Only allow users to submit activities for related residents

GeriLife · brylie · Jan 5, 2024 · Jan 4, 2024 · Jan 4, 2024 · Jan 4, 2024
commit 2bae701d1d7508f80beca97f35ad5dc3f6ffb7dc
diff --git a/activities/views.py b/activities/views.py
@@ -59,6 +59,9 @@ def post(self, request, *args, **kwargs):
             # generate group activity ID based on current epoch time
             group_activity_id = uuid.uuid4()
 
+            if not request.user.can_manage_residents(resident_ids):
+                return self.handle_no_permission()
+
             for resident_id in resident_ids:
                 try:
                     resident = Resident.objects.get(id=resident_id)

diff --git a/metrics/tests.py b/metrics/tests.py
@@ -98,7 +98,7 @@ def test_resident_activity_form_view_create_multiple_resident_activity(self):
 
         activity_residents = [self.resident1.id, self.resident2.id]
         # Prepare data for POST request
-        self.data = {
+        data = {
             "residents": activity_residents,
             "activity_date": date.today(),
             "activity_type": ResidentActivity.ActivityTypeChoices.OUTDOOR,
@@ -112,7 +112,7 @@ def test_resident_activity_form_view_create_multiple_resident_activity(self):
         # Make POST request
         response = self.client.post(
             self.url,
-            self.data,
+            data,
         )
 
         # The response should indicate a successful form submission
@@ -151,7 +151,7 @@ def test_activity_rollback_on_residency_exception(self):
         resident_activity_count_pre = ResidentActivity.objects.all().count()
 
         # Prepare data for POST request with a resident that does not have a residency
-        self.data = {
+        data = {
             "residents": [non_resident.id],
             "activity_type": ResidentActivity.ActivityTypeChoices.OUTDOOR,
             "activity_date": date.today(),
@@ -165,7 +165,7 @@ def test_activity_rollback_on_residency_exception(self):
         # Make POST request
         response = self.client.post(
             self.url,
-            self.data,
+            data,
         )
 
         # The response should indicate a failure to process the form
@@ -191,6 +191,35 @@ def test_activity_rollback_on_residency_exception(self):
         # Ensure counts have not changed, indicating a rollback
         self.assertEqual(resident_activity_count_pre, resident_activity_count_post)
 
+    def test_general_user_get_403_on_post(self):
+        """Test that a general user gets a 403 response.
+
+        I.e., the user should not be associated with any residents and
+        so should not be authorized to submit the form.
+        """
+        # log in general user
+        self.client.force_login(self.general_user)
+
+        data = {
+            "residents": [self.resident1.id],
+            "activity_type": ResidentActivity.ActivityTypeChoices.OUTDOOR,
+            "activity_date": date.today(),
+            "activity_minutes": 30,
+            "caregiver_role": ResidentActivity.CaregiverRoleChoices.NURSE,
+        }
+
+        # Make POST request
+        response = self.client.post(
+            self.url,
+            data,
+        )
+
+        # The response should indicate a failure to process the form
+        self.assertEqual(
+            response.status_code,
+            HTTPStatus.FORBIDDEN,
+        )
+
 
 class ResidentDataPreparationTest(TestCase):
     def setUp(self):