wrote tests for user.py and fixed bugs, passing all 10

Author: ElaineShu0312

csm_web/frontend/src/utils/queries/base.tsx

@@ -41,9 +41,9 @@ export const useProfiles = (): UseQueryResult<Profile[], Error> => {
  */
 export const useUserInfo = (): UseQueryResult<RawUserInfo, Error> => {
   const queryResult = useQuery<RawUserInfo, Error>(
-    ["userinfo"],
+    ["user"],
     async () => {
-      const response = await fetchNormalized("/userinfo");
+      const response = await fetchNormalized("/user");
       if (response.ok) {
         return await response.json();
       } else {

csm_web/scheduler/models.py

@@ -53,6 +53,7 @@ class User(AbstractUser):
 
     pronouns = models.CharField(max_length=20, default="", blank=True)
     pronunciation = models.CharField(max_length=50, default="", blank=True)
+    # xTODO: configure to use the Django Settings bucket backend
     # profile_pic = models.ImageField(upload_to='profiles/', null=True, blank=True)
     # if profile picture is implemented
     bio = models.CharField(max_length=500, default="", blank=True)

csm_web/scheduler/tests/models/test_user.py

@@ -1,10 +1,23 @@
-import pytest
+import json
 
+import pytest
+from django.urls import reverse
+from scheduler.factories import (
+    CoordinatorFactory,
+    CourseFactory,
+    MentorFactory,
+    SectionFactory,
+    StudentFactory,
+    UserFactory,
+)
 from scheduler.models import User
 
