@@ -97,6 +97,23 @@ def test_api_documents_ask_for_access_create_authenticated():
9797 assert document .title .lower () in email_subject .lower ()
9898
9999
100+ def test_api_documents_ask_for_access_create_authenticated_non_root_document ():
101+ """
102+ Authenticated users should not be able to create a document ask for access on a non-root
103+ document.
104+ """
105+ parent = DocumentFactory ()
106+ child = DocumentFactory (parent = parent )
107+
108+ user = UserFactory ()
109+
110+ client = APIClient ()
111+ client .force_login (user )
112+
113+ response = client .post (f"/api/v1.0/documents/{ child .id } )
114+ assert response .status_code == 404
115+
116+
100117def test_api_documents_ask_for_access_create_authenticated_specific_role ():
101118 """
102119 Authenticated users should be able to create a document ask for access with a specific role.
@@ -196,6 +213,20 @@ def test_api_documents_ask_for_access_list_authenticated():
196213 }
197214
198215
216+ def test_api_documents_ask_for_access_list_authenticated_non_root_document ():
217+ """
218+ Authenticated users should not be able to list document ask for access on a non-root document.
219+ """
220+ parent = DocumentFactory ()
221+ child = DocumentFactory (parent = parent )
222+
223+ client = APIClient ()
224+ client .force_login (UserFactory ())
225+
226+ response = client .get (f"/api/v1.0/documents/{ child .id } )
227+ assert response .status_code == 404
228+
229+
199230def test_api_documents_ask_for_access_list_authenticated_own_request ():
200231 """Authenticated users should be able to list their own document ask for access."""
201232 document = DocumentFactory ()
@@ -289,7 +320,7 @@ def test_api_documents_ask_for_access_list_non_owner_or_admin(role):
289320 }
290321
291322
292- @pytest .mark .parametrize ("role" , [RoleChoices .OWNER ])
323+ @pytest .mark .parametrize ("role" , [RoleChoices .OWNER , RoleChoices . ADMIN ])
293324def test_api_documents_ask_for_access_list_owner_or_admin (role ):
294325 """Owner or admin users should be able to list document ask for access."""
295326 user = UserFactory ()
@@ -329,6 +360,23 @@ def test_api_documents_ask_for_access_list_owner_or_admin(role):
329360 }
330361
331362
363+ @pytest .mark .parametrize ("role" , [RoleChoices .OWNER , RoleChoices .ADMIN ])
364+ def test_api_documents_ask_for_access_list_admin_non_root_document (role ):
365+ """
366+ Authenticated users should not be able to list document ask for access on a non-root document.
367+ """
368+ user = UserFactory ()
369+ parent = DocumentFactory (users = [(user , role )])
370+ child = DocumentFactory (parent = parent , users = [(user , role )])
371+ DocumentAskForAccessFactory .create_batch (3 , document = child , role = RoleChoices .READER )
372+
373+ client = APIClient ()
374+ client .force_login (user )
375+
376+ response = client .get (f"/api/v1.0/documents/{ child .id } )
377+ assert response .status_code == 404
378+
379+
332380## Retrieve
333381
334382
@@ -415,6 +463,28 @@ def test_api_documents_ask_for_access_retrieve_owner_or_admin(role):
415463 }
416464
417465
466+ @pytest .mark .parametrize ("role" , [RoleChoices .OWNER , RoleChoices .ADMIN ])
467+ def test_api_documents_ask_for_access_retrieve_authenticated_non_root_document (role ):
468+ """
469+ Authenticated users should not be able to retrieve document ask for access on a non-root
470+ document.
471+ """
472+ user = UserFactory ()
473+ parent = DocumentFactory (users = [(user , role )])
474+ child = DocumentFactory (parent = parent , users = [(user , role )])
475+ document_ask_for_access = DocumentAskForAccessFactory (
476+ document = child , role = RoleChoices .READER
477+ )
478+
479+ client = APIClient ()
480+ client .force_login (user )
481+
482+ response = client .get (
483+ f"/api/v1.0/documents/{ child .id } { document_ask_for_access .id }
484+ )
485+ assert response .status_code == 404
486+
487+
418488## Delete
419489
420490
@@ -487,6 +557,28 @@ def test_api_documents_ask_for_access_delete_owner_or_admin(role):
487557 ).exists ()
488558
489559
560+ @pytest .mark .parametrize ("role" , [RoleChoices .OWNER , RoleChoices .ADMIN ])
561+ def test_api_documents_ask_for_access_delete_authenticated_non_root_document (role ):
562+ """
563+ Authenticated users should not be able to delete document ask for access on a non-root
564+ document.
565+ """
566+ user = UserFactory ()
567+ parent = DocumentFactory (users = [(user , role )])
568+ child = DocumentFactory (parent = parent , users = [(user , role )])
569+ document_ask_for_access = DocumentAskForAccessFactory (
570+ document = child , role = RoleChoices .READER
571+ )
572+
573+ client = APIClient ()
574+ client .force_login (user )
575+
576+ response = client .delete (
577+ f"/api/v1.0/documents/{ child .id } { document_ask_for_access .id }
578+ )
579+ assert response .status_code == 404
580+
581+
490582## Accept
491583
492584
@@ -654,3 +746,25 @@ def test_api_documents_ask_for_access_accept_authenticated_owner_or_admin_update
654746 ).exists ()
655747 document_access .refresh_from_db ()
656748 assert document_access .role == RoleChoices .ADMIN
749+
750+
751+ @pytest .mark .parametrize ("role" , [RoleChoices .OWNER , RoleChoices .ADMIN ])
752+ def test_api_documents_ask_for_access_accept_authenticated_non_root_document (role ):
753+ """
754+ Authenticated users should not be able to accept document ask for access on a non-root
755+ document.
756+ """
757+ user = UserFactory ()
758+ parent = DocumentFactory (users = [(user , role )])
759+ child = DocumentFactory (parent = parent , users = [(user , role )])
760+ document_ask_for_access = DocumentAskForAccessFactory (
761+ document = child , role = RoleChoices .READER
762+ )
763+
764+ client = APIClient ()
765+ client .force_login (user )
766+
767+ response = client .post (
768+ f"/api/v1.0/documents/{ child .id } { document_ask_for_access .id }
769+ )
770+ assert response .status_code == 404
0 commit comments