From aa356de62a09f629459b5c2ae6e9a8f5bfa75770 Mon Sep 17 00:00:00 2001
From: Bjarke Madsen <bjarke@nordu.net>
Date: Thu, 7 Sep 2023 15:59:39 +0200
Subject: [PATCH] Test observer functionality in API

---
 test/conftest.py      | 13 +++++++++++++
 test/test_response.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/test/conftest.py b/test/conftest.py
index 638a3f21..0b14c3dd 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -57,6 +57,19 @@ def mocked_user(app, test_survey_data, mocker):
         yield user
 
 
+@pytest.fixture
+def mocked_observer_user(app, test_survey_data, mocker):
+    with app.app_context():
+        user = User(email='observer123@email.local', fullname='observerfullname',
+                    oidc_sub='fakesub', roles=ROLES.observer)
+
+        db.session.add(user)
+
+        def user_loader(*args):
+            return user
+        mocker.patch('flask_login.utils._get_user', user_loader)
+
+
 @pytest.fixture
 def test_budget_data(app):
     with app.app_context():
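Review bot: `mocked_observer_user` never yields or returns the user, so the `with app.app_context():` block has already exited by the time the test body runs, and the patched `_get_user` hands back an object that was only added to a session. The `mocked_user` fixture above ends in `yield user`; mirroring that with `yield user` as the last line inside the `with` block keeps the context alive for the test and lets tests inspect the user. The hunk shows `db.session.add(user)` but no commit, so if the role check ever re-reads the user from the database the observer row may not be there; please confirm against `mocked_user` and add `db.session.commit()` if that fixture does the same. A one-line docstring such as `"""Log in a user whose only role is ROLES.observer for the duration of the test."""` would make clear what the authorization tests rely on.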
diff --git a/test/test_response.py b/test/test_response.py
index a6db8da6..572d0741 100644
--- a/test/test_response.py
+++ b/test/test_response.py
@@ -158,3 +158,33 @@ def test_response_route_lock_prevents_other_edits(app, mocker, client, test_surv
     assert rv.status_code == 403
     result = json.loads(rv.data.decode('utf-8'))
     assert result.get('message') == 'This survey is already locked.'
+
+
+def test_response_routes_observer(app, client, test_survey_data, mocked_observer_user):
+    # observers should not be able to modify surveys, but should be able to view all of them
+
+    rv = client.get(
+        '/api/survey/list',
+        headers={'Accept': ['application/json']})
+    assert rv.status_code == 200
+
+    surveys = json.loads(rv.data.decode('utf-8'))
+    assert surveys
+
+    # load the first survey and check that the observer can view it
+    rv = client.get(
+        f'/api/response/load/{surveys[0]["year"]}/nren1',
+        headers={'Accept': ['application/json']})
+    assert rv.status_code == 200
+
+    # try to lock the first survey and check that the observer can't
+    rv = client.post(
+        f'/api/response/lock/{surveys[0]["year"]}/nren1',
+        headers={'Accept': ['application/json']})
+    assert rv.status_code == 403
+
+    # try to save the first survey and check that the observer can't
+    rv = client.post(
+        f'/api/response/save/{surveys[0]["year"]}/nren1',
+        headers={'Accept': ['application/json']})
+    assert rv.status_code == 403
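Review bot: The two denial checks at the end of `test_response_routes_observer` assert only `rv.status_code == 403`, but the preceding test shows this API also returns 403 for 'This survey is already locked.', so the test would still pass if the observer were refused for a reason other than the role. Pin the cause the way that test does, e.g. `assert json.loads(rv.data.decode('utf-8')).get('message') == OBSERVER_DENIED_MESSAGE` (placeholder; use the string the role check actually returns). The save POST also carries no body, so it does not show that a well-formed payload from an observer is rejected; sending a valid payload and then re-loading the response to confirm nothing changed and no lock was taken would test the read-only guarantee directly. The opening comment says observers can view all surveys, yet only `surveys[0]` for `nren1` is loaded, so either loop over the list or narrow the comment.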
-- 
GitLab