 
 @pytest.mark.django_db
 def test_create_user():
+    """
+    Test that a user can be created.
+    """
     email = "test@berkeley.edu"
     username = "test"
     user, created = User.objects.get_or_create(email=email, username=username)
@@ -13,3 +26,194 @@ def test_create_user():
     assert user.username == username
     assert User.objects.count() == 1
     assert User.objects.get(email=email).username == username
+
+
+# avoid pylint warning redefining name in outer scope
+@pytest.fixture(name="setup_permissions")
+def fixture_setup_permissions():
+    """
+    Setup users, courses, and sections for testing permissions
+    """
+    student_user = UserFactory(username="student_user")
+    other_student_user = UserFactory(username="other_student_user")
+    mentor_user = UserFactory(username="mentor_user")
+    other_mentor_user = UserFactory(username="other_mentor_user")
+    coordinator_user = UserFactory(username="coordinator_user")
+
+    # Create courses
+    course_a = CourseFactory(name="course_a")
+    course_b = CourseFactory(name="course_b")
+
+    # Assign mentors to courses
+    mentor_a = MentorFactory(user=mentor_user, course=course_a)
+    mentor_b = MentorFactory(user=other_mentor_user, course=course_b)
+    coordinator = CoordinatorFactory(user=coordinator_user, course=course_a)
+
+    # Create sections associated with the correct course via the mentor
+    section_a1 = SectionFactory(mentor=mentor_a)
+    section_b1 = SectionFactory(mentor=mentor_b)
+
+    # Ensure students are enrolled in sections that match their course
+    student_a1 = StudentFactory(user=student_user, section=section_a1, course=course_a)
+    other_student_a1 = StudentFactory(
+        user=other_student_user, section=section_a1, course=course_a
+    )
+
+    return {
+        "student_user": student_user,
+        "other_student_user": other_student_user,
+        "mentor_user": mentor_user,
+        "other_mentor_user": other_mentor_user,
+        "coordinator_user": coordinator,
+        "course_a": course_a,
+        "course_b": course_b,
+        "section_a1": section_a1,
+        "section_b1": section_b1,
+        "student_a1": student_a1,
+        "other_student_a1": other_student_a1,
+    }
+
+
+###############
+# Student tests
+###############
+
+
+@pytest.mark.django_db
+def test_student_view_own_profile(client, setup_permissions):
+    """
+    Test that a student can view their own profile.
+    """
+    student_user = setup_permissions["student_user"]
+    client.force_login(student_user)
+
+    response = client.get(reverse("user_retrieve", kwargs={"pk": student_user.pk}))
+    assert response.status_code == 200
+    assert response.data["email"] == student_user.email
+
+
+@pytest.mark.django_db
+def test_student_view_other_student_in_same_section(client, setup_permissions):
+    """
+    Test that a student can view another student in the same section.
+    """
+    student = setup_permissions["student_user"]
+    other_student = setup_permissions["other_student_user"]
+    client.force_login(student)
+    response = client.get(reverse("user_retrieve", kwargs={"pk": other_student.pk}))
+    assert response.status_code == 200
+    assert response.data["email"] == other_student.email
+
+
+@pytest.mark.django_db
+def test_student_view_mentors(client, setup_permissions):
+    """
+    Test that a student can view a mentor's profile.
+    """
+    student = setup_permissions["student_user"]
+    mentor = setup_permissions["mentor_user"]
+    client.force_login(student)
+    response = client.get(reverse("user_retrieve", kwargs={"pk": mentor.pk}))
+    assert response.status_code == 200
+    assert response.data["email"] == mentor.email
+
+
+@pytest.mark.django_db
+def test_student_edit_own_profile(client, setup_permissions):
+    """
+    Test that a student can edit their own profile.
+    """
+    student = setup_permissions["student_user"]
+    client.force_login(student)
+    edit_url = reverse("user_update", kwargs={"pk": student.pk})
+    response = client.put(
+        edit_url,
+        data=json.dumps({"first_name": "NewName"}),
+        content_type="application/json",
+    )
+    assert response.status_code == 200
+    student.refresh_from_db()
+    assert student.first_name == "NewName"
+
+
+##############
+# Mentor tests
+##############
+@pytest.mark.django_db
+def test_mentor_view_own_profile(client, setup_permissions):
+    """
+    Test that a mentor can view their own profile.
+    """
+    mentor_user = setup_permissions["mentor_user"]
+    client.force_login(mentor_user)
+
+    response = client.get(reverse("user_retrieve", kwargs={"pk": mentor_user.pk}))
+    assert response.status_code == 200
+    assert response.data["email"] == mentor_user.email
+
+
+@pytest.mark.django_db
+def test_mentor_view_students_in_course(client, setup_permissions):
+    """
+    Test that a mentor can view student profiles in the course they teach.
+    """
+    mentor_user = setup_permissions["mentor_user"]
+    student_user = setup_permissions["student_user"]
+    client.force_login(mentor_user)
+
+    response = client.get(reverse("user_retrieve", kwargs={"pk": student_user.pk}))
+    assert response.status_code == 200
+    assert response.data["email"] == student_user.email
+
+
+@pytest.mark.django_db
+def test_mentor_cannot_edit_other_profiles(client, setup_permissions):
+    """
+    Test that a mentor cannot edit another student's or mentor's profile.
+    """
+    mentor_user = setup_permissions["mentor_user"]
+    other_student_user = setup_permissions["other_student_user"]
+    client.force_login(mentor_user)
+    response = client.put(
+        reverse("user_update", kwargs={"pk": other_student_user.pk}),
+        data=json.dumps({"first_name": "new_username"}),
+        content_type="application/json",
+    )
+    assert response.status_code == 403
+
+
+###################
+# Coordinator tests
+###################
+
+
+@pytest.mark.django_db
+def test_coordinator_view_all_profiles_in_course(client, setup_permissions):
+    """
+    Test that a coordinator can view all profiles in the course they coordinate.
+    """
+    coordinator_user = setup_permissions["coordinator_user"]
+    student_user = setup_permissions["student_user"]
+    client.force_login(coordinator_user)
+
+    response = client.get(reverse("user_retrieve", kwargs={"pk": student_user.pk}))
+    assert response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_coordinator_edit_all_profiles_in_course(client, setup_permissions):
+    """
+    Test that a coordinator can edit all profiles in the course they coordinate.
+    """
+    coordinator_user = setup_permissions["coordinator_user"]
+    student_user = setup_permissions["student_user"]
+    client.force_login(coordinator_user)
+
+    response = client.put(
+        reverse("user_update", kwargs={"pk": student_user.pk}),
+        data=json.dumps({"first_name": "new_student_name"}),
+        content_type="application/json",
+    )
+    assert response.status_code == 200
+    student_user.refresh_from_db()
+    assert student_user.first_name == "new_student_name"

csm_web/scheduler/urls.py

@@ -15,7 +15,7 @@
 urlpatterns = router.urls
 
 urlpatterns += [
-    path("user_info/", views.user_info, name="user_info"),
+    path("user/", views.user_info, name="user"),
     path("user/<int:pk>/", views.user_retrieve, name="user_retrieve"),
     path("user/<int:pk>/update/", views.user_update, name="user_update"),
     path("matcher/active/", views.matcher.active),

csm_web/scheduler/views/user.py

@@ -37,6 +37,10 @@ def has_permission(request_user, target_user):
     if request_user == target_user:
         return True
 
