book.settings

2025-01-26 14:48:49 +00:00 · 2023-05-11 11:08:19 +03:00 · 2023-05-11 11:08:19 +03:00 · 1d43f2ae36
commit 1d43f2ae36
parent 1e1c799d41
2 changed files with 35 additions and 5 deletions
--- a/app/views/book.py
+++ b/app/views/book.py
@ -278,13 +278,10 @@ def interpretation_view(


@bp.route("/<int:book_id>/settings", methods=["GET"])
+@register_book_verify_route(bp.name)
@login_required
 def settings(book_id: int):
    book: m.Book = db.session.get(m.Book, book_id)
-    if not book or book.is_deleted or book.owner != current_user:
-        log(log.INFO, "User: [%s] is not owner of book: [%s]", current_user, book)
-        flash("You are not owner of this book!", "danger")
-        return redirect(url_for("book.my_books"))

    return render_template(
        "book/settings.html", book=book, roles=m.BookContributor.Roles
--- a/tests/test_book.py
+++ b/tests/test_book.py
@ -3,7 +3,7 @@ from flask import current_app as Response
 from flask.testing import FlaskClient, FlaskCliRunner

 from app import models as m, db
-from tests.utils import login
+from tests.utils import login, logout


 def test_create_edit_book(client: FlaskClient):
@ -1003,3 +1003,36 @@ def test_crud_comment(client: FlaskClient, runner: FlaskCliRunner):
    assert response.status_code == 200
    assert b"Success" in response.data
    assert str.encode(comment_text) not in response.data
+
+
+def test_access_to_settings_page(client: FlaskClient):
+    _, user = login(client)
+
+    book_1 = m.Book(label="test", about="test").save()
+    book_2 = m.Book(label="test", about="test", user_id=user.id).save()
+
+    response: Response = client.get(
+        f"/book/{book_1.id}/settings",
+        follow_redirects=True,
+    )
+
+    assert response.status_code == 200
+    assert b"You are not owner of this book!" in response.data
+
+    response: Response = client.get(
+        f"/book/{book_2.id}/settings",
+        follow_redirects=True,
+    )
+
+    assert response.status_code == 200
+    assert b"You are not owner of this book!" not in response.data
+
+    logout(client)
+
+    response: Response = client.get(
+        f"/book/{book_2.id}/settings",
+        follow_redirects=True,
+    )
+
+    assert response.status_code == 200
+    assert b"You are not owner of this book!" in response.data