diff --git a/backend/requirements.txt b/backend/requirements.txt
index 346da44..7576862 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -6,11 +6,13 @@ cffi==1.16.0
 charset-normalizer==3.3.2
 click==8.1.7
 colorama==0.4.6
+coverage==7.7.1
 cryptography==42.0.8
 Django==4.0.8
 django-cors-headers==3.13.0
 django-rest-knox==5.0.0
 djangorestframework==3.13.1
+djangorestframework-simplejwt==5.3.1
 dynaconf==3.2.5
 hvac==2.3.0
 idna==3.7
@@ -31,4 +33,3 @@ tzdata==2024.1
 urllib3==2.2.2
 validators==0.33.0
 win32-setctime==1.1.0
-djangorestframework-simplejwt==5.3.1
diff --git a/backend/tests/test_tc005.py b/backend/tests/test_tc005.py
new file mode 100644
index 0000000..dcfc667
--- /dev/null
+++ b/backend/tests/test_tc005.py
@@ -0,0 +1,92 @@
+from rest_framework.test import APIClient
+from django.test import TestCase
+from workouts.models import Exercise, Workout
+from django.contrib.auth import get_user_model
+from django.urls import reverse
+from rest_framework import status
+from django.utils import timezone
+import datetime
+
+class TestTC005(TestCase):
+    """
+    When an athlete wants to view the list of all workouts, they only get displayed workouts they own or are public. This creates three classes:
+    A workout they own
+    A workout they do not own and is public
+    A workout they do not own and is not public
+    The athlete should only be able to view the first two workouts.
+    """
+
+    def setUp(self):
+        # Create users
+        User = get_user_model()
+        self.athlete = User.objects.create_user(
+            username='athlete',
+            email='athlete@example.com',
+            password='password123'
+        )
+        self.other_user = User.objects.create_user(
+            username='otheruser',
+            email='other@example.com',
+            password='password123'
+        )
+
+        # Use timezone-aware datetime objects
+        date = timezone.make_aware(datetime.datetime(2023, 1, 1))
+
+        # Create workouts
+        # 1. Workout owned by athlete
+        self.athlete_workout = Workout.objects.create(
+            name='Athlete Workout',
+            owner=self.athlete,
+            date=date,
+            notes='This is my workout',
+            visibility='PU' # Public by default, but owned by athlete
+        )
+
+        # 2. Public workout owned by other user
+        self.public_workout = Workout.objects.create(
+            name='Public Workout',
+            owner=self.other_user,
+            date=date,
+            notes='This is a public workout',
+            visibility='PU' # Public
+        )
+
+        # 3. Private workout owned by other user
+        self.private_workout = Workout.objects.create(
+            name='Private Workout',
+            owner=self.other_user,
+            date=date,
+            notes='This is a private workout',
+            visibility='PR' # Private
+        )
+
+        # Set up API client
+        self.client = APIClient()
+
+    def test_athlete_can_only_view_own_and_public_workouts(self):
+        """Test that athletes can only see their own workouts and public workouts."""
+        # Login as the athlete
+        self.client.force_authenticate(user=self.athlete)
+
+        # Get the list of workouts
+        url = reverse('workout-list')
+        response = self.client.get(url)
+
+        # Check response status
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # Get the workout IDs from the response
+        workout_ids = [workout['id'] for workout in response.data]
+
+        # Verify the athlete can see their own workout
+        self.assertIn(self.athlete_workout.id, workout_ids)
+
+        # Verify the athlete can see public workouts from other users
+        self.assertIn(self.public_workout.id, workout_ids)
+
+        # Verify the athlete cannot see private workouts from other users
+        self.assertNotIn(self.private_workout.id, workout_ids)
+
+        # Verify only two workouts are returned (owned + public)
+        self.assertEqual(len(workout_ids), 2)
\ No newline at end of file
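Review bot: The owned-workout case in setUp does not actually exercise ownership: `self.athlete_workout` is created with `visibility='PU'`, so `assertIn(self.athlete_workout.id, workout_ids)` passes for any public workout, and a list view that filtered on visibility alone while ignoring `owner` would still satisfy every assertion in this test. Creating the athlete's own workout as private, `visibility='PR'  # private, but owned by athlete`, makes that assertion prove the owner path while keeping the expected count of 2. The `Exercise` name in `from workouts.models import Exercise, Workout` is never used and can be dropped. The assertions also assume `response.data` is an unpaginated list; if the workout list view paginates, the ids would presumably sit under `response.data['results']` — worth confirming against the view.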