+    # if the target user is a mentor, return True
+    if Mentor.objects.filter(user=target_user).exists():
+        return True
+
     # if requestor is a student, get all the sections they are in
     # if the target user is a student in any of those sections, return True
     if Student.objects.filter(user=request_user).exists():
@@ -51,14 +55,14 @@ def has_permission(request_user, target_user):
                 return True
 
         # if the target user is a mentor in any of the courses the student is in, return True
-        if Mentor.objects.filter(user=target_user).exists():
-            target_user_courses = Mentor.objects.filter(user=target_user).values_list(
-                "course", flat=True
-            )
-            if Student.objects.filter(
-                user=request_user, course__in=target_user_courses
-            ).exists():
-                return True
+        # if Mentor.objects.filter(user=target_user).exists():
+        #     target_user_courses = Mentor.objects.filter(user=target_user).values_list(
+        #         "course", flat=True
+        #     )
+        #     if Student.objects.filter(
+        #         user=request_user, course__in=target_user_courses
+        #     ).exists():
+        #         return True
 
     # if requestor is a mentor, get all the courses they mentor
     # if the target user is a student or mentor in any of those courses, return True
@@ -69,8 +73,8 @@ def has_permission(request_user, target_user):
 
         if Student.objects.filter(user=target_user, course__in=mentor_courses).exists():
             return True
-        if Mentor.objects.filter(user=target_user, course__in=mentor_courses).exists():
-            return True
+        # if Mentor.objects.filter(user=target_user, course__in=mentor_courses).exists():
+        #     return True
 
     # if requestor is a coordinator, get all the courses they coordinate
     # if the target user is a student or mentor in any of those courses, return True
@@ -82,10 +86,10 @@ def has_permission(request_user, target_user):
             user=target_user, course__in=coordinator_courses
         ).exists():
             return True
-        if Mentor.objects.filter(
-            user=target_user, course__in=coordinator_courses
-        ).exists():
-            return True
+        # if Mentor.objects.filter(
+        #     user=target_user, course__in=coordinator_courses
+        # ).exists():
+        #     return True
         if Coordinator.objects.filter(
             user=target_user, course__in=coordinator_courses
         ).exists():
@@ -122,17 +126,17 @@ def user_update(request, pk):
     except User.DoesNotExist:
         return Response({"detail": "Not found."}, status=status.HTTP_404_NOT_FOUND)
 
-    if not request.user == user:
-        raise PermissionDenied("You do not have permission to edit this profile")
-
-    coordinator_courses = Coordinator.objects.filter(user=request.user).values_list(
-        "course", flat=True
-    )
-
-    if not Coordinator.objects.filter(
-        user=request.user, course_in=coordinator_courses
-    ).exists():
-        raise PermissionDenied("You do not have permission to edit this profile")
+    if request.user == user:
+        pass
+    else:
+        # Check if the user is a coordinator and has permission
+        coordinator_courses = Coordinator.objects.filter(user=request.user).values_list(
+            "course", flat=True
+        )
+        if not Coordinator.objects.filter(
+            user=request.user, course__in=coordinator_courses
+        ).exists():
+            raise PermissionDenied("You do not have permission to edit this profile")
 
     serializer = UserSerializer(user, data=request.data, partial=True)
     if serializer.is_valid():

cypress/e2e/course/restricted-courses.cy.ts

@@ -72,7 +72,7 @@ describe("whitelisted courses", () => {
     cy.login();
 
     cy.intercept("/api/courses").as("get-courses");
-    cy.intercept("/api/userinfo").as("get-userinfo");
+    cy.intercept("/api/user").as("get-user");
 
     cy.visit("/");
     cy.wait("@get-courses");
@@ -82,7 +82,7 @@ describe("whitelisted courses", () => {
 
     // view courses
     cy.contains(".primary-btn", /add course/i).click();
-    cy.wait("@get-userinfo");
+    cy.wait("@get-user");
     cy.contains(".page-title", /which course/i).should("be.visible");
 
     // should have two buttons at the top
@@ -126,7 +126,7 @@ describe("whitelisted courses", () => {
     cy.login();
 
     cy.intercept("/api/courses").as("get-courses");
-    cy.intercept("/api/userinfo").as("get-userinfo");
+    cy.intercept("/api/user").as("get-user");
 
     cy.visit("/");
     cy.wait("@get-courses");
@@ -136,7 +136,7 @@ describe("whitelisted courses", () => {
 
     // view courses
     cy.contains(".primary-btn", /add course/i).click();
-    cy.wait("@get-userinfo");
+    cy.wait("@get-user");
     cy.contains(".page-title", /which course/i).should("be.visible");
 
     // should have two buttons at the top