From ddf1a1b6d3fc9eafff8e35c1d391de1621cd7b81 Mon Sep 17 00:00:00 2001
From: Gabriel Augendre
Date: Fri, 11 Nov 2022 08:59:18 +0100
Subject: [PATCH] Restrict access to character view
---
 src/character/models/character.py | 7 +++++
 src/character/tests/test_access.py | 45 ++++++++++++++++++++++++++++++
 src/character/views.py | 2 +-
 src/conftest.py | 6 ++++
 4 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 src/character/tests/test_access.py
diff --git a/src/character/models/character.py b/src/character/models/character.py
index f25bf56..e811e9d 100644
--- a/src/character/models/character.py
+++ b/src/character/models/character.py
@@ -86,6 +86,13 @@ class CharacterQuerySet(models.QuerySet):
 def owned_by(self, user):
 return self.filter(player=user)
+ def friendly_to(self, user):
+ from party.models import Party
+
+ return self.filter(
+ Q(player=user) | Q(parties__in=Party.objects.related_to(user))
+ )
+
 DEFAULT_NOTES = """
 #### Traits personnalisés
diff --git a/src/character/tests/test_access.py b/src/character/tests/test_access.py
new file mode 100644
index 0000000..181a6a3
--- /dev/null
+++ b/src/character/tests/test_access.py
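Review bot: `friendly_to` filters across the many-to-many `parties` relation without `.distinct()`, so a character that belongs to more than one party returned by `Party.objects.related_to(user)` can come back as several rows. `character_view` in src/character/views.py passes this queryset to `get_object_or_404`, whose `.get()` would then raise `MultipleObjectsReturned` and answer with a 500 instead of the page. Ending the expression with `.distinct()` avoids that. `related_to` is not part of this patch, so what counts as a related party should be confirmed there. A one-line docstring such as `"""Characters the user owns or shares a party with."""` would record the intended access rule.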
@@ -0,0 +1,45 @@
+import pytest
+from model_bakery import baker
+
+from character.models import Character
+from common.models import User
+from party.models import Party
+
+
+@pytest.mark.django_db
+def test_can_access_own_character(client):
+ # Create a user
+ player = User.objects.create_user("username", password="password")
+
+ character = baker.make(Character, player=player)
+ client.force_login(player)
+ res = client.get(character.get_absolute_url())
+ assert res.status_code == 200
+
+
+@pytest.mark.django_db
+def test_cant_access_random_character(client):
+ # Create a user
+ player = User.objects.create_user("user", password="password")
+ other = User.objects.create_user("other", password="password")
+
+ character = baker.make(Character, player=other)
+ client.force_login(player)
+ res = client.get(character.get_absolute_url())
+ assert res.status_code == 404
+
+
+@pytest.mark.django_db
+def test_can_access_character_in_party(client):
+ # Create a user
+ player = User.objects.create_user("user", password="password")
+ friend = User.objects.create_user("friend", password="password")
+
+ character = baker.make(Character, player=player)
+ friend_character = baker.make(Character, player=friend)
+ party = baker.make(Party)
+ party.characters.add(character)
+ party.characters.add(friend_character)
+ client.force_login(player)
+ res = client.get(character.get_absolute_url())
+ assert res.status_code == 200
diff --git a/src/character/views.py b/src/character/views.py
index da711b7..bca18bb 100644
--- a/src/character/views.py
+++ b/src/character/views.py
@@ -60,7 +60,7 @@ def character_change(request, pk: int):
 @login_required
 def character_view(request, pk: int):
 character = get_object_or_404(
- Character.objects.all()
+ Character.objects.friendly_to(request.user)
 .select_related("player", "racial_capability", "profile", "race")
 .prefetch_related("capabilities__path", "weapons"),
 pk=pk,
diff --git a/src/conftest.py b/src/conftest.py
index 3b2eb0b..7755c9c 100644
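Review bot: `test_can_access_character_in_party` requests `character.get_absolute_url()`, which is the logged-in player's own character, so it passes through the ownership branch and never exercises party-based access. The request should target the friend's character: `res = client.get(friend_character.get_absolute_url())`. Two further cases would pin the restriction down: a character in a party the user does not belong to (expect 404), and a character that shares two parties with the user. The repeated `# Create a user` comments could instead say which role each user plays in the scenario.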
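Review bot: The authorization check for `character_view` now lives entirely in the choice of queryset, and nothing at the call site says so. A comment above the lookup, e.g. `# Access control: friendly_to() limits the lookup to characters the user may see; anything else is a 404.`, would keep a later edit from reverting to `.all()`. The hunk header shows `character_change` just above; its body is outside this hunk, so it is worth confirming that it and any other view taking a `pk` scope their lookups in a comparable way. `character_view` itself continues past the end of the hunk.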
--- a/src/conftest.py
+++ b/src/conftest.py
@@ -11,3 +11,9 @@ def collectstatic():
 def firefox_options(firefox_options):
 firefox_options.add_argument("-headless")
 return firefox_options
+
+
+@pytest.fixture(autouse=True)
+def settings(settings):
+ settings.DEBUG_TOOLBAR = False
+ return settings
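Review bot: The new autouse fixture reuses the name `settings`, shadowing pytest-django's fixture of the same name for every test under src/, which hides that a project-wide override is in effect. A distinct name and a docstring would make the intent visible, e.g. `def disable_debug_toolbar(settings):` with `"""Turn the debug toolbar off for all tests."""`; the `return` is then unnecessary. If `DEBUG_TOOLBAR` is read at import time (for instance when the URL conf or middleware list is built), changing it here may have no effect; that code is not in this patch.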