From 2d5ead7c1bf31a78cc4b22b8879384d99c02f6ee Mon Sep 17 00:00:00 2001
From: Cayo Puigdefabregas <cayo@ribaguifi.com>
Date: Mon, 22 Nov 2021 12:01:12 +0100
Subject: [PATCH] checking permitions of actions

---
 ereuse_devicehub/resources/action/schemas.py  | 38 +++++++++++--------
 .../2-device-with-components.snapshot.yaml    | 29 ++++++++++++++
 tests/test_action.py                          | 13 +++++++
 3 files changed, 65 insertions(+), 15 deletions(-)
 create mode 100644 tests/files/2-device-with-components.snapshot.yaml

diff --git a/ereuse_devicehub/resources/action/schemas.py b/ereuse_devicehub/resources/action/schemas.py
index 33b8e7df..eb69f936 100644
--- a/ereuse_devicehub/resources/action/schemas.py
+++ b/ereuse_devicehub/resources/action/schemas.py
@@ -79,6 +79,15 @@ class ActionWithMultipleDevices(Action):
                        collection_class=OrderedSet)
 
 
+class ActionWithMultipleDevicesCheckingOwner(ActionWithMultipleDevices):
+
+    @post_load
+    def check_owner_of_device(self, data):
+        for dev in data['devices']:
+            if dev.owner != g.user:
+                raise ValidationError("Some Devices not exist")
+
+
 class Add(ActionWithOneDevice):
     __doc__ = m.Add.__doc__
 
@@ -87,7 +96,7 @@ class Remove(ActionWithOneDevice):
     __doc__ = m.Remove.__doc__
 
 
-class Allocate(ActionWithMultipleDevices):
+class Allocate(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.Allocate.__doc__
     start_time = DateTime(data_key='startTime', required=True,
                           description=m.Action.start_time.comment)
@@ -121,7 +130,7 @@ class Allocate(ActionWithMultipleDevices):
             device.allocated = True
 
 
-class Deallocate(ActionWithMultipleDevices):
+class Deallocate(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.Deallocate.__doc__
     start_time = DateTime(data_key='startTime', required=True,
                           description=m.Action.start_time.comment)
@@ -412,15 +421,15 @@ class Snapshot(ActionWithOneDevice):
                                       field_names=['elapsed'])
 
 
-class ToRepair(ActionWithMultipleDevices):
+class ToRepair(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.ToRepair.__doc__
 
 
-class Repair(ActionWithMultipleDevices):
+class Repair(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.Repair.__doc__
 
 
-class Ready(ActionWithMultipleDevices):
+class Ready(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.Ready.__doc__
 
 
@@ -472,15 +481,15 @@ class Management(ActionStatus):
     __doc__ = m.Management.__doc__
 
 
-class ToPrepare(ActionWithMultipleDevices):
+class ToPrepare(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.ToPrepare.__doc__
 
 
-class Prepare(ActionWithMultipleDevices):
+class Prepare(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.Prepare.__doc__
 
 
-class DataWipe(ActionWithMultipleDevices):
+class DataWipe(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.DataWipe.__doc__
     document = NestedOn(s_generic_document.DataWipeDocument, only_query='id')
 
@@ -530,7 +539,7 @@ class Confirm(ActionWithMultipleDevices):
     def validate_revoke(self, data: dict):
         for dev in data['devices']:
             # if device not exist in the Trade, then this query is wrong
-            if not dev in data['action'].devices:
+            if dev not in data['action'].devices:
                 txt = "Device {} not exist in the trade".format(dev.devicehub_id)
                 raise ValidationError(txt)
 
@@ -543,13 +552,13 @@ class Revoke(ActionWithMultipleDevices):
     def validate_revoke(self, data: dict):
         for dev in data['devices']:
             # if device not exist in the Trade, then this query is wrong
-            if not dev in data['action'].devices:
+            if dev not in data['action'].devices:
                 txt = "Device {} not exist in the trade".format(dev.devicehub_id)
                 raise ValidationError(txt)
 
         for doc in data.get('documents', []):
             # if document not exist in the Trade, then this query is wrong
-            if not doc in data['action'].documents:
+            if doc not in data['action'].documents:
                 txt = "Document {} not exist in the trade".format(doc.file_name)
                 raise ValidationError(txt)
 
