
Add test to check an invoice can't be downloaded by unauthorized user

Fabs 11 years ago
parent
commit
a8369c13a6
2 changed files with 83 additions and 5 deletions
  1. 79 1
      coin/billing/tests.py
  2. 4 4
      coin/billing/views.py

+ 79 - 1
coin/billing/tests.py

@@ -1,3 +1,81 @@
-from django.test import TestCase
+# -*- coding: utf-8 -*-
+from django.test import TestCase, Client
+from coin.members.tests import MemberTestsUtils
+from coin.members.models import Member, LdapUser
+from coin.billing.models import Invoice
+
 
 # Create your tests here.
+class BillingTests(TestCase):
+
+	def test_download_invoice_pdf_return_a_pdf(self):
+		"""
+		Test que le téléchargement d'une facture en format pdf retourne bien un
+		pdf
+		"""
+		# Créé un membre
+		ldap_cn = MemberTestsUtils.get_random_ldap_cn()
+		member = Member(first_name = 'A', last_name = 'A',
+		                ldap_cn = ldap_cn)
+		member.save()
+		member.change_password('1234')
+
+		# Créé une facture
+		invoice = Invoice(member=member)
+		invoice.save()
+
+		#Se connect en tant que le membre
+		client = Client()
+		client.login(username = ldap_cn, password = '1234')
+		# Tente de télécharger la facture
+		response = client.get('/billing/invoice/%i/pdf' % invoice.id)
+		# Vérifie return code 200 et contient chaine %PDF-1.
+		self.assertContains(response, '%PDF-1.', status_code=200, html=False)
+		LdapUser.objects.get(pk=ldap_cn).delete();
+
+
+	def test_that_only_owner_of_invoice_can_download_it_as_pdf(self):
+		"""
+		Test qu'une facture ne peut pas être téléchargée par quelqu'un qui n'en
+		ait pas le propriétaire.
+		Test qu'une erreur 403 est bien retournée en cas de tentative
+		infructueuse
+		"""
+		# Créé un membre B
+		member_a_login = MemberTestsUtils.get_random_ldap_cn()
+		member_a_pwd = '1234'
+		member_a = Member(first_name = 'A', last_name = 'A',
+		                ldap_cn = member_a_login)
+		member_a.save()
+		member_a.change_password(member_a_pwd)
+
+		# Créé un membre B
+		member_b_login =  MemberTestsUtils.get_random_ldap_cn()
+		member_b_pwd = '1234'
+		member_b = Member(first_name = 'B', last_name = 'B',
+		                ldap_cn = member_b_login)
+		member_b.save()
+		member_b.change_password(member_b_pwd)
+
+		# Créé une facture pour le membre A
+		invoice_a = Invoice(member=member_a)
+		invoice_a.save()
+
+		# Simule une connexion en tant que A
+		client = Client()
+		client.login(username = member_a_login, password = member_a_pwd)
+		# Tente de télécharger la facture de A en tant que A
+		response = client.get('/billing/invoice/%i/pdf' % invoice_a.id)
+		# Vérifie que B a reçu retour OK 200
+		self.assertEqual(response.status_code, 200)
+
+		# Simule une connexion en tant que B
+		client = Client()
+		client.login(username = member_b_login, password = member_b_pwd)
+		# Tente de télécharger la facture de A en tant que B
+		response = client.get('/billing/invoice/%i/pdf' % invoice_a.id)
+		# Vérifie que B a reçu retour Forbidden 403
+		self.assertEqual(response.status_code, 403)
+		
+		LdapUser.objects.get(pk=member_a_login).delete();
+		LdapUser.objects.get(pk=member_b_login).delete();
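Review bot: The final 403 assertion in test_that_only_owner_of_invoice_can_download_it_as_pdf can pass for the wrong reason: `client.login()` returns False on a rejected credential and neither test checks it, so if B's login silently failed the request would go out anonymously and any 403 produced for an unauthenticated user would satisfy the assert. Guard each login with `self.assertTrue(client.login(username=member_b_login, password=member_b_pwd))` (same for A and for the first test). An explicit anonymous case is also missing, and is the one most worth pinning for an authorization test: `self.assertNotEqual(Client().get('/billing/invoice/%i/pdf' % invoice_a.id).status_code, 200)`. The trailing `LdapUser.objects.get(...).delete()` calls run only when every assert passes, so a failing run leaks LDAP entries (the TestCase transaction rollback does not reach LDAP); register them with `self.addCleanup` right after each member is created. Minor: the comment above `member_a`'s creation and the one before the first 200 check say "B" where they mean "A".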

+ 4 - 4
coin/billing/views.py

@@ -15,11 +15,11 @@ def invoice_pdf(request, id):
     try:
         invoice = Invoice.objects.get(pk=id)
     except:
-        invoice = get_object_or_404(Invoice, number=id)   
-    
-    if not invoice.has_owner(request.user) and not request.user.is_superuser:
+        invoice = get_object_or_404(Invoice, number=id)
+
+    if not invoice.has_owner(request.user.username) and not request.user.is_superuser:
         raise PermissionDenied
-    
+        
     member = invoice.member
 
     context = {"invoice": invoice, 'member':member}
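Review bot: The bare `except:` around the pk lookup on the third line catches everything — database errors, KeyboardInterrupt — and silently retries by number; narrow it to `except (Invoice.DoesNotExist, ValueError):` (ValueError covers a non-numeric `id`), which is all the fallback is meant to handle. The new ownership check passes `request.user.username`, which is the empty string for AnonymousUser; unless the view is decorated with `@login_required` above this hunk, whether an unauthenticated request is refused depends entirely on how `has_owner('')` behaves, so that case deserves a test next to the new owner/non-owner one. Note also that answering 404 for an unknown id but 403 for someone else's invoice lets any logged-in member enumerate which invoice ids exist; raising Http404 in both cases is the usual way to close that. invoice_pdf begins and ends outside this hunk.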