    """
+    Authenticated users should be able to create templates and should automatically be declared
+    as the owner of the newly created template.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    response = APIClient().post(
+        "/api/v1.0/templates/",
+        {
+            "title": "my template",
+        },
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 201
+    template = Template.objects.get()
+    assert template.title == "my template"
+    assert template.accesses.filter(role="owner", user=user).exists()

src/backend/core/tests/templates/test_api_templates_delete.py

@@ -0,0 +1,84 @@
+"""
+Tests for Templates API endpoint in publish's core app: delete
+"""
+import random
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories, models
+from core.tests.utils import OIDCToken
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_templates_delete_anonymous():
+    """Anonymous users should not be allowed to destroy a template."""
+    template = factories.TemplateFactory()
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id!s}/",
+    )
+
+    assert response.status_code == 401
+    assert models.Template.objects.count() == 1
+
+
+def test_api_templates_delete_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to delete a template to which they are not
+    related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    is_public = random.choice([True, False])
+    template = factories.TemplateFactory(is_public=is_public)
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403 if is_public else 404
+    assert models.Template.objects.count() == 1
+
+
+@pytest.mark.parametrize("role", ["member", "administrator"])
+def test_api_templates_delete_authenticated_member(role):
+    """
+    Authenticated users should not be allowed to delete a template for which they are
+    only a member.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, role)])
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
+    )
+
+    assert response.status_code == 403
+    assert response.json() == {
+        "detail": "You do not have permission to perform this action."
+    }
+    assert models.Template.objects.count() == 1
+
+
+def test_api_templates_delete_authenticated_owner():
+    """
+    Authenticated users should be able to delete a template for which they are directly
+    owner.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "owner")])
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
+    )
+
+    assert response.status_code == 204
+    assert models.Template.objects.exists() is False

src/backend/core/tests/templates/test_api_templates_generate_document.py

@@ -0,0 +1,107 @@
+"""
+Test users API endpoints in the publish core app.
+"""
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+from core.tests.utils import OIDCToken
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_templates_generate_document_anonymous_public():
+    """Anonymous users can generate pdf document with public templates."""
+    template = factories.TemplateFactory(is_public=True)
+    data = {
+        "body": "# Test markdown body",
+    }
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{template.id!s}/generate-document/",
+        data,
+        format="json",
+    )
+
+    assert response.status_code == 200
+    assert response.headers["content-type"] == "application/pdf"
+
+
+def test_api_templates_generate_document_anonymous_not_public():
+    """
+    Anonymous users should not be allowed to generate pdf document with templates
+    that are not marked as public.
+    """
+    template = factories.TemplateFactory(is_public=False)
+    data = {
+        "body": "# Test markdown body",
+    }
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{template.id!s}/generate-document/",
+        data,
+        format="json",
+    )
+
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}
+
+
+def test_api_templates_generate_document_authenticated_public():
+    """Authenticated users can generate pdf document with public templates."""
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(is_public=True)
+    data = {"body": "# Test markdown body"}
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{template.id!s}/generate-document/",
+        data,
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 200
+    assert response.headers["content-type"] == "application/pdf"
+
+
+def test_api_templates_generate_document_authenticated_not_public():
+    """
+    Authenticated users should not be allowed to generate pdf document with templates
+    that are not marked as public.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(is_public=False)
+    data = {"body": "# Test markdown body"}
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{template.id!s}/generate-document/",
+        data,
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}
+
+
+def test_api_templates_generate_document_related():
+    """Users related to a template can generate pdf document."""
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    access = factories.TemplateAccessFactory(user=user)
+    data = {"body": "# Test markdown body"}
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{access.template.id!s}/generate-document/",
+        data,
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 200
+    assert response.headers["content-type"] == "application/pdf"

src/backend/core/tests/templates/test_api_templates_list.py

@@ -0,0 +1,124 @@
+"""
+Tests for Templates API endpoint in publish's core app: list
+"""
+from unittest import mock
+
+import pytest
+from rest_framework.pagination import PageNumberPagination
+from rest_framework.status import HTTP_200_OK
+from rest_framework.test import APIClient
+
+from core import factories
+from core.tests.utils import OIDCToken
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_templates_list_anonymous():
+    """Anonymous users should only be able to list public templates."""
+    factories.TemplateFactory.create_batch(2, is_public=False)
+    templates = factories.TemplateFactory.create_batch(2, is_public=True)
+    expected_ids = {str(template.id) for template in templates}
+
+    response = APIClient().get("/api/v1.0/templates/")
+
+    assert response.status_code == HTTP_200_OK
+    results = response.json()["results"]
+    assert len(results) == 2
+    results_id = {result["id"] for result in results}
+    assert expected_ids == results_id
+
+
+def test_api_templates_list_authenticated():
+    """
+    Authenticated users should be able to list templates they are
+    an owner/administrator/member of.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    related_templates = [
+        access.template
+        for access in factories.TemplateAccessFactory.create_batch(5, user=user)
+    ]
+    public_templates = factories.TemplateFactory.create_batch(2, is_public=True)
+    factories.TemplateFactory.create_batch(2, is_public=False)
+
+    expected_ids = {
+        str(template.id) for template in related_templates + public_templates
+    }
+
+    response = APIClient().get(
+        "/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
+    )
+
+    assert response.status_code == HTTP_200_OK
+    results = response.json()["results"]
+    assert len(results) == 7
+    results_id = {result["id"] for result in results}
+    assert expected_ids == results_id
+
+
+@mock.patch.object(PageNumberPagination, "get_page_size", return_value=2)
+def test_api_templates_list_pagination(
+    _mock_page_size,
+):
+    """Pagination should work as expected."""
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template_ids = [
+        str(access.template.id)
+        for access in factories.TemplateAccessFactory.create_batch(3, user=user)
+    ]
+
+    # Get page 1
+    response = APIClient().get(
+        "/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == 3
+    assert content["next"] == "http://testserver/api/v1.0/templates/?page=2"
+    assert content["previous"] is None
+
+    assert len(content["results"]) == 2
+    for item in content["results"]:
+        template_ids.remove(item["id"])
+
+    # Get page 2
+    response = APIClient().get(
+        "/api/v1.0/templates/?page=2", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+
+    assert content["count"] == 3
+    assert content["next"] is None
+    assert content["previous"] == "http://testserver/api/v1.0/templates/"
+
+    assert len(content["results"]) == 1
+    template_ids.remove(content["results"][0]["id"])
+    assert template_ids == []
+
+
+def test_api_templates_list_authenticated_distinct():
+    """A template with several related users should only be listed once."""
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    other_user = factories.UserFactory()
+
+    template = factories.TemplateFactory(users=[user, other_user], is_public=True)
+
+    response = APIClient().get(
+        "/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
+    )
+
+    assert response.status_code == HTTP_200_OK
+    content = response.json()
+    assert len(content["results"]) == 1
+    assert content["results"][0]["id"] == str(template.id)

src/backend/core/tests/templates/test_api_templates_retrieve.py

@@ -0,0 +1,130 @@
+"""
+Tests for Templates API endpoint in publish's core app: retrieve
+"""
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+from core.tests.utils import OIDCToken
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_templates_retrieve_anonymous_public():
+    """Anonymous users should be allowed to retrieve public templates."""
+    template = factories.TemplateFactory(is_public=True)
+
+    response = APIClient().get(f"/api/v1.0/templates/{template.id!s}/")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "id": str(template.id),
+        "abilities": {
+            "destroy": False,
+            "generate_document": True,
+            "manage_accesses": False,
+            "retrieve": True,
+            "update": False,
+        },
+        "accesses": [],
+        "title": template.title,
+    }
+
+
+def test_api_templates_retrieve_anonymous_not_public():
+    """Anonymous users should not be able to retrieve a template that is not public."""
+    template = factories.TemplateFactory(is_public=False)
+
+    response = APIClient().get(f"/api/v1.0/templates/{template.id!s}/")
+
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}
+
+
+def test_api_templates_retrieve_authenticated_unrelated_public():
+    """
+    Authenticated users should be able to retrieve a public template to which they are
+    not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(is_public=True)
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{template.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+    assert response.status_code == 200
+    assert response.json() == {
+        "id": str(template.id),
+        "abilities": {
+            "destroy": False,
+            "generate_document": True,
+            "manage_accesses": False,
+            "retrieve": True,
+            "update": False,
+        },
+        "accesses": [],
+        "title": template.title,
+    }
+
+
+def test_api_templates_retrieve_authenticated_unrelated_not_public():
+    """
+    Authenticated users should not be allowed to retrieve a template that is not public and
+    to which they are not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(is_public=False)
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{template.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}
+
+
+def test_api_templates_retrieve_authenticated_related():
+    """
+    Authenticated users should be allowed to retrieve a template to which they
+    are related whatever the role.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory()
+    access1 = factories.TemplateAccessFactory(template=template, user=user)
+    access2 = factories.TemplateAccessFactory(template=template)
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{template.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+    assert response.status_code == 200
+    content = response.json()
+    assert sorted(content.pop("accesses"), key=lambda x: x["user"]) == sorted(
+        [
+            {
+                "id": str(access1.id),
+                "user": str(user.id),
+                "role": access1.role,
+                "abilities": access1.get_abilities(user),
+            },
+            {
+                "id": str(access2.id),
+                "user": str(access2.user.id),
+                "role": access2.role,
+                "abilities": access2.get_abilities(user),
+            },
+        ],
+        key=lambda x: x["user"],
+    )
+    assert response.json() == {
+        "id": str(template.id),
+        "title": template.title,
+        "abilities": template.get_abilities(user),
+    }

