Implements test_tc005 and adds converage libary

for coverage reporting

backend/requirements.txt

@@ -6,11 +6,13 @@ cffi==1.16.0
 charset-normalizer==3.3.2
 click==8.1.7
 colorama==0.4.6
+coverage==7.7.1
 cryptography==42.0.8
 Django==4.0.8
 django-cors-headers==3.13.0
 django-rest-knox==5.0.0
 djangorestframework==3.13.1
+djangorestframework-simplejwt==5.3.1
 dynaconf==3.2.5
 hvac==2.3.0
 idna==3.7
@@ -31,4 +33,3 @@ tzdata==2024.1
 urllib3==2.2.2
 validators==0.33.0
 win32-setctime==1.1.0
-djangorestframework-simplejwt==5.3.1

backend/tests/test_tc005.py

@@ -0,0 +1,92 @@
+from rest_framework.test import APIClient
+from django.test import TestCase
+from workouts.models import Exercise, Workout
+from django.contrib.auth import get_user_model
+from django.urls import reverse
+from rest_framework import status
+from django.utils import timezone
+import datetime
+
+class TestTC005(TestCase):
+    """
+    When an athlete wants to view the list of all workouts, they only get displayed workouts they own or are public. This creates three classes:
+        A workout they own
+        A workout they do not own and is public
+        A workout they do not own and is not public
+    The athlete should only be able to view the first two workouts.
+    """
+
+    def setUp(self):
+        # Create users
+        User = get_user_model()
+        self.athlete = User.objects.create_user(
+            username='athlete',
+            email='athlete@example.com',
+            password='password123'
+        )
+        self.other_user = User.objects.create_user(
+            username='otheruser',
+            email='other@example.com',
+            password='password123'
+        )
+
+        # Use timezone-aware datetime objects
+        date = timezone.make_aware(datetime.datetime(2023, 1, 1))
+
+        # Create workouts
+        # 1. Workout owned by athlete
+        self.athlete_workout = Workout.objects.create(
+            name='Athlete Workout',
+            owner=self.athlete,
+            date=date,
+            notes='This is my workout',
+            visibility='PU'  # Public by default, but owned by athlete
+        )
+
+        # 2. Public workout owned by other user
+        self.public_workout = Workout.objects.create(
+            name='Public Workout',
+            owner=self.other_user,
+            date=date,
+            notes='This is a public workout',
+            visibility='PU'  # Public
+        )
+
+        # 3. Private workout owned by other user
+        self.private_workout = Workout.objects.create(
+            name='Private Workout',
+            owner=self.other_user,
+            date=date,
+            notes='This is a private workout',
+            visibility='PR'  # Private
+        )
+
+        # Set up API client
+        self.client = APIClient()
+
+    def test_athlete_can_only_view_own_and_public_workouts(self):
+        """Test that athletes can only see their own workouts and public workouts."""
+        # Login as the athlete
+        self.client.force_authenticate(user=self.athlete)
+
+        # Get the list of workouts
+        url = reverse('workout-list')
+        response = self.client.get(url)
+
+        # Check response status
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # Get the workout IDs from the response
+        workout_ids = [workout['id'] for workout in response.data]
+
+        # Verify the athlete can see their own workout
+        self.assertIn(self.athlete_workout.id, workout_ids)
+
+        # Verify the athlete can see public workouts from other users
+        self.assertIn(self.public_workout.id, workout_ids)
+
+        # Verify the athlete cannot see private workouts from other users
+        self.assertNotIn(self.private_workout.id, workout_ids)
+
+        # Verify only two workouts are returned (owned + public)
+        self.assertEqual(len(workout_ids), 2)