takahe/tests/activities/views/test_posts.py

26 lines
777 B
Python
Raw Normal View History

import pytest
2022-11-27 18:09:46 +00:00
from django.core.exceptions import PermissionDenied
2022-11-27 18:09:46 +00:00
from activities.models import Post
2022-12-02 23:46:43 +00:00
from activities.views.posts import Delete
2022-11-27 18:09:46 +00:00
@pytest.mark.django_db
def test_post_delete_security(identity, user, rf, other_identity):
# Create post
other_post = Post.objects.create(
content="<p>OTHER POST!</p>",
author=other_identity,
local=True,
visibility=Post.Visibilities.public,
)
request = rf.post(other_post.get_absolute_url() + "delete/")
request.user = user
request.identity = identity
view = Delete.as_view()
with pytest.raises(PermissionDenied) as ex:
view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id)
assert str(ex.value) == "Post author is not requestor"