src/backend/core/tests/templates/test_api_templates_update.py

@@ -0,0 +1,154 @@
+"""
+Tests for Templates API endpoint in publish's core app: update
+"""
+import random
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories
+from core.api import serializers
+from core.tests.utils import OIDCToken
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_templates_update_anonymous():
+    """Anonymous users should not be allowed to update a template."""
+    template = factories.TemplateFactory()
+    old_template_values = serializers.TemplateSerializer(instance=template).data
+
+    new_template_values = serializers.TemplateSerializer(
+        instance=factories.TemplateFactory()
+    ).data
+    response = APIClient().put(
+        f"/api/v1.0/templates/{template.id!s}/",
+        new_template_values,
+        format="json",
+    )
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+    template.refresh_from_db()
+    template_values = serializers.TemplateSerializer(instance=template).data
+    assert template_values == old_template_values
+
+
+def test_api_templates_update_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to update a template to which they are not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(is_public=False)
+    old_template_values = serializers.TemplateSerializer(instance=template).data
+
+    new_template_values = serializers.TemplateSerializer(
+        instance=factories.TemplateFactory()
+    ).data
+    response = APIClient().put(
+        f"/api/v1.0/templates/{template.id!s}/",
+        new_template_values,
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 404
+    assert response.json() == {"detail": "Not found."}
+
+    template.refresh_from_db()
+    template_values = serializers.TemplateSerializer(instance=template).data
+    assert template_values == old_template_values
+
+
+def test_api_templates_update_authenticated_members():
+    """
+    Users who are members of a template but not administrators should
+    not be allowed to update it.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "member")])
+    old_template_values = serializers.TemplateSerializer(instance=template).data
+
+    new_template_values = serializers.TemplateSerializer(
+        instance=factories.TemplateFactory()
+    ).data
+    response = APIClient().put(
+        f"/api/v1.0/templates/{template.id!s}/",
+        new_template_values,
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    assert response.json() == {
+        "detail": "You do not have permission to perform this action."
+    }
+
+    template.refresh_from_db()
+    template_values = serializers.TemplateSerializer(instance=template).data
+    assert template_values == old_template_values
+
+
+@pytest.mark.parametrize("role", ["administrator", "owner"])
+def test_api_templates_update_authenticated_administrators(role):
+    """Administrators of a template should be allowed to update it."""
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, role)])
+    old_template_values = serializers.TemplateSerializer(instance=template).data
+
+    new_template_values = serializers.TemplateSerializer(
+        instance=factories.TemplateFactory()
+    ).data
+    response = APIClient().put(
+        f"/api/v1.0/templates/{template.id!s}/",
+        new_template_values,
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+    assert response.status_code == 200
+
+    template.refresh_from_db()
+    template_values = serializers.TemplateSerializer(instance=template).data
+    for key, value in template_values.items():
+        if key in ["id", "accesses"]:
+            assert value == old_template_values[key]
+        else:
+            assert value == new_template_values[key]
+
+
+def test_api_templates_update_administrator_or_owner_of_another():
+    """
+    Being administrator or owner of a template should not grant authorization to update
+    another template.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    factories.TemplateFactory(users=[(user, random.choice(["administrator", "owner"]))])
+    is_public = random.choice([True, False])
+    template = factories.TemplateFactory(title="Old title", is_public=is_public)
+    old_template_values = serializers.TemplateSerializer(instance=template).data
+
+    new_template_values = serializers.TemplateSerializer(
+        instance=factories.TemplateFactory()
+    ).data
+    response = APIClient().put(
+        f"/api/v1.0/templates/{template.id!s}/",
+        new_template_values,
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403 if is_public else 404
+
+    template.refresh_from_db()
+    template_values = serializers.TemplateSerializer(instance=template).data
+    assert template_values == old_template_values

