allow amap admin to remove orders when delivery is locked (#151)

### Description - Allow amap admin to remove orders from a locked delivery. ### Checklist - [x] Created tests which fail without the change (if possible) - [x] All tests passing - [ ] Extended the documentation, if necessary
aeecleclair · Mar 6, 2023 · dc16acc · dc16acc
1 parent 00cb67a
commit dc16acc
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 7 deletions.
diff --git a/app/endpoints/amap.py b/app/endpoints/amap.py
@@ -629,6 +629,7 @@ async def remove_order(
 
     **A member of the group AMAP can delete orders of other users**
     """
+    is_user_admin = is_user_member_of_an_allowed_group(user, [GroupType.amap])
     order = await cruds_amap.get_order_by_id(db=db, order_id=order_id)
     if not order:
         raise HTTPException(status_code=404, detail="No order found")
@@ -637,16 +638,15 @@ async def remove_order(
     if not delivery:
         raise HTTPException(status_code=404, detail="Delivery not found")
 
-    if delivery.status != DeliveryStatusType.orderable:
+    if delivery.status != DeliveryStatusType.orderable and not (
+        is_user_admin and delivery.status == DeliveryStatusType.locked
+    ):
         raise HTTPException(
             status_code=403,
             detail=f"You can't remove an order if the delivery is not in orderable mode. The current mode is {delivery.status}",
         )
 
-    if not (
-        user.id == order.user_id
-        or is_user_member_of_an_allowed_group(user, [GroupType.amap])
-    ):
+    if not (user.id == order.user_id or is_user_admin):
         raise HTTPException(
             status_code=403,
             detail="You are not allowed to delete this order",

diff --git a/tests/test_amap.py b/tests/test_amap.py
@@ -19,14 +19,16 @@
 deletable_product: models_amap.Product | None = None
 delivery: models_amap.Delivery | None = None
 deletable_delivery: models_amap.Delivery | None = None
+locked_delivery: models_amap.Delivery | None = None
 order: models_amap.Order | None = None
+deletable_order_by_admin: models_amap.Order | None = None
 
 settings = app.dependency_overrides.get(get_settings, get_settings)()
 
 
 @app.on_event("startup")  # create the data needed in the tests
 async def startuptest():
-    global amap_user, student_user, product, deletable_product, delivery, deletable_delivery, order, cash
+    global amap_user, student_user, product, deletable_product, delivery, deletable_delivery, locked_delivery, order, deletable_order_by_admin, cash
 
     async with TestingSessionLocal() as db:
         amap_user = await create_user_with_groups([GroupType.amap], db=db)
@@ -55,6 +57,13 @@ async def startuptest():
         )
         db.add(deletable_delivery)
 
+        locked_delivery = models_amap.Delivery(
+            id=str(uuid.uuid4()),
+            delivery_date=datetime(2022, 8, 17),
+            status=DeliveryStatusType.locked,
+        )
+        db.add(locked_delivery)
+
         order = models_amap.Order(
             order_id=str(uuid.uuid4()),
             user_id=student_user.id,
@@ -67,6 +76,18 @@ async def startuptest():
         db.add(order)
         await db.commit()
 
+        deletable_order_by_admin = models_amap.Order(
+            order_id=str(uuid.uuid4()),
+            user_id=student_user.id,
+            delivery_id=locked_delivery.id,
+            amount=0.0,
+            collection_slot=AmapSlotType.midi,
+            ordering_date=datetime(2022, 8, 18, 12, 16, 26),
+            delivery_date=locked_delivery.delivery_date,
+        )
+        db.add(deletable_order_by_admin)
+        await db.commit()
+
         cash = models_amap.Cash(user_id=student_user.id, balance=666)
         db.add(cash)
         await db.commit()
@@ -142,7 +163,7 @@ def test_create_delivery():
     response = client.post(
         "/amap/deliveries",
         json={
-            "delivery_date": "2022-08-17",
+            "delivery_date": "2022-08-18",
             "products_ids": [product.id],
             "locked": False,
         },
@@ -304,6 +325,31 @@ def test_remove_order():
     assert response.status_code == 204
 
 
+def test_remove_order_by_admin():
+    # Enable Redis client for locker
+    app.dependency_overrides.get(get_redis_client, get_redis_client)(
+        settings, activate=True
+    )
+
+    token = create_api_access_token(student_user)
+    token_amap = create_api_access_token(amap_user)
+
+    response = client.delete(
+        f"/amap/orders/{deletable_order_by_admin.order_id}",
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    assert response.status_code == 403
+
+    response = client.delete(
+        f"/amap/orders/{deletable_order_by_admin.order_id}",
+        headers={"Authorization": f"Bearer {token_amap}"},
+    )
+    assert response.status_code == 204
+
+    # Disable Redis client (to avoid rate-limit)
+    app.dependency_overrides.get(get_redis_client, get_redis_client)(deactivate=True)
+
+
 def test_get_users_cash():
     token = create_api_access_token(amap_user)