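from rest_framework.test import APITestCase

from apps.clients.models import Client
from apps.users.models import User
from apps.workspaces.models import Workspace, WorkspaceMembership


class ClientViewTests(APITestCase):
    """Role-based access tests for the ``/api/clients/`` endpoints.

    The fixture is one workspace with an owner, two admins, a member and a
    guest, plus a second workspace owned by an unrelated user. Each test
    authenticates as one of these users and checks both the HTTP status and,
    on the denied paths, that the database was left untouched.
    """

    @classmethod
    def setUpTestData(cls):
        """Create the users, both workspaces, the memberships and three clients."""
        # Every test authenticates through force_authenticate, so this
        # password is never submitted to an endpoint in this class.
        password = "secret123"
        mobiles = {
            "owner": "09120000011",
            "admin": "09120000012",
            "second_admin": "09120000013",
            "member": "09120000014",
            "guest": "09120000015",
            "outsider": "09120000016",
        }
        for attr, mobile in mobiles.items():
            setattr(cls, attr, User.objects.create_user(mobile=mobile, password=password))

        cls.workspace = Workspace.objects.create(name="Clients API", owner=cls.owner)
        memberships = (
            (cls.admin, WorkspaceMembership.Role.ADMIN),
            (cls.second_admin, WorkspaceMembership.Role.ADMIN),
            (cls.member, WorkspaceMembership.Role.MEMBER),
            (cls.guest, WorkspaceMembership.Role.GUEST),
        )
        for user, role in memberships:
            WorkspaceMembership.objects.create(
                workspace=cls.workspace,
                user=user,
                role=role,
                is_active=True,
            )

        # A workspace none of the users above belong to; its client must never
        # show up for them.
        cls.other_workspace = Workspace.objects.create(name="Other", owner=cls.outsider)

        cls.visible_client = Client.objects.create(workspace=cls.workspace, name="Visible")
        cls.hidden_client = Client.objects.create(workspace=cls.other_workspace, name="Hidden")
        cls.admin_owned_client = Client.objects.create(
            workspace=cls.workspace,
            name="Admin Owned",
            created_by=cls.admin,
            updated_by=cls.admin,
        )
        # NOTE(review): no test in this class authenticates as cls.guest or
        # cls.outsider, so guest and non-member access to these endpoints is
        # not covered here. Confirm it is covered elsewhere.

    @staticmethod
    def _result_items(response):
        """Return the list of items from a list response, whatever its envelope.

        Accepts a bare list or a dict carrying the items under ``results``,
        ``items`` or ``notifications``; falls back to an empty list.
        """
        payload = response.data
        if isinstance(payload, list):
            return payload
        return (
            payload.get("results")
            or payload.get("items")
            or payload.get("notifications")
            or []
        )

    def test_list_only_returns_clients_for_member_workspaces(self):
        """A member sees clients of their own workspace and none from another one."""
        self.client.force_authenticate(user=self.member)

        response = self.client.get("/api/clients/")

        self.assertEqual(response.status_code, 200)
        names = {item["name"] for item in self._result_items(response)}
        self.assertIn("Visible", names)
        self.assertNotIn("Hidden", names)

    def test_owner_can_create_client(self):
        """The workspace owner can create a client."""
        self.client.force_authenticate(user=self.owner)

        response = self.client.post(
            "/api/clients/",
            {
                "workspace_id": str(self.workspace.id),
                "name": "Created",
                "notes": "Important",
            },
            format="json",
        )

        self.assertEqual(response.status_code, 201)
        self.assertEqual(response.data["name"], "Created")

    def test_member_cannot_create_client(self):
        """A plain member is refused and no client row is written."""
        self.client.force_authenticate(user=self.member)

        response = self.client.post(
            "/api/clients/",
            {
                "workspace_id": str(self.workspace.id),
                "name": "Created",
            },
            format="json",
        )

        self.assertEqual(response.status_code, 403)
        # A 403 alone does not prove the write was blocked: check that the
        # request left no row behind, including soft-deleted ones.
        self.assertFalse(
            Client.all_objects.filter(workspace=self.workspace, name="Created").exists()
        )

    def test_admin_can_update_client(self):
        """A workspace admin can rename a client."""
        self.client.force_authenticate(user=self.admin)

        response = self.client.patch(
            f"/api/clients/{self.visible_client.id}/",
            {"name": "Renamed"},
            format="json",
        )

        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.data["name"], "Renamed")

    def test_admin_can_delete_only_client_they_created(self):
        """An admin may delete a client they created, but not another admin's."""
        url = f"/api/clients/{self.admin_owned_client.id}/"

        self.client.force_authenticate(user=self.second_admin)
        forbidden = self.client.delete(url)
        self.assertEqual(forbidden.status_code, 403)
        # The refused delete must not have flagged the row as deleted.
        self.assertFalse(Client.all_objects.get(id=self.admin_owned_client.id).is_deleted)

        self.client.force_authenticate(user=self.admin)
        allowed = self.client.delete(url)
        self.assertEqual(allowed.status_code, 204)
        # The row stays reachable through all_objects with is_deleted set.
        self.assertTrue(Client.all_objects.get(id=self.admin_owned_client.id).is_deleted)

    def test_owner_can_delete_any_client(self):
        """The workspace owner can delete a client created by someone else."""
        client = Client.objects.create(
            workspace=self.workspace,
            name="Owner Delete",
            created_by=self.admin,
            updated_by=self.admin,
        )
        self.client.force_authenticate(user=self.owner)

        response = self.client.delete(f"/api/clients/{client.id}/")

        self.assertEqual(response.status_code, 204)
        self.assertTrue(Client.all_objects.get(id=client.id).is_deleted)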