src/backend/core/tests/test_api_team_accesses.py

@@ -1,843 +0,0 @@
-"""
-Test team accesses API endpoints for users in publish's core app.
-"""
-import random
-from uuid import uuid4
-
-import pytest
-from rest_framework.test import APIClient
-
-from core import factories, models
-from core.api import serializers
-
-from .utils import OIDCToken
-
-pytestmark = pytest.mark.django_db
-
-
-def test_api_team_accesses_list_anonymous():
-    """Anonymous users should not be allowed to list team accesses."""
-    team = factories.TeamFactory()
-    factories.TeamAccessFactory.create_batch(2, team=team)
-
-    response = APIClient().get(f"/api/v1.0/teams/{team.id!s}/accesses/")
-    assert response.status_code == 401
-    assert response.json() == {
-        "detail": "Authentication credentials were not provided."
-    }
-
-
-def test_api_team_accesses_list_authenticated_unrelated():
-    """
-    Authenticated users should not be allowed to list team accesses for a team
-    to which they are not related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-    factories.TeamAccessFactory.create_batch(3, team=team)
-
-    # Accesses for other teams to which the user is related should not be listed either
-    other_access = factories.TeamAccessFactory(user=user)
-    factories.TeamAccessFactory(team=other_access.team)
-
-    response = APIClient().get(
-        f"/api/v1.0/teams/{team.id!s}/accesses/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-    assert response.status_code == 200
-    assert response.json() == {
-        "count": 0,
-        "next": None,
-        "previous": None,
-        "results": [],
-    }
-
-
-def test_api_team_accesses_list_authenticated_related():
-    """
-    Authenticated users should be able to list team accesses for a team
-    to which they are related, whatever their role in the team.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-    user_access = models.TeamAccess.objects.create(team=team, user=user)  # random role
-    access1, access2 = factories.TeamAccessFactory.create_batch(2, team=team)
-
-    # Accesses for other teams to which the user is related should not be listed either
-    other_access = factories.TeamAccessFactory(user=user)
-    factories.TeamAccessFactory(team=other_access.team)
-
-    response = APIClient().get(
-        f"/api/v1.0/teams/{team.id!s}/accesses/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 200
-    content = response.json()
-    assert len(content["results"]) == 3
-    assert sorted(content["results"], key=lambda x: x["id"]) == sorted(
-        [
-            {
-                "id": str(user_access.id),
-                "user": str(user.id),
-                "role": user_access.role,
-                "abilities": user_access.get_abilities(user),
-            },
-            {
-                "id": str(access1.id),
-                "user": str(access1.user.id),
-                "role": access1.role,
-                "abilities": access1.get_abilities(user),
-            },
-            {
-                "id": str(access2.id),
-                "user": str(access2.user.id),
-                "role": access2.role,
-                "abilities": access2.get_abilities(user),
-            },
-        ],
-        key=lambda x: x["id"],
-    )
-
-
-def test_api_team_accesses_retrieve_anonymous():
-    """
-    Anonymous users should not be allowed to retrieve a team access.
-    """
-    access = factories.TeamAccessFactory()
-
-    response = APIClient().get(
-        f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
-    )
-
-    assert response.status_code == 401
-    assert response.json() == {
-        "detail": "Authentication credentials were not provided."
-    }
-
-
-def test_api_team_accesses_retrieve_authenticated_unrelated():
-    """
-    Authenticated users should not be allowed to retrieve a team access for
-    a team to which they are not related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-    access = factories.TeamAccessFactory(team=team)
-
-    response = APIClient().get(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-    assert response.status_code == 403
-    assert response.json() == {
-        "detail": "You do not have permission to perform this action."
-    }
-
-    # Accesses related to another team should be excluded even if the user is related to it
-    for access in [
-        factories.TeamAccessFactory(),
-        factories.TeamAccessFactory(user=user),
-    ]:
-        response = APIClient().get(
-            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-
-        assert response.status_code == 404
-        assert response.json() == {"detail": "Not found."}
-
-
-def test_api_team_accesses_retrieve_authenticated_related():
-    """
-    A user who is related to a team should be allowed to retrieve the
-    associated team user accesses.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[user])
-    access = factories.TeamAccessFactory(team=team)
-
-    response = APIClient().get(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 200
-    assert response.json() == {
-        "id": str(access.id),
-        "user": str(access.user.id),
-        "role": access.role,
-        "abilities": access.get_abilities(user),
-    }
-
-
-def test_api_team_accesses_create_anonymous():
-    """Anonymous users should not be allowed to create team accesses."""
-    user = factories.UserFactory()
-    team = factories.TeamFactory()
-
-    response = APIClient().post(
-        f"/api/v1.0/teams/{team.id!s}/accesses/",
-        {
-            "user": str(user.id),
-            "team": str(team.id),
-            "role": random.choice(models.RoleChoices.choices)[0],
-        },
-        format="json",
-    )
-    assert response.status_code == 401
-    assert response.json() == {
-        "detail": "Authentication credentials were not provided."
-    }
-    assert models.TeamAccess.objects.exists() is False
-
-
-def test_api_team_accesses_create_authenticated_unrelated():
-    """
-    Authenticated users should not be allowed to create team accesses for a team to
-    which they are not related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    other_user = factories.UserFactory()
-    team = factories.TeamFactory()
-
-    response = APIClient().post(
-        f"/api/v1.0/teams/{team.id!s}/accesses/",
-        {
-            "user": str(other_user.id),
-        },
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    assert response.json() == {
-        "detail": "You are not allowed to manage accesses for this team."
-    }
-    assert not models.TeamAccess.objects.filter(user=other_user).exists()
-
-
-def test_api_team_accesses_create_authenticated_member():
-    """Members of a team should not be allowed to create team accesses."""
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "member")])
-    other_user = factories.UserFactory()
-
-    api_client = APIClient()
-    for role in [role[0] for role in models.RoleChoices.choices]:
-        response = api_client.post(
-            f"/api/v1.0/teams/{team.id!s}/accesses/",
-            {
-                "user": str(other_user.id),
-                "role": role,
-            },
-            format="json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-
-        assert response.status_code == 403
-        assert response.json() == {
-            "detail": "You are not allowed to manage accesses for this team."
-        }
-
-    assert not models.TeamAccess.objects.filter(user=other_user).exists()
-
-
-def test_api_team_accesses_create_authenticated_administrator():
-    """
-    Administrators of a team should be able to create team accesses except for the "owner" role.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "administrator")])
-    other_user = factories.UserFactory()
-
-    api_client = APIClient()
-
-    # It should not be allowed to create an owner access
-    response = api_client.post(
-        f"/api/v1.0/teams/{team.id!s}/accesses/",
-        {
-            "user": str(other_user.id),
-            "role": "owner",
-        },
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    assert response.json() == {
-        "detail": "Only owners of a team can assign other users as owners."
-    }
-
-    # It should be allowed to create a lower access
-    role = random.choice(
-        [role[0] for role in models.RoleChoices.choices if role[0] != "owner"]
-    )
-
-    response = api_client.post(
-        f"/api/v1.0/teams/{team.id!s}/accesses/",
-        {
-            "user": str(other_user.id),
-            "role": role,
-        },
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 201
-    assert models.TeamAccess.objects.filter(user=other_user).count() == 1
-    new_team_access = models.TeamAccess.objects.filter(user=other_user).get()
-    assert response.json() == {
-        "abilities": new_team_access.get_abilities(user),
-        "id": str(new_team_access.id),
-        "role": role,
-        "user": str(other_user.id),
-    }
-
-
-def test_api_team_accesses_create_authenticated_owner():
-    """
-    Owners of a team should be able to create team accesses whatever the role.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "owner")])
-    other_user = factories.UserFactory()
-
-    role = random.choice([role[0] for role in models.RoleChoices.choices])
-
-    response = APIClient().post(
-        f"/api/v1.0/teams/{team.id!s}/accesses/",
-        {
-            "user": str(other_user.id),
-            "role": role,
-        },
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 201
-    assert models.TeamAccess.objects.filter(user=other_user).count() == 1
-    new_team_access = models.TeamAccess.objects.filter(user=other_user).get()
-    assert response.json() == {
-        "abilities": new_team_access.get_abilities(user),
-        "id": str(new_team_access.id),
-        "role": role,
-        "user": str(other_user.id),
-    }
-
-
-def test_api_team_accesses_update_anonymous():
-    """Anonymous users should not be allowed to update a team access."""
-    access = factories.TeamAccessFactory()
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user": factories.UserFactory().id,
-        "role": random.choice(models.RoleChoices.choices)[0],
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        response = api_client.put(
-            f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
-            {**old_values, field: value},
-            format="json",
-        )
-        assert response.status_code == 401
-
-    access.refresh_from_db()
-    updated_values = serializers.TeamAccessSerializer(instance=access).data
-    assert updated_values == old_values
-
-
-def test_api_team_accesses_update_authenticated_unrelated():
-    """
-    Authenticated users should not be allowed to update a team access for a team to which
-    they are not related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    access = factories.TeamAccessFactory()
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user": factories.UserFactory().id,
-        "role": random.choice(models.RoleChoices.choices)[0],
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        response = api_client.put(
-            f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
-            {**old_values, field: value},
-            format="json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-        assert response.status_code == 403
-
-    access.refresh_from_db()
-    updated_values = serializers.TeamAccessSerializer(instance=access).data
-    assert updated_values == old_values
-
-
-def test_api_team_accesses_update_authenticated_member():
-    """Members of a team should not be allowed to update its accesses."""
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "member")])
-    access = factories.TeamAccessFactory(team=team)
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user": factories.UserFactory().id,
-        "role": random.choice(models.RoleChoices.choices)[0],
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        response = api_client.put(
-            f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
-            {**old_values, field: value},
-            format="json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-        assert response.status_code == 403
-
-    access.refresh_from_db()
-    updated_values = serializers.TeamAccessSerializer(instance=access).data
-    assert updated_values == old_values
-
-
-def test_api_team_accesses_update_administrator_except_owner():
-    """
-    A user who is an administrator in a team should be allowed to update a user
-    access for this team, as long as they don't try to set the role to owner.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "administrator")])
-    access = factories.TeamAccessFactory(
-        team=team,
-        role=random.choice(["administrator", "member"]),
-    )
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user_id": factories.UserFactory().id,
-        "role": random.choice(["administrator", "member"]),
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        new_data = {**old_values, field: value}
-        response = api_client.put(
-            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-            data=new_data,
-            format="json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-
-        if (
-            new_data["role"] == old_values["role"]
-        ):  # we are not really updating the role
-            assert response.status_code == 403
-        else:
-            assert response.status_code == 200
-
-        access.refresh_from_db()
-        updated_values = serializers.TeamAccessSerializer(instance=access).data
-        if field == "role":
-            assert updated_values == {**old_values, "role": new_values["role"]}
-        else:
-            assert updated_values == old_values
-
-
-def test_api_team_accesses_update_administrator_from_owner():
-    """
-    A user who is an administrator in a team, should not be allowed to update
-    the user access of an "owner" for this team.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "administrator")])
-    other_user = factories.UserFactory()
-    access = factories.TeamAccessFactory(team=team, user=other_user, role="owner")
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user_id": factories.UserFactory().id,
-        "role": random.choice(models.RoleChoices.choices)[0],
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        response = api_client.put(
-            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-            data={**old_values, field: value},
-            format="json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-        assert response.status_code == 403
-        access.refresh_from_db()
-        updated_values = serializers.TeamAccessSerializer(instance=access).data
-        assert updated_values == old_values
-
-
-def test_api_team_accesses_update_administrator_to_owner():
-    """
-    A user who is an administrator in a team, should not be allowed to update
-    the user access of another user to grant team ownership.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "administrator")])
-    other_user = factories.UserFactory()
-    access = factories.TeamAccessFactory(
-        team=team,
-        user=other_user,
-        role=random.choice(["administrator", "member"]),
-    )
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user_id": factories.UserFactory().id,
-        "role": "owner",
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        new_data = {**old_values, field: value}
-        response = api_client.put(
-            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-            data=new_data,
-            format="json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-        # We are not allowed or not really updating the role
-        if field == "role" or new_data["role"] == old_values["role"]:
-            assert response.status_code == 403
-        else:
-            assert response.status_code == 200
-
-        access.refresh_from_db()
-        updated_values = serializers.TeamAccessSerializer(instance=access).data
-        assert updated_values == old_values
-
-
-def test_api_team_accesses_update_owner_except_owner():
-    """
-    A user who is an owner in a team should be allowed to update
-    a user access for this team except for existing "owner" accesses.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "owner")])
-    factories.UserFactory()
-    access = factories.TeamAccessFactory(
-        team=team,
-        role=random.choice(["administrator", "member"]),
-    )
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user_id": factories.UserFactory().id,
-        "role": random.choice(models.RoleChoices.choices)[0],
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        new_data = {**old_values, field: value}
-        response = api_client.put(
-            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-            data=new_data,
-            format="json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-
-        if (
-            new_data["role"] == old_values["role"]
-        ):  # we are not really updating the role
-            assert response.status_code == 403
-        else:
-            assert response.status_code == 200
-
-        access.refresh_from_db()
-        updated_values = serializers.TeamAccessSerializer(instance=access).data
-
-        if field == "role":
-            assert updated_values == {**old_values, "role": new_values["role"]}
-        else:
-            assert updated_values == old_values
-
-
-def test_api_team_accesses_update_owner_for_owners():
-    """
-    A user who is "owner" of a team should not be allowed to update
-    an existing owner access for this team.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "owner")])
-    access = factories.TeamAccessFactory(team=team, role="owner")
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-
-    new_values = {
-        "id": uuid4(),
-        "user_id": factories.UserFactory().id,
-        "role": random.choice(models.RoleChoices.choices)[0],
-    }
-
-    api_client = APIClient()
-    for field, value in new_values.items():
-        response = api_client.put(
-            f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-            data={**old_values, field: value},
-            content_type="application/json",
-            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-        )
-        assert response.status_code == 403
-        access.refresh_from_db()
-        updated_values = serializers.TeamAccessSerializer(instance=access).data
-        assert updated_values == old_values
-
-
-def test_api_team_accesses_update_owner_self():
-    """
-    A user who is owner of a team should be allowed to update
-    their own user access provided there are other owners in the team.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-    access = factories.TeamAccessFactory(team=team, user=user, role="owner")
-    old_values = serializers.TeamAccessSerializer(instance=access).data
-    new_role = random.choice(["administrator", "member"])
-
-    api_client = APIClient()
-    response = api_client.put(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        data={**old_values, "role": new_role},
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    access.refresh_from_db()
-    assert access.role == "owner"
-
-    # Add another owner and it should now work
-    factories.TeamAccessFactory(team=team, role="owner")
-
-    response = api_client.put(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        data={**old_values, "role": new_role},
-        format="json",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 200
-    access.refresh_from_db()
-    assert access.role == new_role
-
-
-# Delete
-
-
-def test_api_team_accesses_delete_anonymous():
-    """Anonymous users should not be allowed to destroy a team access."""
-    access = factories.TeamAccessFactory()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
-    )
-
-    assert response.status_code == 401
-    assert models.TeamAccess.objects.count() == 1
-
-
-def test_api_team_accesses_delete_authenticated():
-    """
-    Authenticated users should not be allowed to delete a team access for a
-    team to which they are not related.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    access = factories.TeamAccessFactory()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{access.team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    assert models.TeamAccess.objects.count() == 1
-
-
-def test_api_team_accesses_delete_member():
-    """
-    Authenticated users should not be allowed to delete a team access for a
-    team in which they are a simple member.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "member")])
-    access = factories.TeamAccessFactory(team=team)
-
-    assert models.TeamAccess.objects.count() == 2
-    assert models.TeamAccess.objects.filter(user=access.user).exists()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    assert models.TeamAccess.objects.count() == 2
-
-
-def test_api_team_accesses_delete_administrators():
-    """
-    Users who are administrators in a team should be allowed to delete an access
-    from the team provided it is not ownership.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "administrator")])
-    access = factories.TeamAccessFactory(
-        team=team, role=random.choice(["member", "administrator"])
-    )
-
-    assert models.TeamAccess.objects.count() == 2
-    assert models.TeamAccess.objects.filter(user=access.user).exists()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 204
-    assert models.TeamAccess.objects.count() == 1
-
-
-def test_api_team_accesses_delete_owners_except_owners():
-    """
-    Users should be able to delete the team access of another user
-    for a team of which they are owner provided it is not an owner access.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "owner")])
-    access = factories.TeamAccessFactory(
-        team=team, role=random.choice(["member", "administrator"])
-    )
-
-    assert models.TeamAccess.objects.count() == 2
-    assert models.TeamAccess.objects.filter(user=access.user).exists()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 204
-    assert models.TeamAccess.objects.count() == 1
-
-
-def test_api_team_accesses_delete_owners_for_owners():
-    """
-    Users should not be allowed to delete the team access of another owner
-    even for a team in which they are direct owner.
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory(users=[(user, "owner")])
-    access = factories.TeamAccessFactory(team=team, role="owner")
-
-    assert models.TeamAccess.objects.count() == 2
-    assert models.TeamAccess.objects.filter(user=access.user).exists()
-
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    assert models.TeamAccess.objects.count() == 2
-
-
-def test_api_team_accesses_delete_owners_last_owner():
-    """
-    It should not be possible to delete the last owner access from a team
-    """
-    identity = factories.IdentityFactory()
-    user = identity.user
-    jwt_token = OIDCToken.for_user(user)
-
-    team = factories.TeamFactory()
-    access = factories.TeamAccessFactory(team=team, user=user, role="owner")
-
-    assert models.TeamAccess.objects.count() == 1
-    response = APIClient().delete(
-        f"/api/v1.0/teams/{team.id!s}/accesses/{access.id!s}/",
-        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
-    )
-
-    assert response.status_code == 403
-    assert models.TeamAccess.objects.count() == 1