@@ -610,7 +619,7 @@ class ConfirmDocument(ActionWithMultipleDocuments):
             if not doc.actions:
                 continue
 
-            if not doc.trading == 'Need Confirmation': 
+            if not doc.trading == 'Need Confirmation':
                 txt = 'No there are documents to confirm'
                 raise ValidationError(txt)
 
@@ -637,7 +646,7 @@ class RevokeDocument(ActionWithMultipleDocuments):
             if not doc.actions:
                 continue
 
-            if not doc.trading in ['Document Confirmed', 'Confirm']:
+            if doc.trading not in ['Document Confirmed', 'Confirm']:
                 txt = 'No there are documents to revoke'
                 raise ValidationError(txt)
 
@@ -662,7 +671,6 @@ class ConfirmRevokeDocument(ActionWithMultipleDocuments):
             if not doc.actions:
                 continue
 
-
             if not doc.trading == 'Revoke':
                 txt = 'No there are documents with revoke for confirm'
                 raise ValidationError(txt)
@@ -827,7 +835,7 @@ class TransferOwnershipBlockchain(Trade):
     __doc__ = m.TransferOwnershipBlockchain.__doc__
 
 
-class Delete(ActionWithMultipleDevices):
+class Delete(ActionWithMultipleDevicesCheckingOwner):
     __doc__ = m.Delete.__doc__
 
     @post_load
diff --git a/tests/files/2-device-with-components.snapshot.yaml b/tests/files/2-device-with-components.snapshot.yaml
new file mode 100644
index 00000000..51d36265
--- /dev/null
+++ b/tests/files/2-device-with-components.snapshot.yaml
@@ -0,0 +1,29 @@
+device:
+  manufacturer: p1
+  serialNumber: p1
+  model: p1
+  type: Desktop
+  chassis: Tower
+components:
+  - manufacturer: p1c1m
+    serialNumber: p1c1s
+    type: Motherboard
+  - manufacturer: p1c2m
+    serialNumber: p1c2s
+    model: p1c2
+    speed: 1.23
+    cores: 2
+    type: Processor
+    actions:
+      - type: BenchmarkProcessor
+        rate: 1
+        elapsed: 166
+  - manufacturer: p1c3m
+    serialNumber: p1c3s
+    type: GraphicCard
+    memory: 1.5
+elapsed: 25
+software: Workbench
+uuid: 77860eca-c3fd-41f6-a801-6af7bd8cf832
+version: '11.0'
+type: Snapshot
diff --git a/tests/test_action.py b/tests/test_action.py
index f7a1240f..8de74e81 100644
--- a/tests/test_action.py
+++ b/tests/test_action.py
@@ -2876,6 +2876,19 @@ def test_delete_devices_check_sync(user: UserClient):
         if device1.id in [y.device.id for y in x.actions if hasattr(y, 'device')]]) == 1
 
 
+@pytest.mark.mvp
+@pytest.mark.usefixtures(conftest.app_context.__name__)
+def test_delete_devices_permitions(user: UserClient, user2: UserClient):
+    """This action deactive one device and simulate than one devices is delete."""
+
+    file_snap = file('1-device-with-components.snapshot')
+    snap, _ = user.post(file_snap, res=models.Snapshot)
+    device = Device.query.filter_by(id=snap['device']['id']).one()
+
+    request = {'type': 'Delete', 'devices': [snap['device']['id']], 'name': 'borrado universal', 'severity': 'Info', 'description': 'duplicity of devices', 'endTime': '2021-07-07T22:00:00.000Z'}
+    action, _ = user2.post(res=models.Action, data=request, status=422)
+
+
 @pytest.mark.mvp
 @pytest.mark.usefixtures(conftest.app_context.__name__)
 def test_moveOnDocument_bug168(user: UserClient, user2: UserClient):