feat: Additional Household Permissions (#4158)

Co-authored-by: Kuchenpirat <24235032+Kuchenpirat@users.noreply.github.com>
2025-07-25 08:09:41 +02:00 · 2024-09-17 10:48:14 -05:00 · 2024-09-17 10:48:14 -05:00 · fd0257c1b8
commit fd0257c1b8
parent b1820f9b23
37 changed files with 690 additions and 185 deletions
--- a/tests/integration_tests/admin_tests/test_admin_household_actions.py
+++ b/tests/integration_tests/admin_tests/test_admin_household_actions.py
@ -42,6 +42,7 @@ def test_admin_update_household(api_client: TestClient, admin_user: TestUser, un
        "name": "New Name",
        "preferences": {
            "privateHousehold": random_bool(),
+            "lockRecipeEditsFromOtherHouseholds": random_bool(),
            "firstDayOfWeek": 2,
            "recipePublic": random_bool(),
            "recipeShowNutrition": random_bool(),
--- a/tests/integration_tests/user_group_tests/test_group_self_service.py
+++ b/tests/integration_tests/user_group_tests/test_group_self_service.py
@ -33,16 +33,19 @@ def test_get_group_members_filtered(api_client: TestClient, unique_user: TestUse
    assert str(h2_user.user_id) in all_ids


-def test_get_households(api_client: TestClient, admin_user: TestUser):
-    households = [admin_user.repos.households.create({"name": random_string()}) for _ in range(5)]
-    response = api_client.get(api_routes.groups_households, headers=admin_user.token)
+def test_get_households(unfiltered_database: AllRepositories, api_client: TestClient, unique_user: TestUser):
+    households = [
+        unfiltered_database.households.create({"name": random_string(), "group_id": unique_user.group_id})
+        for _ in range(5)
+    ]
+    response = api_client.get(api_routes.groups_households, headers=unique_user.token)
    response_ids = [item["id"] for item in response.json()]
    for household in households:
        assert str(household.id) in response_ids


-def test_get_households_filtered(unfiltered_database: AllRepositories, api_client: TestClient, admin_user: TestUser):
-    group_1_id = admin_user.group_id
+def test_get_households_filtered(unfiltered_database: AllRepositories, api_client: TestClient, unique_user: TestUser):
+    group_1_id = unique_user.group_id
    group_2_id = str(unfiltered_database.groups.create({"name": random_string()}).id)

    group_1_households = [
@ -54,9 +57,24 @@ def test_get_households_filtered(unfiltered_database: AllRepositories, api_clien
        for _ in range(random_int(2, 5))
    ]

-    response = api_client.get(api_routes.groups_households, headers=admin_user.token)
+    response = api_client.get(api_routes.groups_households, headers=unique_user.token)
    response_ids = [item["id"] for item in response.json()]
    for household in group_1_households:
        assert str(household.id) in response_ids
    for household in group_2_households:
        assert str(household.id) not in response_ids
+
+
+def test_get_household(unfiltered_database: AllRepositories, api_client: TestClient, unique_user: TestUser):
+    group_1_id = unique_user.group_id
+    group_2_id = str(unfiltered_database.groups.create({"name": random_string()}).id)
+
+    group_1_household = unfiltered_database.households.create({"name": random_string(), "group_id": group_1_id})
+    group_2_household = unfiltered_database.households.create({"name": random_string(), "group_id": group_2_id})
+
+    response = api_client.get(api_routes.groups_households_slug(group_1_household.slug), headers=unique_user.token)
+    assert response.status_code == 200
+    assert response.json()["id"] == str(group_1_household.id)
+
+    response = api_client.get(api_routes.groups_households_slug(group_2_household.slug), headers=unique_user.token)
+    assert response.status_code == 404
--- a/tests/integration_tests/user_household_tests/test_household_perferences.py
+++ b/tests/integration_tests/user_household_tests/test_household_perferences.py
@ -31,17 +31,33 @@ def test_preferences_in_household(api_client: TestClient, unique_user: TestUser)
    assert household["preferences"]["recipeShowNutrition"] in {True, False}


-def test_update_preferences(api_client: TestClient, unique_user: TestUser) -> None:
+def test_update_preferences_no_permission(api_client: TestClient, user_tuple: list[TestUser]) -> None:
+    unique_user, other_user = user_tuple
+
+    user = other_user.repos.users.get_one(unique_user.user_id)
+    assert user
+    user.can_manage_household = False
+    other_user.repos.users.update(user.id, user)
+
    new_data = UpdateHouseholdPreferences(recipe_public=random_bool(), recipe_show_nutrition=random_bool())
-
    response = api_client.put(api_routes.households_preferences, json=new_data.model_dump(), headers=unique_user.token)
+    assert response.status_code == 403

+
+def test_update_preferences(api_client: TestClient, user_tuple: list[TestUser]) -> None:
+    unique_user, other_user = user_tuple
+
+    user = other_user.repos.users.get_one(unique_user.user_id)
+    assert user
+    user.can_manage_household = True
+    other_user.repos.users.update(user.id, user)
+
+    new_data = UpdateHouseholdPreferences(recipe_public=random_bool(), recipe_show_nutrition=random_bool())
+    response = api_client.put(api_routes.households_preferences, json=new_data.model_dump(), headers=unique_user.token)
    assert response.status_code == 200

    preferences = response.json()
-
    assert preferences is not None
    assert preferences["recipePublic"] == new_data.recipe_public
    assert preferences["recipeShowNutrition"] == new_data.recipe_show_nutrition
-
    assert_ignore_keys(new_data.model_dump(by_alias=True), preferences, ["id", "householdId"])
--- a/tests/integration_tests/user_household_tests/test_household_permissions.py
+++ b/tests/integration_tests/user_household_tests/test_household_permissions.py
@ -7,10 +7,11 @@ from tests.utils.factories import random_bool
 from tests.utils.fixture_schemas import TestUser