src/backend/core/tests/test_api_template_accesses.py

@@ -0,0 +1,791 @@
+"""
+Test template accesses API endpoints for users in publish's core app.
+"""
+import random
+from uuid import uuid4
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories, models
+from core.api import serializers
+
+from .utils import OIDCToken
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_template_accesses_list_anonymous():
+    """Anonymous users should not be allowed to list template accesses."""
+    template = factories.TemplateFactory()
+    factories.TemplateAccessFactory.create_batch(2, template=template)
+
+    response = APIClient().get(f"/api/v1.0/templates/{template.id!s}/accesses/")
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_template_accesses_list_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to list template accesses for a template
+    to which they are not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory()
+    factories.TemplateAccessFactory.create_batch(3, template=template)
+
+    # Accesses for other templates to which the user is related should not be listed either
+    other_access = factories.TemplateAccessFactory(user=user)
+    factories.TemplateAccessFactory(template=other_access.template)
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{template.id!s}/accesses/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+    assert response.status_code == 200
+    assert response.json() == {
+        "count": 0,
+        "next": None,
+        "previous": None,
+        "results": [],
+    }
+
+
+def test_api_template_accesses_list_authenticated_related():
+    """
+    Authenticated users should be able to list template accesses for a template
+    to which they are related, whatever their role in the template.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory()
+    user_access = models.TemplateAccess.objects.create(
+        template=template, user=user
+    )  # random role
+    access1, access2 = factories.TemplateAccessFactory.create_batch(
+        2, template=template
+    )
+
+    # Accesses for other templates to which the user is related should not be listed either
+    other_access = factories.TemplateAccessFactory(user=user)
+    factories.TemplateAccessFactory(template=other_access.template)
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{template.id!s}/accesses/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 200
+    content = response.json()
+    assert len(content["results"]) == 3
+    assert sorted(content["results"], key=lambda x: x["id"]) == sorted(
+        [
+            {
+                "id": str(user_access.id),
+                "user": str(user.id),
+                "role": user_access.role,
+                "abilities": user_access.get_abilities(user),
+            },
+            {
+                "id": str(access1.id),
+                "user": str(access1.user.id),
+                "role": access1.role,
+                "abilities": access1.get_abilities(user),
+            },
+            {
+                "id": str(access2.id),
+                "user": str(access2.user.id),
+                "role": access2.role,
+                "abilities": access2.get_abilities(user),
+            },
+        ],
+        key=lambda x: x["id"],
+    )
+
+
+def test_api_template_accesses_retrieve_anonymous():
+    """
+    Anonymous users should not be allowed to retrieve a template access.
+    """
+    access = factories.TemplateAccessFactory()
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+
+
+def test_api_template_accesses_retrieve_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to retrieve a template access for
+    a template to which they are not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory()
+    access = factories.TemplateAccessFactory(template=template)
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+    assert response.status_code == 403
+    assert response.json() == {
+        "detail": "You do not have permission to perform this action."
+    }
+
+    # Accesses related to another template should be excluded even if the user is related to it
+    for access in [
+        factories.TemplateAccessFactory(),
+        factories.TemplateAccessFactory(user=user),
+    ]:
+        response = APIClient().get(
+            f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+
+        assert response.status_code == 404
+        assert response.json() == {"detail": "Not found."}
+
+
+def test_api_template_accesses_retrieve_authenticated_related():
+    """
+    A user who is related to a template should be allowed to retrieve the
+    associated template user accesses.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[user])
+    access = factories.TemplateAccessFactory(template=template)
+
+    response = APIClient().get(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "id": str(access.id),
+        "user": str(access.user.id),
+        "role": access.role,
+        "abilities": access.get_abilities(user),
+    }
+
+
+def test_api_template_accesses_create_anonymous():
+    """Anonymous users should not be allowed to create template accesses."""
+    user = factories.UserFactory()
+    template = factories.TemplateFactory()
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{template.id!s}/accesses/",
+        {
+            "user": str(user.id),
+            "template": str(template.id),
+            "role": random.choice(models.RoleChoices.choices)[0],
+        },
+        format="json",
+    )
+
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }
+    assert models.TemplateAccess.objects.exists() is False
+
+
+def test_api_template_accesses_create_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to create template accesses for a template to
+    which they are not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    other_user = factories.UserFactory()
+    template = factories.TemplateFactory()
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{template.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+        },
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    assert not models.TemplateAccess.objects.filter(user=other_user).exists()
+
+
+def test_api_template_accesses_create_authenticated_member():
+    """Members of a template should not be allowed to create template accesses."""
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "member")])
+    other_user = factories.UserFactory()
+
+    api_client = APIClient()
+    for role in [role[0] for role in models.RoleChoices.choices]:
+        response = api_client.post(
+            f"/api/v1.0/templates/{template.id!s}/accesses/",
+            {
+                "user": str(other_user.id),
+                "role": role,
+            },
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+
+        assert response.status_code == 403
+
+    assert not models.TemplateAccess.objects.filter(user=other_user).exists()
+
+
+def test_api_template_accesses_create_authenticated_administrator():
+    """
+    Administrators of a template should be able to create template accesses
+    except for the "owner" role.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "administrator")])
+    other_user = factories.UserFactory()
+
+    api_client = APIClient()
+
+    # It should not be allowed to create an owner access
+    response = api_client.post(
+        f"/api/v1.0/templates/{template.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+            "role": "owner",
+        },
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    assert response.json() == {
+        "detail": "Only owners of a template can assign other users as owners."
+    }
+
+    # It should be allowed to create a lower access
+    role = random.choice(
+        [role[0] for role in models.RoleChoices.choices if role[0] != "owner"]
+    )
+
+    response = api_client.post(
+        f"/api/v1.0/templates/{template.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+            "role": role,
+        },
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 201
+    assert models.TemplateAccess.objects.filter(user=other_user).count() == 1
+    new_template_access = models.TemplateAccess.objects.filter(user=other_user).get()
+    assert response.json() == {
+        "abilities": new_template_access.get_abilities(user),
+        "id": str(new_template_access.id),
+        "role": role,
+        "user": str(other_user.id),
+    }
+
+
+def test_api_template_accesses_create_authenticated_owner():
+    """
+    Owners of a template should be able to create template accesses whatever the role.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "owner")])
+    other_user = factories.UserFactory()
+
+    role = random.choice([role[0] for role in models.RoleChoices.choices])
+
+    response = APIClient().post(
+        f"/api/v1.0/templates/{template.id!s}/accesses/",
+        {
+            "user": str(other_user.id),
+            "role": role,
+        },
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 201
+    assert models.TemplateAccess.objects.filter(user=other_user).count() == 1
+    new_template_access = models.TemplateAccess.objects.filter(user=other_user).get()
+    assert response.json() == {
+        "abilities": new_template_access.get_abilities(user),
+        "id": str(new_template_access.id),
+        "role": role,
+        "user": str(other_user.id),
+    }
+
+
+def test_api_template_accesses_update_anonymous():
+    """Anonymous users should not be allowed to update a template access."""
+    access = factories.TemplateAccessFactory()
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    api_client = APIClient()
+    for field, value in new_values.items():
+        response = api_client.put(
+            f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
+            {**old_values, field: value},
+            format="json",
+        )
+        assert response.status_code == 401
+
+    access.refresh_from_db()
+    updated_values = serializers.TemplateAccessSerializer(instance=access).data
+    assert updated_values == old_values
+
+
+def test_api_template_accesses_update_authenticated_unrelated():
+    """
+    Authenticated users should not be allowed to update a template access for a template to which
+    they are not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    access = factories.TemplateAccessFactory()
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    api_client = APIClient()
+    for field, value in new_values.items():
+        response = api_client.put(
+            f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
+            {**old_values, field: value},
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+        assert response.status_code == 403
+
+    access.refresh_from_db()
+    updated_values = serializers.TemplateAccessSerializer(instance=access).data
+    assert updated_values == old_values
+
+
+def test_api_template_accesses_update_authenticated_member():
+    """Members of a template should not be allowed to update its accesses."""
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "member")])
+    access = factories.TemplateAccessFactory(template=template)
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    api_client = APIClient()
+    for field, value in new_values.items():
+        response = api_client.put(
+            f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
+            {**old_values, field: value},
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+        assert response.status_code == 403
+
+    access.refresh_from_db()
+    updated_values = serializers.TemplateAccessSerializer(instance=access).data
+    assert updated_values == old_values
+
+
+def test_api_template_accesses_update_administrator_except_owner():
+    """
+    A user who is an administrator in a template should be allowed to update a user
+    access for this template, as long as they don't try to set the role to owner.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "administrator")])
+    access = factories.TemplateAccessFactory(
+        template=template,
+        role=random.choice(["administrator", "member"]),
+    )
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": random.choice(["administrator", "member"]),
+    }
+
+    api_client = APIClient()
+    for field, value in new_values.items():
+        new_data = {**old_values, field: value}
+        response = api_client.put(
+            f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+            data=new_data,
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+
+        if (
+            new_data["role"] == old_values["role"]
+        ):  # we are not really updating the role
+            assert response.status_code == 403
+        else:
+            assert response.status_code == 200
+
+        access.refresh_from_db()
+        updated_values = serializers.TemplateAccessSerializer(instance=access).data
+        if field == "role":
+            assert updated_values == {**old_values, "role": new_values["role"]}
+        else:
+            assert updated_values == old_values
+
+
+def test_api_template_accesses_update_administrator_from_owner():
+    """
+    A user who is an administrator in a template, should not be allowed to update
+    the user access of an "owner" for this template.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "administrator")])
+    other_user = factories.UserFactory()
+    access = factories.TemplateAccessFactory(
+        template=template, user=other_user, role="owner"
+    )
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    api_client = APIClient()
+    for field, value in new_values.items():
+        response = api_client.put(
+            f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+            data={**old_values, field: value},
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+
+        assert response.status_code == 403
+        access.refresh_from_db()
+        updated_values = serializers.TemplateAccessSerializer(instance=access).data
+        assert updated_values == old_values
+
+
+def test_api_template_accesses_update_administrator_to_owner():
+    """
+    A user who is an administrator in a template, should not be allowed to update
+    the user access of another user to grant template ownership.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "administrator")])
+    other_user = factories.UserFactory()
+    access = factories.TemplateAccessFactory(
+        template=template,
+        user=other_user,
+        role=random.choice(["administrator", "member"]),
+    )
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": "owner",
+    }
+
+    api_client = APIClient()
+    for field, value in new_values.items():
+        new_data = {**old_values, field: value}
+        response = api_client.put(
+            f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+            data=new_data,
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+        # We are not allowed or not really updating the role
+        if field == "role" or new_data["role"] == old_values["role"]:
+            assert response.status_code == 403
+        else:
+            assert response.status_code == 200
+
+        access.refresh_from_db()
+        updated_values = serializers.TemplateAccessSerializer(instance=access).data
+        assert updated_values == old_values
+
+
+def test_api_template_accesses_update_owner():
+    """
+    A user who is an owner in a template should be allowed to update
+    a user access for this template whatever the role.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "owner")])
+    factories.UserFactory()
+    access = factories.TemplateAccessFactory(
+        template=template,
+    )
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+
+    new_values = {
+        "id": uuid4(),
+        "user_id": factories.UserFactory().id,
+        "role": random.choice(models.RoleChoices.choices)[0],
+    }
+
+    api_client = APIClient()
+    for field, value in new_values.items():
+        new_data = {**old_values, field: value}
+        response = api_client.put(
+            f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+            data=new_data,
+            format="json",
+            HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+        )
+
+        if (
+            new_data["role"] == old_values["role"]
+        ):  # we are not really updating the role
+            assert response.status_code == 403
+        else:
+            assert response.status_code == 200
+
+        access.refresh_from_db()
+        updated_values = serializers.TemplateAccessSerializer(instance=access).data
+
+        if field == "role":
+            assert updated_values == {**old_values, "role": new_values["role"]}
+        else:
+            assert updated_values == old_values
+
+
+def test_api_template_accesses_update_owner_self():
+    """
+    A user who is owner of a template should be allowed to update
+    their own user access provided there are other owners in the template.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory()
+    access = factories.TemplateAccessFactory(template=template, user=user, role="owner")
+    old_values = serializers.TemplateAccessSerializer(instance=access).data
+    new_role = random.choice(["administrator", "member"])
+
+    api_client = APIClient()
+    response = api_client.put(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        data={**old_values, "role": new_role},
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    access.refresh_from_db()
+    assert access.role == "owner"
+
+    # Add another owner and it should now work
+    factories.TemplateAccessFactory(template=template, role="owner")
+
+    response = api_client.put(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        data={**old_values, "role": new_role},
+        format="json",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 200
+    access.refresh_from_db()
+    assert access.role == new_role
+
+
+# Delete
+
+
+def test_api_template_accesses_delete_anonymous():
+    """Anonymous users should not be allowed to destroy a template access."""
+    access = factories.TemplateAccessFactory()
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
+    )
+
+    assert response.status_code == 401
+    assert models.TemplateAccess.objects.count() == 1
+
+
+def test_api_template_accesses_delete_authenticated():
+    """
+    Authenticated users should not be allowed to delete a template access for a
+    template to which they are not related.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    access = factories.TemplateAccessFactory()
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    assert models.TemplateAccess.objects.count() == 1
+
+
+def test_api_template_accesses_delete_member():
+    """
+    Authenticated users should not be allowed to delete a template access for a
+    template in which they are a simple member.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "member")])
+    access = factories.TemplateAccessFactory(template=template)
+
+    assert models.TemplateAccess.objects.count() == 2
+    assert models.TemplateAccess.objects.filter(user=access.user).exists()
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    assert models.TemplateAccess.objects.count() == 2
+
+
+def test_api_template_accesses_delete_administrators_except_owners():
+    """
+    Users who are administrators in a template should be allowed to delete an access
+    from the template provided it is not ownership.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "administrator")])
+    access = factories.TemplateAccessFactory(
+        template=template, role=random.choice(["member", "administrator"])
+    )
+
+    assert models.TemplateAccess.objects.count() == 2
+    assert models.TemplateAccess.objects.filter(user=access.user).exists()
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 204
+    assert models.TemplateAccess.objects.count() == 1
+
+
+def test_api_template_accesses_delete_administrators_owners():
+    """
+    Users who are administrators in a template should not be allowed to delete an ownership
+    access from the template.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "administrator")])
+    access = factories.TemplateAccessFactory(template=template, role="owner")
+
+    assert models.TemplateAccess.objects.count() == 2
+    assert models.TemplateAccess.objects.filter(user=access.user).exists()
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    assert models.TemplateAccess.objects.count() == 2
+
+
+def test_api_template_accesses_delete_owners():
+    """
+    Users should be able to delete the template access of another user
+    for a template of which they are owner.
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory(users=[(user, "owner")])
+    access = factories.TemplateAccessFactory(
+        template=template,
+    )
+
+    assert models.TemplateAccess.objects.count() == 2
+    assert models.TemplateAccess.objects.filter(user=access.user).exists()
+
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 204
+    assert models.TemplateAccess.objects.count() == 1
+
+
+def test_api_template_accesses_delete_owners_last_owner():
+    """
+    It should not be possible to delete the last owner access from a template
+    """
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
+
+    template = factories.TemplateFactory()
+    access = factories.TemplateAccessFactory(template=template, user=user, role="owner")
+
+    assert models.TemplateAccess.objects.count() == 1
+    response = APIClient().delete(
+        f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
+        HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
+    )
+
+    assert response.status_code == 403
+    assert models.TemplateAccess.objects.count() == 1

