Allow admins to overwrite FCFS decision for POST requests.

Even if FCFS in enabled, admins should be allowed to force a signup to be accepted. This worked as intended for PATCH requests already, and now also works for POST. Fixes #381
amiv-eth · Dec 1, 2019 · 35d3f16 · 35d3f16
1 parent 1476ecb
commit 35d3f16
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 3 deletions.
diff --git a/amivapi/events/queue.py b/amivapi/events/queue.py
@@ -4,7 +4,7 @@
 #          you to buy us beer if we meet and you like the software.
 """Logic to implement different signup queues."""
 
-from flask import current_app
+from flask import current_app, g
 from pymongo import ASCENDING
 
 from amivapi.events.emails import notify_signup_accepted
@@ -65,7 +65,9 @@ def update_waiting_list(event_id):
 def add_accepted_before_insert(signups):
     """Add the accepted field before inserting signups."""
     for signup in signups:
-        signup['accepted'] = False
+        # Admins may provide a value for `accepted`.
+        # If not provided or not admin set it to false`.
+        signup['accepted'] = g.resource_admin and signup.get('accepted', False)
 
 
 def update_waiting_list_after_insert(signups):

diff --git a/amivapi/tests/events/test_queue.py b/amivapi/tests/events/test_queue.py
@@ -4,7 +4,41 @@
 #          you to buy us beer if we meet and you like the software.
 """Test that people are correctly added and removed from the waiting list"""
 
-from amivapi.tests.utils import WebTestNoAuth
+from amivapi.tests.utils import WebTestNoAuth, WebTest
+
+
+class EventsignupQueuePermissionTest(WebTest):
+    def test_fcfs_users_cannot_provide_accepted(self):
+        """Test that with fcfs admins can provide accepted
+        field while normal users cannot"""
+        event = self.new_object('events', spots=1,
+                                selection_strategy='fcfs')
+
+        user1 = self.new_object('users')
+        user2 = self.new_object('users')
+
+        user1_signup = self.api.post('/eventsignups', data={
+            'user': str(user1['_id']),
+            'event': str(event['_id'])
+        }, token=self.get_user_token(user1['_id']), status_code=201).json
+
+        self.assertTrue(user1_signup['accepted'])
+
+        # Check that a normal user cannot provide the accepted field
+        self.api.post('/eventsignups', data={
+            'user': str(user2['_id']),
+            'event': str(event['_id']),
+            'accepted': True
+        }, token=self.get_user_token(user2['_id']), status_code=422)
+
+        # Check that admins can always provide the accepted field
+        user2_signup = self.api.post('/eventsignups', data={
+            'user': str(user2['_id']),
+            'event': str(event['_id']),
+            'accepted': True
+        }, token=self.get_root_token(), status_code=201).json
+
+        self.assertTrue(user2_signup['accepted'])
 
 
 class EventsignupQueueTest(WebTestNoAuth):
@@ -55,6 +89,15 @@ def test_fcfs_users_get_auto_accepted(self):
                                     status_code=200).json
         self.assertTrue(user2_signup['accepted'])
 
+        # post accepted signup as admin
+        user1_signup = self.api.post('/eventsignups', data={
+            'user': str(user1['_id']),
+            'event': str(event['_id']),
+            'accepted': True
+        }, status_code=201).json
+
+        self.assertTrue(user1_signup['accepted'])
+
     def test_fcfs_users_get_auto_accepted_unlimited_spots(self):
         """Test that with fcfs the users get automatically accepted on signup
         for events with unlimited spaces"""