From 74f5c385170e69bd10b7f5922958949a5eb6918d Mon Sep 17 00:00:00 2001
From: Maximilian Moser
Date: Tue, 15 Nov 2022 15:54:38 +0100
Subject: [PATCH] tests: add tests for the read-only mode
---
 tests/conftest.py | 2 +-
 tests/resources/conftest.py | 26 ++++++++
 .../events/test_request_events_resources.py | 65 +++++++++++++++++++
 .../requests/test_requests_resources.py | 47 +++++++++++++-
 4 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100644 tests/resources/conftest.py
diff --git a/tests/conftest.py b/tests/conftest.py
index be6478af..dcad50d9 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -2,7 +2,7 @@
 #
 # Copyright (C) 2021-2024 CERN.
 # Copyright (C) 2021 Northwestern University.
-# Copyright (C) 2021 TU Wien.
+# Copyright (C) 2021-2024 TU Wien.
 # Copyright (C) 2023 Graz University of Technology.
 #
 # Invenio-Requests is free software; you can redistribute it and/or modify it
diff --git a/tests/resources/conftest.py b/tests/resources/conftest.py
new file mode 100644
index 00000000..58fb6867
--- /dev/null
+++ b/tests/resources/conftest.py
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2022 TU Wien.
+#
+# Invenio-Requests is free software; you can redistribute it and/or modify it
+# under the terms of the MIT License; see LICENSE file for more details.
+
+"""Pytest configuration.
+
+See https://pytest-invenio.readthedocs.io/ for documentation on which test fixtures
+are available.
+"""
+
+import pytest
+
+
+@pytest.fixture()
+def rw_app(app):
+ """Fixture that resets the read-only mode before and after tests.
+
+ This is done in order to prevent permission issues with other fixtures when the
+ app isn't freshly initialized for each test.
+ """
+ app.config["RECORDS_PERMISSIONS_READ_ONLY"] = False
+ yield app
+ app.config["RECORDS_PERMISSIONS_READ_ONLY"] = False
diff --git a/tests/resources/events/test_request_events_resources.py b/tests/resources/events/test_request_events_resources.py
index 11ea369b..8765f279 100644
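Review bot: The teardown half of `rw_app` in tests/resources/conftest.py forces `RECORDS_PERMISSIONS_READ_ONLY` to `False` rather than putting back the value the app had before the test, and the docstring does not say whether that is deliberate. If it is not, capturing the value first with `previous = app.config.get("RECORDS_PERMISSIONS_READ_ONLY", False)` and ending with `app.config["RECORDS_PERMISSIONS_READ_ONLY"] = previous` leaves a shared `app` exactly as it was found. If the forced `False` is intended as protection against a flag leaked by a test that bypassed this fixture, the docstring should state that, and also that tests are expected to switch the flag on themselves through `rw_app.config`.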
--- a/tests/resources/events/test_request_events_resources.py
+++ b/tests/resources/events/test_request_events_resources.py
@@ -2,6 +2,7 @@
 #
 # Copyright (C) 2021 CERN.
 # Copyright (C) 2021 Northwestern University.
+# Copyright (C) 2022-2024 TU Wien.
 #
 # Invenio-Requests is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
@@ -215,3 +216,67 @@ def test_empty_comment(
 )
 assert 400 == response.status_code
 assert expected_json == response.json
+
+
+#
+# Read-only mode
+#
+
+
+def test_comment_request_ro(
+ rw_app, client_logged_as, headers, events_resource_data, example_request
+):
+ rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+ request_id = example_request.id
+ client = client_logged_as("admin@example.org")
+
+ # Commenting on a request in read-only mode should fail
+ response = client.post(
+ f"/requests/{request_id}/comments", headers=headers, json=events_resource_data
+ )
+ assert response.status_code == 403
+
+
+def test_update_comment_request_ro(
+ rw_app, client_logged_as, headers, events_resource_data, example_request
+):
+ request_id = example_request.id
+ client = client_logged_as("admin@example.org")
+
+ response = client.post(
+ f"/requests/{request_id}/comments", headers=headers, json=events_resource_data
+ )
+ comment_id = response.json["id"]
+ assert response.status_code == 201
+
+ # Updating the comment in read-only mode should fail
+ rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+ data = copy.deepcopy(events_resource_data)
+ data["payload"]["content"] = "I've revised my comment."
+ response = client.put(
+ f"/requests/{request_id}/comments/{comment_id}",
+ headers=headers,
+ json=data,
+ )
+ assert response.status_code == 403
+
+
+def test_delete_comment_request_ro(
+ rw_app, client_logged_as, headers, events_resource_data, example_request
+):
+ request_id = example_request.id
+ client = client_logged_as("admin@example.org")
+
+ response = client.post(
+ f"/requests/{request_id}/comments", headers=headers, json=events_resource_data
+ )
+ comment_id = response.json["id"]
+ assert response.status_code == 201
+
+ # Updating the comment in read-only mode should fail
+ rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+ response = client.delete(
+ f"/requests/{request_id}/comments/{comment_id}",
+ headers=headers,
+ )
+ assert response.status_code == 403
diff --git a/tests/resources/requests/test_requests_resources.py b/tests/resources/requests/test_requests_resources.py
index 45be4ea1..86ce371c 100644
--- a/tests/resources/requests/test_requests_resources.py
+++ b/tests/resources/requests/test_requests_resources.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2021 TU Wien.
+# Copyright (C) 2021-2024 TU Wien.
 #
 # Invenio-Requests is free software; you can redistribute it and/or
 # modify it under the terms of the MIT License; see LICENSE file for more
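Review bot: `test_update_comment_request_ro` and `test_delete_comment_request_ro` in test_request_events_resources.py stop at the 403 and never confirm that the rejected write left the comment untouched, so a handler that changed or removed the record before answering 403 would still pass. After the assertion, setting `rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = False` and reading the comment back would let each test assert that the original content is still present; this assumes the comment item route also answers GET, which is not visible in this hunk. The comment in `test_delete_comment_request_ro` is carried over from the update test and should read `# Deleting the comment in read-only mode should fail`. The update test calls `copy.deepcopy` while the patch adds no import, so presumably the module already imports `copy`.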
@@ -198,3 +198,48 @@ def test_simple_request_flow(app, client_logged_as, headers, example_request):
 }
 )
 assert_api_response(response, 200, expected_data)
+
+
+#
+# Read-only mode
+#
+
+
+def test_update_request_ro(rw_app, client_logged_as, headers, example_request):
+ rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+ request_id = example_request.id
+ client = client_logged_as("admin@example.org")
+ response = client.put(
+ f"/requests/{request_id}", headers=headers, data=example_request
+ )
+ assert response.status_code == 403
+
+
+def test_delete_request_ro(rw_app, client_logged_as, headers, example_request):
+ rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+ request_id = example_request.id
+ client = client_logged_as("admin@example.org")
+ response = client.delete(f"/requests/{request_id}", headers=headers)
+ assert response.status_code == 403
+
+
+def test_submit_request_ro(rw_app, client_logged_as, headers, example_request):
+ rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+ request_id = example_request.id
+ client = client_logged_as("admin@example.org")
+ response = client.post(f"/requests/{request_id}/actions/submit", headers=headers)
+ assert response.status_code == 403
+
+
+def test_request_actions_ro(rw_app, client_logged_as, headers, example_request):
+ request_id = example_request.id
+ client = client_logged_as("admin@example.org")
+ response = client.post(f"/requests/{request_id}/actions/submit", headers=headers)
+ assert response.status_code == 200
+
+ for action in ["accept", "decline", "cancel"]:
+ rw_app.config["RECORDS_PERMISSIONS_READ_ONLY"] = True
+ response = client.post(
+ f"/requests/{request_id}/actions/{action}", headers=headers
+ )
+ assert response.status_code == 403
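Review bot: A 403 in these tests does not by itself show that read-only mode caused the denial, because an ordinary permission failure would presumably produce the same status. Only `submit` has a positive control (the 200 in `test_request_actions_ro`), while the `PUT`, the `DELETE` and the `accept`/`decline`/`cancel` actions are never shown in this hunk to succeed for `admin@example.org` with the flag off. Unless other tests in the module already cover that, each case should be paired with the same call made while `RECORDS_PERMISSIONS_READ_ONLY` is `False`, so a regression in the read-only check cannot hide behind an unrelated denial. In `test_update_request_ro` the body is sent as `data=example_request`, which looks like the fixture object rather than a payload; a valid `json=` body would make sure the 403 comes from the read-only check and not from whatever the view evaluates first. The flag is also re-assigned on every loop iteration in `test_request_actions_ro` and could be set once before the `for`.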