src/backend/core/tests/test_api_users.py

@@ -25,8 +25,8 @@ def test_api_users_list_authenticated():
     """
     Authenticated users should not be able to list users.
     """
-    identity = factories.IdentityFactory()
-    jwt_token = OIDCToken.for_user(identity.user)
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
 
     factories.UserFactory.create_batch(2)
     response = APIClient().get(
@@ -49,15 +49,9 @@ def test_api_users_retrieve_me_anonymous():
 
 def test_api_users_retrieve_me_authenticated():
     """Authenticated users should be able to retrieve their own user via the "/users/me" path."""
-    identity = factories.IdentityFactory()
-    user = identity.user
+    user = factories.UserFactory()
     jwt_token = OIDCToken.for_user(user)
 
-    # Define profile contact
-    contact = factories.ContactFactory(owner=user)
-    user.profile_contact = contact
-    user.save()
-
     factories.UserFactory.create_batch(2)
     response = APIClient().get(
         "/api/v1.0/users/me/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
@@ -70,7 +64,6 @@ def test_api_users_retrieve_me_authenticated():
         "timezone": str(user.timezone),
         "is_device": False,
         "is_staff": False,
-        "data": user.profile_contact.data,
     }
 
 
@@ -91,8 +84,7 @@ def test_api_users_retrieve_authenticated_self():
     Authenticated users should be allowed to retrieve their own user.
     The returned object should not contain the password.
     """
-    identity = factories.IdentityFactory()
-    user = identity.user
+    user = factories.UserFactory()
     jwt_token = OIDCToken.for_user(user)
 
     response = APIClient().get(
@@ -107,8 +99,8 @@ def test_api_users_retrieve_authenticated_other():
     Authenticated users should be able to retrieve another user's detail view with
     limited information.
     """
-    identity = factories.IdentityFactory()
-    jwt_token = OIDCToken.for_user(identity.user)
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
 
     other_user = factories.UserFactory()
 
