From 6ae195b90c9899ccf8cf61c88e1ede1794ae5c77 Mon Sep 17 00:00:00 2001
From: Marie PUPO JEAMMET
Date: Tue, 27 Jan 2026 11:54:39 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A5(cleanup)=20remove=20comment=20from?= =?UTF-8?q?=20permissions=20file?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

remote remaining commented line from previous PR's tests
---
 .../mailbox_manager/api/permissions.py | 2 +-
 .../test_api_domain_invitations_delete.py | 21 +++++++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/backend/mailbox_manager/api/permissions.py b/src/backend/mailbox_manager/api/permissions.py
index 9a730a1..d67d822 100644
--- a/src/backend/mailbox_manager/api/permissions.py
+++ b/src/backend/mailbox_manager/api/permissions.py
@@ -26,7 +26,7 @@ class DomainPermission(IsAuthenticated):
 slug=view.kwargs.get("domain_slug", ""),
 accesses__user=request.user,
 )
- # domain = models.MailDomain.objects.get(slug=view.kwargs.get("domain_slug", ""))
+
 abilities = domain.get_abilities(request.user)
 if request.method.lower() == "delete":
 return abilities.get("manage_accesses", False)
diff --git a/src/backend/mailbox_manager/tests/api/invitations/test_api_domain_invitations_delete.py b/src/backend/mailbox_manager/tests/api/invitations/test_api_domain_invitations_delete.py
index c92a83e..db3fd04 100644
--- a/src/backend/mailbox_manager/tests/api/invitations/test_api_domain_invitations_delete.py
+++ b/src/backend/mailbox_manager/tests/api/invitations/test_api_domain_invitations_delete.py
@@ -1,5 +1,5 @@
 """
-Tests for MailDomainInvitations API endpoint in People's app mailbox_manager.
+Tests for MailDomainInvitation API endpoint in People's app mailbox_manager.
 Focus on "delete" action.
 """
@@ -7,7 +7,7 @@ import pytest
 from rest_framework import status
 from rest_framework.test import APIClient
-from mailbox_manager import factories
+from mailbox_manager import factories, models
 pytestmark = pytest.mark.django_db
@@ -24,6 +24,7 @@ def test_api_domain_invitations__delete__anonymous():
 assert response.json() == {
 "detail": "Authentication credentials were not provided."
 }
+ assert models.MailDomainInvitation.objects.count() == 1
 def test_api_domain_invitations__delete__no_access_not_found():
@@ -40,6 +41,21 @@ def test_api_domain_invitations__delete__no_access_not_found():
 f"/api/v1.0/mail-domains/{domain.slug}/invitations/{invitation.id}/",
 )
 assert response.status_code == status.HTTP_404_NOT_FOUND
+ assert models.MailDomainInvitation.objects.count() == 1
+
+
+def test_api_domain_invitations__delete__viewers_forbidden():
+ """Domain viewers should not be permitted to delete invitations."""
+ access = factories.MailDomainAccessFactory(role="viewer")
+ invitation = factories.MailDomainInvitationFactory(domain=access.domain)
+
+ client = APIClient()
+ client.force_login(access.user)
+ response = client.delete(
+ f"/api/v1.0/mail-domains/{access.domain.slug}/invitations/{invitation.id}/",
+ )
+ assert response.status_code == status.HTTP_403_FORBIDDEN
+ assert models.MailDomainInvitation.objects.count() == 1
 @pytest.mark.parametrize(
@@ -57,3 +73,4 @@ def test_api_domain_invitations__delete_admins_ok(role):
 f"/api/v1.0/mail-domains/{access.domain.slug}/invitations/{invitation.id}/",
 )
 assert response.status_code == status.HTTP_204_NO_CONTENT
+ assert not models.MailDomainInvitation.objects.exists()
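Review bot: The tests added in the `@@ -40,6 +41,21 @@` hunk pin the role check (a `viewer` gets 403), but nothing visible covers object-level scoping: a user who may manage accesses on their own domain sending DELETE with their own `domain_slug` and the id of an invitation that belongs to a different domain. As far as the permissions.py hunk shows, `DomainPermission` resolves the domain only from the URL slug, so rejecting that request depends on the viewset filtering invitations by the same slug, which this patch does not show. A test along the lines below would pin that behaviour; the expected 404 is an assumption, so use whatever status the viewset returns for an out-of-scope id. Asserting `models.MailDomainInvitation.objects.filter(id=invitation.id).exists()` rather than `count() == 1` would also tie the forbidden and not-found checks to the row under test.

```python
# … same @pytest.mark.parametrize roles as test_api_domain_invitations__delete_admins_ok …
def test_api_domain_invitations__delete__other_domain_invitation(role):
    """Managers of one domain should not delete another domain's invitation."""
    access = factories.MailDomainAccessFactory(role=role)
    other_access = factories.MailDomainAccessFactory(role=role)
    invitation = factories.MailDomainInvitationFactory(domain=other_access.domain)

    client = APIClient()
    client.force_login(access.user)
    response = client.delete(
        f"/api/v1.0/mail-domains/{access.domain.slug}/invitations/{invitation.id}/",
    )
    assert response.status_code == status.HTTP_404_NOT_FOUND
    assert models.MailDomainInvitation.objects.filter(id=invitation.id).exists()
```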