-def get_permissions_payload(user_id: str, can_manage=None) -> dict:
+def get_permissions_payload(user_id: str, can_manage=None, can_manage_household=None) -> dict:
    return {
        "user_id": user_id,
        "can_manage": random_bool() if can_manage is None else can_manage,
+        "can_manage_household": random_bool(),
        "can_invite": random_bool(),
        "can_organize": random_bool(),
    }
--- a/tests/integration_tests/user_recipe_tests/test_recipe_cross_household.py
+++ b/tests/integration_tests/user_recipe_tests/test_recipe_cross_household.py
@ -86,13 +86,20 @@ def test_get_one_recipe_from_another_household(


@pytest.mark.parametrize("is_private_household", [True, False])
+@pytest.mark.parametrize("household_lock_recipe_edits", [True, False])
@pytest.mark.parametrize("use_patch", [True, False])
-def test_prevent_updates_to_recipes_from_other_households(
-    api_client: TestClient, unique_user: TestUser, h2_user: TestUser, is_private_household: bool, use_patch: bool
+def test_update_recipes_in_other_households(
+    api_client: TestClient,
+    unique_user: TestUser,
+    h2_user: TestUser,
+    is_private_household: bool,
+    household_lock_recipe_edits: bool,
+    use_patch: bool,
 ):
    household = unique_user.repos.households.get_one(h2_user.household_id)
    assert household and household.preferences
    household.preferences.private_household = is_private_household
+    household.preferences.lock_recipe_edits_from_other_households = household_lock_recipe_edits
    unique_user.repos.household_preferences.update(household.id, household.preferences)

    original_name = random_string()
@ -110,23 +117,39 @@ def test_prevent_updates_to_recipes_from_other_households(
    updated_name = random_string()
    recipe["name"] = updated_name
    client_func = api_client.patch if use_patch else api_client.put
-    response = client_func(api_routes.recipes_slug(recipe["slug"]), json=recipe, headers=unique_user.token)
-    assert response.status_code == 403
+    response = client_func(api_routes.recipes_slug(recipe["id"]), json=recipe, headers=unique_user.token)

-    # confirm the recipe is unchanged
-    response = api_client.get(api_routes.recipes_slug(recipe["slug"]), headers=unique_user.token)
-    assert response.status_code == 200
-    updated_recipe = response.json()
-    assert updated_recipe["name"] == original_name != updated_name
+    if household_lock_recipe_edits:
+        assert response.status_code == 403
+
+        # confirm the recipe is unchanged
+        response = api_client.get(api_routes.recipes_slug(recipe["id"]), headers=unique_user.token)
+        assert response.status_code == 200
+        updated_recipe = response.json()
+        assert updated_recipe["name"] == original_name != updated_name
+    else:
+        assert response.status_code == 200
+
+        # confirm the recipe was updated
+        response = api_client.get(api_routes.recipes_slug(recipe["id"]), headers=unique_user.token)
+        assert response.status_code == 200
+        updated_recipe = response.json()
+        assert updated_recipe["name"] == updated_name != original_name


@pytest.mark.parametrize("is_private_household", [True, False])
-def test_prevent_deletes_to_recipes_from_other_households(
-    api_client: TestClient, unique_user: TestUser, h2_user: TestUser, is_private_household: bool
+@pytest.mark.parametrize("household_lock_recipe_edits", [True, False])
+def test_delete_recipes_from_other_households(
+    api_client: TestClient,
+    unique_user: TestUser,
+    h2_user: TestUser,
+    is_private_household: bool,
+    household_lock_recipe_edits: bool,
 ):
    household = unique_user.repos.households.get_one(h2_user.household_id)
    assert household and household.preferences
    household.preferences.private_household = is_private_household
+    household.preferences.lock_recipe_edits_from_other_households = household_lock_recipe_edits
    unique_user.repos.household_preferences.update(household.id, household.preferences)

    response = api_client.post(api_routes.recipes, json={"name": random_string()}, headers=h2_user.token)
@ -141,21 +164,34 @@ def test_prevent_deletes_to_recipes_from_other_households(
    assert recipe_json["id"] == h2_recipe_id

    response = api_client.delete(api_routes.recipes_slug(recipe_json["slug"]), headers=unique_user.token)
-    assert response.status_code == 403
+    if household_lock_recipe_edits:
+        assert response.status_code == 403

-    # confirm the recipe still exists
-    response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
-    assert response.status_code == 200
-    assert response.json()["id"] == h2_recipe_id
+        # confirm the recipe still exists
+        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
+        assert response.status_code == 200
+        assert response.json()["id"] == h2_recipe_id
+    else:
+        assert response.status_code == 200
+
+        # confirm the recipe was deleted
+        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
+        assert response.status_code == 404


@pytest.mark.parametrize("is_private_household", [True, False])
+@pytest.mark.parametrize("household_lock_recipe_edits", [True, False])
 def test_user_can_update_last_made_on_other_household(
-    api_client: TestClient, unique_user: TestUser, h2_user: TestUser, is_private_household: bool
+    api_client: TestClient,
+    unique_user: TestUser,
+    h2_user: TestUser,
+    is_private_household: bool,
+    household_lock_recipe_edits: bool,
 ):
    household = unique_user.repos.households.get_one(h2_user.household_id)
    assert household and household.preferences
    household.preferences.private_household = is_private_household
+    household.preferences.lock_recipe_edits_from_other_households = household_lock_recipe_edits
    unique_user.repos.household_preferences.update(household.id, household.preferences)

    response = api_client.post(api_routes.recipes, json={"name": random_string()}, headers=h2_user.token)