@@ -135,8 +127,7 @@ def test_api_users_create_anonymous():
 
 def test_api_users_create_authenticated():
     """Authenticated users should not be able to create users via the API."""
-    identity = factories.IdentityFactory()
-    user = identity.user
+    user = factories.UserFactory()
     jwt_token = OIDCToken.for_user(user)
 
     response = APIClient().post(
@@ -182,8 +173,7 @@ def test_api_users_update_authenticated_self():
     Authenticated users should be able to update their own user but only "language"
     and "timezone" fields.
     """
-    identity = factories.IdentityFactory()
-    user = identity.user
+    user = factories.UserFactory()
     jwt_token = OIDCToken.for_user(user)
 
     old_user_values = dict(serializers.UserSerializer(instance=user).data)
@@ -210,8 +200,8 @@ def test_api_users_update_authenticated_self():
 
 def test_api_users_update_authenticated_other():
     """Authenticated users should not be allowed to update other users."""
-    identity = factories.IdentityFactory()
-    jwt_token = OIDCToken.for_user(identity.user)
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
 
     user = factories.UserFactory()
     old_user_values = dict(serializers.UserSerializer(instance=user).data)
@@ -262,8 +252,7 @@ def test_api_users_patch_authenticated_self():
     Authenticated users should be able to patch their own user but only "language"
     and "timezone" fields.
     """
-    identity = factories.IdentityFactory()
-    user = identity.user
+    user = factories.UserFactory()
     jwt_token = OIDCToken.for_user(user)
 
     old_user_values = dict(serializers.UserSerializer(instance=user).data)
@@ -291,8 +280,8 @@ def test_api_users_patch_authenticated_self():
 
 def test_api_users_patch_authenticated_other():
     """Authenticated users should not be allowed to patch other users."""
-    identity = factories.IdentityFactory()
-    jwt_token = OIDCToken.for_user(identity.user)
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
 
     user = factories.UserFactory()
     old_user_values = dict(serializers.UserSerializer(instance=user).data)
@@ -329,8 +318,8 @@ def test_api_users_delete_list_anonymous():
 def test_api_users_delete_list_authenticated():
     """Authenticated users should not be allowed to delete a list of users."""
     factories.UserFactory.create_batch(2)
-    identity = factories.IdentityFactory()
-    jwt_token = OIDCToken.for_user(identity.user)
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
 
     client = APIClient()
     response = client.delete(
@@ -355,8 +344,8 @@ def test_api_users_delete_authenticated():
     """
     Authenticated users should not be allowed to delete a user other than themselves.
     """
-    identity = factories.IdentityFactory()
-    jwt_token = OIDCToken.for_user(identity.user)
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
     other_user = factories.UserFactory()
 
     response = APIClient().delete(
@@ -369,11 +358,11 @@ def test_api_users_delete_authenticated():
 
 def test_api_users_delete_self():
     """Authenticated users should not be able to delete their own user."""
-    identity = factories.IdentityFactory()
-    jwt_token = OIDCToken.for_user(identity.user)
+    user = factories.UserFactory()
+    jwt_token = OIDCToken.for_user(user)
 
     response = APIClient().delete(
-        f"/api/v1.0/users/{identity.user.id!s}/",
+        f"/api/v1.0/users/{user.id!s}/",
         HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
     )
 

src/backend/core/tests/test_models_identities.py

@@ -1,183 +0,0 @@
-"""
-Unit tests for the Identity model
-"""
-from django.core.exceptions import ValidationError
-
-import pytest
-
-from core import factories, models
-
-pytestmark = pytest.mark.django_db
-
-
-def test_models_identities_str_main():
-    """The str representation should be the email address with indication that it is main."""
-    identity = factories.IdentityFactory(email="david@example.com")
-    assert str(identity) == "david@example.com[main]"
-
-
-def test_models_identities_str_secondary():
-    """The str representation of a secondary email should be the email address."""
-    main_identity = factories.IdentityFactory()
-    secondary_identity = factories.IdentityFactory(
-        user=main_identity.user, email="david@example.com"
-    )
-    assert str(secondary_identity) == "david@example.com"
-
-
-def test_models_identities_is_main_automatic():
-    """The first identity created for a user should automatically be set as main."""
-    user = factories.UserFactory()
-    identity = models.Identity.objects.create(
-        user=user, sub="123", email="david@example.com"
-    )
-    assert identity.is_main is True
-
-
-def test_models_identities_is_main_exists():
-    """A user should always keep one and only one of its identities as main."""
-    user = factories.UserFactory()
-    main_identity, _secondary_identity = factories.IdentityFactory.create_batch(
-        2, user=user
-    )
-
-    assert main_identity.is_main is True
-
-    main_identity.is_main = False
-    with pytest.raises(
-        ValidationError, match="A user should have one and only one main identity."
-    ):
-        main_identity.save()
-
-
-def test_models_identities_is_main_switch():
-    """Setting a secondary identity as main should reset the existing main identity."""
-    user = factories.UserFactory()
-    first_identity, second_identity = factories.IdentityFactory.create_batch(
-        2, user=user
-    )
-
-    assert first_identity.is_main is True
-
-    second_identity.is_main = True
-    second_identity.save()
-
-    second_identity.refresh_from_db()
-    assert second_identity.is_main is True
-
-    first_identity.refresh_from_db()
-    assert first_identity.is_main is False
-
-
-def test_models_identities_email_required():
-    """The "email" field is required."""
-    user = factories.UserFactory()
-    with pytest.raises(ValidationError, match="This field cannot be null."):
-        models.Identity.objects.create(user=user, email=None)
-
-
-def test_models_identities_user_required():
-    """The "user" field is required."""
-    with pytest.raises(models.User.DoesNotExist, match="Identity has no user."):
-        models.Identity.objects.create(user=None, email="david@example.com")
-
-
-def test_models_identities_email_unique_same_user():
-    """The "email" field should be unique for a given user."""
-    email = factories.IdentityFactory()
-
-    with pytest.raises(
-        ValidationError,
-        match="Identity with this User and Email address already exists.",
-    ):
-        factories.IdentityFactory(user=email.user, email=email.email)
-
-
-def test_models_identities_email_unique_different_users():
-    """The "email" field should not be unique among users."""
-    email = factories.IdentityFactory()
-    factories.IdentityFactory(email=email.email)
-
-
-def test_models_identities_email_normalization():
-    """The email field should be automatically normalized upon saving."""
-    email = factories.IdentityFactory()
-    email.email = "Thomas.Jefferson@Example.com"
-    email.save()
-    assert email.email == "Thomas.Jefferson@example.com"
-
-
-def test_models_identities_ordering():
-    """Identitys should be returned ordered by main status then by their email address."""
-    user = factories.UserFactory()
-    factories.IdentityFactory.create_batch(5, user=user)
-
-    emails = models.Identity.objects.all()
-
-    assert emails[0].is_main is True
-    for i in range(3):
-        assert emails[i + 1].is_main is False
-        assert emails[i + 2].email >= emails[i + 1].email
-
-
-def test_models_identities_sub_null():
-    """The "sub" field should not be null."""
-    user = factories.UserFactory()
-    with pytest.raises(ValidationError, match="This field cannot be null."):
-        models.Identity.objects.create(user=user, sub=None)
-
-
-def test_models_identities_sub_blank():
-    """The "sub" field should not be blank."""
-    user = factories.UserFactory()
-    with pytest.raises(ValidationError, match="This field cannot be blank."):
-        models.Identity.objects.create(user=user, email="david@example.com", sub="")
-
-
-def test_models_identities_sub_unique():
-    """The "sub" field should be unique."""
-    user = factories.UserFactory()
-    identity = factories.IdentityFactory()
-    with pytest.raises(ValidationError, match="Identity with this Sub already exists."):
-        models.Identity.objects.create(user=user, sub=identity.sub)
-
-
-def test_models_identities_sub_max_length():
-    """The sub field should be 255 characters maximum."""
-    factories.IdentityFactory(sub="a" * 255)
-    with pytest.raises(ValidationError) as excinfo:
-        factories.IdentityFactory(sub="a" * 256)
-
-    assert (
-        str(excinfo.value)
-        == "{'sub': ['Ensure this value has at most 255 characters (it has 256).']}"
-    )
-
-
-def test_models_identities_sub_special_characters():
-    """The sub field should accept periods, dashes, +, @ and underscores."""
-    identity = factories.IdentityFactory(sub="dave.bowman-1+2@hal_9000")
-    assert identity.sub == "dave.bowman-1+2@hal_9000"
-
-
-def test_models_identities_sub_spaces():
-    """The sub field should not accept spaces."""
-    with pytest.raises(ValidationError) as excinfo:
-        factories.IdentityFactory(sub="a b")
-
-    assert str(excinfo.value) == (
-        "{'sub': ['Enter a valid sub. This value may contain only letters, numbers, "
-        "and @/./+/-/_ characters.']}"
-    )
-
-
-def test_models_identities_sub_upper_case():
-    """The sub field should accept upper case characters."""
-    identity = factories.IdentityFactory(sub="John")
-    assert identity.sub == "John"
-
-
-def test_models_identities_sub_ascii():
-    """The sub field should accept non ASCII letters."""
-    identity = factories.IdentityFactory(sub="rené")
-    assert identity.sub == "rené"

src/backend/core/tests/test_models_team_accesses.py

@@ -1,264 +0,0 @@
-"""
-Unit tests for the TeamAccess model
-"""
-from django.contrib.auth.models import AnonymousUser
-from django.core.exceptions import ValidationError
-
-import pytest
-
-from core import factories
-
-pytestmark = pytest.mark.django_db
-
-
-def test_models_team_accesses_str():
-    """
-    The str representation should include user name, team full name and role.
-    """
-    contact = factories.ContactFactory(full_name="David Bowman")
-    user = contact.owner
-    user.profile_contact = contact
-    user.save()
-    access = factories.TeamAccessFactory(
-        role="member",
-        user=user,
-        team__name="admins",
-    )
-    assert str(access) == "David Bowman is member in team admins"
-
-
-def test_models_team_accesses_unique():
-    """Team accesses should be unique for a given couple of user and team."""
-    access = factories.TeamAccessFactory()
-
-    with pytest.raises(
-        ValidationError,
-        match="Team/user relation with this User and Team already exists.",
-    ):
-        factories.TeamAccessFactory(user=access.user, team=access.team)
-
-
-# get_abilities
-
-
-def test_models_team_access_get_abilities_anonymous():
-    """Check abilities returned for an anonymous user."""
-    access = factories.TeamAccessFactory()
-    abilities = access.get_abilities(AnonymousUser())
-    assert abilities == {
-        "delete": False,
-        "get": False,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-def test_models_team_access_get_abilities_authenticated():
-    """Check abilities returned for an authenticated user."""
-    access = factories.TeamAccessFactory()
-    user = factories.UserFactory()
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": False,
-        "get": False,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-# - for owner
-
-
-def test_models_team_access_get_abilities_for_owner_of_self_allowed():
-    """
-    Check abilities of self access for the owner of a team when there is more than one user left.
-    """
-    access = factories.TeamAccessFactory(role="owner")
-    factories.TeamAccessFactory(team=access.team, role="owner")
-    abilities = access.get_abilities(access.user)
-    assert abilities == {
-        "delete": True,
-        "get": True,
-        "patch": True,
-        "put": True,
-        "set_role_to": ["administrator", "member"],
-    }
-
-
-def test_models_team_access_get_abilities_for_owner_of_self_last():
-    """Check abilities of self access for the owner of a team when there is only one owner left."""
-    access = factories.TeamAccessFactory(role="owner")
-    abilities = access.get_abilities(access.user)
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-def test_models_team_access_get_abilities_for_owner_of_owner():
-    """Check abilities of owner access for the owner of a team."""
-    access = factories.TeamAccessFactory(role="owner")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="owner").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-def test_models_team_access_get_abilities_for_owner_of_administrator():
-    """Check abilities of administrator access for the owner of a team."""
-    access = factories.TeamAccessFactory(role="administrator")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="owner").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": True,
-        "get": True,
-        "patch": True,
-        "put": True,
-        "set_role_to": ["owner", "member"],
-    }
-
-
-def test_models_team_access_get_abilities_for_owner_of_member():
-    """Check abilities of member access for the owner of a team."""
-    access = factories.TeamAccessFactory(role="member")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="owner").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": True,
-        "get": True,
-        "patch": True,
-        "put": True,
-        "set_role_to": ["owner", "administrator"],
-    }
-
-
-# - for administrator
-
-
-def test_models_team_access_get_abilities_for_administrator_of_owner():
-    """Check abilities of owner access for the administrator of a team."""
-    access = factories.TeamAccessFactory(role="owner")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="administrator").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-def test_models_team_access_get_abilities_for_administrator_of_administrator():
-    """Check abilities of administrator access for the administrator of a team."""
-    access = factories.TeamAccessFactory(role="administrator")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="administrator").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": True,
-        "get": True,
-        "patch": True,
-        "put": True,
-        "set_role_to": ["member"],
-    }
-
-
-def test_models_team_access_get_abilities_for_administrator_of_member():
-    """Check abilities of member access for the administrator of a team."""
-    access = factories.TeamAccessFactory(role="member")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="administrator").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": True,
-        "get": True,
-        "patch": True,
-        "put": True,
-        "set_role_to": ["administrator"],
-    }
-
-
-# - for member
-
-
-def test_models_team_access_get_abilities_for_member_of_owner():
-    """Check abilities of owner access for the member of a team."""
-    access = factories.TeamAccessFactory(role="owner")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="member").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-def test_models_team_access_get_abilities_for_member_of_administrator():
-    """Check abilities of administrator access for the member of a team."""
-    access = factories.TeamAccessFactory(role="administrator")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="member").user
-    abilities = access.get_abilities(user)
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-def test_models_team_access_get_abilities_for_member_of_member_user(
-    django_assert_num_queries
-):
-    """Check abilities of member access for the member of a team."""
-    access = factories.TeamAccessFactory(role="member")
-    factories.TeamAccessFactory(team=access.team)  # another one
-    user = factories.TeamAccessFactory(team=access.team, role="member").user
-
-    with django_assert_num_queries(1):
-        abilities = access.get_abilities(user)
-
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }
-
-
-def test_models_team_access_get_abilities_preset_role(django_assert_num_queries):
-    """No query is done if the role is preset, e.g., with a query annotation."""
-    access = factories.TeamAccessFactory(role="member")
-    user = factories.TeamAccessFactory(team=access.team, role="member").user
-    access.user_role = "member"
-
-    with django_assert_num_queries(0):
-        abilities = access.get_abilities(user)
-
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "set_role_to": [],
-    }

src/backend/core/tests/test_models_teams.py

@@ -1,135 +0,0 @@
-"""
-Unit tests for the Team model
-"""
-from django.contrib.auth.models import AnonymousUser
-from django.core.exceptions import ValidationError
-
-import pytest
-
-from core import factories, models
-
-pytestmark = pytest.mark.django_db
-
-
-def test_models_teams_str():
-    """The str representation should be the name of the team."""
-    team = factories.TeamFactory(name="admins")
-    assert str(team) == "admins"
-
-
-def test_models_teams_id_unique():
-    """The "id" field should be unique."""
-    team = factories.TeamFactory()
-    with pytest.raises(ValidationError, match="Team with this Id already exists."):
-        factories.TeamFactory(id=team.id)
-
-
-def test_models_teams_name_null():
-    """The "name" field should not be null."""
-    with pytest.raises(ValidationError, match="This field cannot be null."):
-        models.Team.objects.create(name=None)
-
-
-def test_models_teams_name_empty():
-    """The "name" field should not be empty."""
-    with pytest.raises(ValidationError, match="This field cannot be blank."):
-        models.Team.objects.create(name="")
-
-
-def test_models_teams_name_max_length():
-    """The "name" field should be 100 characters maximum."""
-    factories.TeamFactory(name="a " * 50)
-    with pytest.raises(
-        ValidationError,
-        match=r"Ensure this value has at most 100 characters \(it has 102\)\.",
-    ):
-        factories.TeamFactory(name="a " * 51)
-
-
-# get_abilities
-
-
-def test_models_teams_get_abilities_anonymous():
-    """Check abilities returned for an anonymous user."""
-    team = factories.TeamFactory()
-    abilities = team.get_abilities(AnonymousUser())
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "manage_accesses": False,
-    }
-
-
-def test_models_teams_get_abilities_authenticated():
-    """Check abilities returned for an authenticated user."""
-    team = factories.TeamFactory()
-    abilities = team.get_abilities(factories.UserFactory())
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "manage_accesses": False,
-    }
-
-
-def test_models_teams_get_abilities_owner():
-    """Check abilities returned for the owner of a team."""
-    user = factories.UserFactory()
-    access = factories.TeamAccessFactory(role="owner", user=user)
-    abilities = access.team.get_abilities(access.user)
-    assert abilities == {
-        "delete": True,
-        "get": True,
-        "patch": True,
-        "put": True,
-        "manage_accesses": True,
-    }
-
-
-def test_models_teams_get_abilities_administrator():
-    """Check abilities returned for the administrator of a team."""
-    access = factories.TeamAccessFactory(role="administrator")
-    abilities = access.team.get_abilities(access.user)
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": True,
-        "put": True,
-        "manage_accesses": True,
-    }
-
-
-def test_models_teams_get_abilities_member_user(django_assert_num_queries):
-    """Check abilities returned for the member of a team."""
-    access = factories.TeamAccessFactory(role="member")
-
-    with django_assert_num_queries(1):
-        abilities = access.team.get_abilities(access.user)
-
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "manage_accesses": False,
-    }
-
-
-def test_models_teams_get_abilities_preset_role(django_assert_num_queries):
-    """No query is done if the role is preset e.g. with query annotation."""
-    access = factories.TeamAccessFactory(role="member")
-    access.team.user_role = "member"
-
-    with django_assert_num_queries(0):
-        abilities = access.team.get_abilities(access.user)
-
-    assert abilities == {
-        "delete": False,
-        "get": True,
-        "patch": False,
-        "put": False,
-        "manage_accesses": False,
-    }

src/backend/core/tests/test_models_template_accesses.py

@@ -0,0 +1,256 @@
+"""
+Unit tests for the TemplateAccess model
+"""
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core import factories
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_template_accesses_str():
+    """
+    The str representation should include user email, template title and role.
+    """
+    user = factories.UserFactory(email="david.bowman@example.com")
+    access = factories.TemplateAccessFactory(
+        role="member",
+        user=user,
+        template__title="admins",
+    )
+    assert str(access) == "david.bowman@example.com is member in template admins"
+
+
+def test_models_template_accesses_unique():
+    """Template accesses should be unique for a given couple of user and template."""
+    access = factories.TemplateAccessFactory()
+
+    with pytest.raises(
+        ValidationError,
+        match="Template/user relation with this User and Template already exists.",
+    ):
+        factories.TemplateAccessFactory(user=access.user, template=access.template)
+
+
+# get_abilities
+
+
+def test_models_template_access_get_abilities_anonymous():
+    """Check abilities returned for an anonymous user."""
+    access = factories.TemplateAccessFactory()
+    abilities = access.get_abilities(AnonymousUser())
+    assert abilities == {
+        "destroy": False,
+        "retrieve": False,
+        "update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_template_access_get_abilities_authenticated():
+    """Check abilities returned for an authenticated user."""
+    access = factories.TemplateAccessFactory()
+    user = factories.UserFactory()
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": False,
+        "update": False,
+        "set_role_to": [],
+    }
+
+
+# - for owner
+
+
+def test_models_template_access_get_abilities_for_owner_of_self_allowed():
+    """
+    Check abilities of self access for the owner of a template when
+    there is more than one owner left.
+    """
+    access = factories.TemplateAccessFactory(role="owner")
+    factories.TemplateAccessFactory(template=access.template, role="owner")
+    abilities = access.get_abilities(access.user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "set_role_to": ["administrator", "member"],
+    }
+
+
+def test_models_template_access_get_abilities_for_owner_of_self_last():
+    """
+    Check abilities of self access for the owner of a template when there is only one owner left.
+    """
+    access = factories.TemplateAccessFactory(role="owner")
+    abilities = access.get_abilities(access.user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_template_access_get_abilities_for_owner_of_owner():
+    """Check abilities of owner access for the owner of a template."""
+    access = factories.TemplateAccessFactory(role="owner")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(template=access.template, role="owner").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "set_role_to": ["administrator", "member"],
+    }
+
+
+def test_models_template_access_get_abilities_for_owner_of_administrator():
+    """Check abilities of administrator access for the owner of a template."""
+    access = factories.TemplateAccessFactory(role="administrator")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(template=access.template, role="owner").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "set_role_to": ["owner", "member"],
+    }
+
+
+def test_models_template_access_get_abilities_for_owner_of_member():
+    """Check abilities of member access for the owner of a template."""
+    access = factories.TemplateAccessFactory(role="member")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(template=access.template, role="owner").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "set_role_to": ["owner", "administrator"],
+    }
+
+
+# - for administrator
+
+
+def test_models_template_access_get_abilities_for_administrator_of_owner():
+    """Check abilities of owner access for the administrator of a template."""
+    access = factories.TemplateAccessFactory(role="owner")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(
+        template=access.template, role="administrator"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_template_access_get_abilities_for_administrator_of_administrator():
+    """Check abilities of administrator access for the administrator of a template."""
+    access = factories.TemplateAccessFactory(role="administrator")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(
+        template=access.template, role="administrator"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "set_role_to": ["member"],
+    }
+
+
+def test_models_template_access_get_abilities_for_administrator_of_member():
+    """Check abilities of member access for the administrator of a template."""
+    access = factories.TemplateAccessFactory(role="member")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(
+        template=access.template, role="administrator"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "set_role_to": ["administrator"],
+    }
+
+
+# - for member
+
+
+def test_models_template_access_get_abilities_for_member_of_owner():
+    """Check abilities of owner access for the member of a template."""
+    access = factories.TemplateAccessFactory(role="owner")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(template=access.template, role="member").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_template_access_get_abilities_for_member_of_administrator():
+    """Check abilities of administrator access for the member of a template."""
+    access = factories.TemplateAccessFactory(role="administrator")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(template=access.template, role="member").user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_template_access_get_abilities_for_member_of_member_user(
+    django_assert_num_queries
+):
+    """Check abilities of member access for the member of a template."""
+    access = factories.TemplateAccessFactory(role="member")
+    factories.TemplateAccessFactory(template=access.template)  # another one
+    user = factories.TemplateAccessFactory(template=access.template, role="member").user
+
+    with django_assert_num_queries(1):
+        abilities = access.get_abilities(user)
+
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_template_access_get_abilities_preset_role(django_assert_num_queries):
+    """No query is done if the role is preset, e.g., with a query annotation."""
+    access = factories.TemplateAccessFactory(role="member")
+    user = factories.TemplateAccessFactory(template=access.template, role="member").user
+    access.user_role = "member"
+
+    with django_assert_num_queries(0):
+        abilities = access.get_abilities(user)
+
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "set_role_to": [],
+    }

src/backend/core/tests/test_models_templates.py

@@ -0,0 +1,161 @@
+"""
+Unit tests for the Template model
+"""
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_templates_str():
+    """The str representation should be the title of the template."""
+    template = factories.TemplateFactory(title="admins")
+    assert str(template) == "admins"
+
+
+def test_models_templates_id_unique():
+    """The "id" field should be unique."""
+    template = factories.TemplateFactory()
+    with pytest.raises(ValidationError, match="Template with this Id already exists."):
+        factories.TemplateFactory(id=template.id)
+
+
+def test_models_templates_title_null():
+    """The "title" field should not be null."""
+    with pytest.raises(ValidationError, match="This field cannot be null."):
+        models.Template.objects.create(title=None)
+
+
+def test_models_templates_title_empty():
+    """The "title" field should not be empty."""
+    with pytest.raises(ValidationError, match="This field cannot be blank."):
+        models.Template.objects.create(title="")
+
+
+def test_models_templates_title_max_length():
+    """The "title" field should be 100 characters maximum."""
+    factories.TemplateFactory(title="a" * 255)
+    with pytest.raises(
+        ValidationError,
+        match=r"Ensure this value has at most 255 characters \(it has 256\)\.",
+    ):
+        factories.TemplateFactory(title="a" * 256)
+
+
+# get_abilities
+
+
+def test_models_templates_get_abilities_anonymous_public():
+    """Check abilities returned for an anonymous user if the template is public."""
+    template = factories.TemplateFactory(is_public=True)
+    abilities = template.get_abilities(AnonymousUser())
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "manage_accesses": False,
+        "generate_document": True,
+    }
+
+
+def test_models_templates_get_abilities_anonymous_not_public():
+    """Check abilities returned for an anonymous user if the template is private."""
+    template = factories.TemplateFactory(is_public=False)
+    abilities = template.get_abilities(AnonymousUser())
+    assert abilities == {
+        "destroy": False,
+        "retrieve": False,
+        "update": False,
+        "manage_accesses": False,
+        "generate_document": False,
+    }
+
+
+def test_models_templates_get_abilities_authenticated_public():
+    """Check abilities returned for an authenticated user if the user is public."""
+    template = factories.TemplateFactory(is_public=True)
+    abilities = template.get_abilities(factories.UserFactory())
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "manage_accesses": False,
+        "generate_document": True,
+    }
+
+
+def test_models_templates_get_abilities_authenticated_not_public():
+    """Check abilities returned for an authenticated user if the template is private."""
+    template = factories.TemplateFactory(is_public=False)
+    abilities = template.get_abilities(factories.UserFactory())
+    assert abilities == {
+        "destroy": False,
+        "retrieve": False,
+        "update": False,
+        "manage_accesses": False,
+        "generate_document": False,
+    }
+
+
+def test_models_templates_get_abilities_owner():
+    """Check abilities returned for the owner of a template."""
+    user = factories.UserFactory()
+    access = factories.TemplateAccessFactory(role="owner", user=user)
+    abilities = access.template.get_abilities(access.user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "manage_accesses": True,
+        "generate_document": True,
+    }
+
+
+def test_models_templates_get_abilities_administrator():
+    """Check abilities returned for the administrator of a template."""
+    access = factories.TemplateAccessFactory(role="administrator")
+    abilities = access.template.get_abilities(access.user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": True,
+        "manage_accesses": True,
+        "generate_document": True,
+    }
+
+
+def test_models_templates_get_abilities_member_user(django_assert_num_queries):
+    """Check abilities returned for the member of a template."""
+    access = factories.TemplateAccessFactory(role="member")
+
+    with django_assert_num_queries(1):
+        abilities = access.template.get_abilities(access.user)
+
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "manage_accesses": False,
+        "generate_document": True,
+    }
+
+
+def test_models_templates_get_abilities_preset_role(django_assert_num_queries):
+    """No query is done if the role is preset e.g. with query annotation."""
+    access = factories.TemplateAccessFactory(role="member")
+    access.template.user_role = "member"
+
+    with django_assert_num_queries(0):
+        abilities = access.template.get_abilities(access.user)
+
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "manage_accesses": False,
+        "generate_document": True,
+    }

src/backend/core/tests/test_models_users.py

@@ -7,19 +7,15 @@ from django.core.exceptions import ValidationError
 
 import pytest
 
-from core import factories, models
+from core import factories
 
 pytestmark = pytest.mark.django_db
 
 
 def test_models_users_str():
-    """The str representation should be the full name."""
+    """The str representation should be the email."""
     user = factories.UserFactory()
-    contact = factories.ContactFactory(full_name="david bowman", owner=user)
-    user.profile_contact = contact
-    user.save()
-
-    assert str(user) == "david bowman"
+    assert str(user) == user.email
 
 
 def test_models_users_id_unique():
@@ -29,55 +25,21 @@ def test_models_users_id_unique():
         factories.UserFactory(id=user.id)
 
 
-def test_models_users_profile_not_owned():
-    """A user cannot declare as profile a contact that not is owned."""
-    user = factories.UserFactory()
-    contact = factories.ContactFactory(base=None, owner=None)
-
-    user.profile_contact = contact
-    with pytest.raises(ValidationError) as excinfo:
-        user.save()
-
-    assert (
-        str(excinfo.value)
-        == "{'__all__': ['Users can only declare as profile a contact they own.']}"
-    )
-
-
-def test_models_users_profile_owned_by_other():
-    """A user cannot declare as profile a contact that is owned by another user."""
-    user = factories.UserFactory()
-    contact = factories.ContactFactory()
-
-    user.profile_contact = contact
-    with pytest.raises(ValidationError) as excinfo:
-        user.save()
-
-    assert (
-        str(excinfo.value)
-        == "{'__all__': ['Users can only declare as profile a contact they own.']}"
-    )
-
-
 def test_models_users_send_mail_main_existing():
-    """The "email_user' method should send mail to the user's main email address."""
-    main_email = factories.IdentityFactory(email="dave@example.com")
-    user = main_email.user
-    factories.IdentityFactory.create_batch(2, user=user)
+    """The "email_user' method should send mail to the user's email address."""
+    user = factories.UserFactory()
 
     with mock.patch("django.core.mail.send_mail") as mock_send:
         user.email_user("my subject", "my message")
 
-    mock_send.assert_called_once_with(
-        "my subject", "my message", None, ["dave@example.com"]
-    )
+    mock_send.assert_called_once_with("my subject", "my message", None, [user.email])
 
 
 def test_models_users_send_mail_main_missing():
     """The "email_user' method should fail if the user has no email address."""
-    user = factories.UserFactory()
+    user = factories.UserFactory(email=None)
 
-    with pytest.raises(models.Identity.DoesNotExist) as excinfo:
+    with pytest.raises(ValueError) as excinfo:
         user.email_user("my subject", "my message")
 
-    assert str(excinfo.value) == "Identity matching query does not exist."
+    assert str(excinfo.value) == "User has no email address."

src/backend/core/tests/utils.py

@@ -7,15 +7,9 @@ class OIDCToken(AccessToken):
 
     @classmethod
     def for_user(cls, user):
-        token = super().for_user(user)
-        identity = user.identities.filter(is_main=True).first()
-        token["first_name"] = (
-            user.profile_contact.short_name if user.profile_contact else "David"
-        )
-        token["last_name"] = (
-            " ".join(user.profile_contact.full_name.split()[1:])
-            if user.profile_contact
-            else "Bowman"
-        )
-        token["email"] = identity.email
+        """Returns an authorization token for the given user for testing."""
+        token = cls()
+        token["sub"] = str(user.sub)
+        token["email"] = user.email
+
         return token