diff --git a/resources/api/reservation.py b/resources/api/reservation.py
index 21a740d9b..dcaf2d4f0 100644
--- a/resources/api/reservation.py
+++ b/resources/api/reservation.py
@@ -488,6 +488,11 @@ def to_representation(self, instance):
 if any(insufficient_rights):
 del data['comments']
+ # staff should be able to see reservation creation time
+ if user.is_superuser or resource.is_admin(user) or resource.is_manager(user) or resource.is_viewer(user):
+ tz = resource.unit.get_tz()
+ data.update(**{'created_at': instance.created_at.astimezone(tz)})
+
 if not resource.can_view_reservation_user(user):
 del data['user']
diff --git a/resources/tests/test_reservation_api.py b/resources/tests/test_reservation_api.py
index 971d53d01..74aff1e36 100644
--- a/resources/tests/test_reservation_api.py
+++ b/resources/tests/test_reservation_api.py
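Review bot: The staff test on the added `if user.is_superuser or resource.is_admin(user) or resource.is_manager(user) or resource.is_viewer(user):` line writes the disclosure policy for `created_at` out inline, while the context line just below it goes through a single permission helper, `resource.can_view_reservation_user(user)`. A hand-written role chain in the serializer is easy to miss when a role is added or tightened later, so consider moving it into one permission method on the resource, next to that helper, and calling it here. The assignment also reads more directly as `data['created_at'] = instance.created_at.astimezone(tz)` than as `data.update(**{...})`. `to_representation` begins and ends outside this hunk, so how `user` and `resource` are bound, and whether `user` can be anonymous at this point, is not visible here.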
@@ -751,6 +751,53 @@ def test_reserver_can_update_reservation_that_has_virtual_data(
 assert response.status_code == 200
+@pytest.mark.django_db
+def test_superusers_can_see_created_at(api_client, reservation, staff_user):
+ """Tests that superusers can see reservation created at"""
+
+ detail_url = reverse('reservation-detail', kwargs={'pk': reservation.pk})
+
+ staff_user.is_superuser = True
+ staff_user.save()
+ api_client.force_authenticate(user=staff_user)
+ response = api_client.get(detail_url)
+ assert 'created_at' in response.data
+ assert response.data['created_at'] == reservation.created_at
+
+
+@pytest.mark.parametrize('unit_perm', ['admin', 'manager', 'viewer'])
+@pytest.mark.django_db
+def test_unit_staff_can_see_created_at(
+ api_client, reservation, staff_user, resource_in_unit, unit_perm):
+ """Tests that unit staff can see reservation created at"""
+
+ detail_url = reverse('reservation-detail', kwargs={'pk': reservation.pk})
+
+ UnitAuthorization.objects.create(
+ subject=resource_in_unit.unit, level=UnitAuthorizationLevel[unit_perm], authorized=staff_user)
+ api_client.force_authenticate(user=staff_user)
+ response = api_client.get(detail_url)
+ assert 'created_at' in response.data
+ assert response.data['created_at'] == reservation.created_at
+
+
+@pytest.mark.django_db
+def test_anon_and_regular_users_cannot_see_created_at(api_client, reservation, user, user2):
+ """Tests that anon and regular users cannot see created at"""
+ detail_url = reverse('reservation-detail', kwargs={'pk': reservation.pk})
+
+ response = api_client.get(detail_url)
+ assert 'created_at' not in response.data
+
+ api_client.force_authenticate(user=user)
+ response = api_client.get(detail_url)
+ assert 'created_at' not in response.data
+
+ api_client.force_authenticate(user=user2)
+ response = api_client.get(detail_url)
+ assert 'created_at' not in response.data
+
+
 @pytest.mark.django_db
 def test_user_data_correct_and_only_for_admins(
 api_client, reservation, user, 
general_admin): @@ -3329,16 +3376,16 @@ def test_reservation_reminder_create( @override_settings(RESPA_MAILS_ENABLED=True) @pytest.mark.django_db def test_no_notification_on_reservation_type_blocked( - resource_in_unit, reservation_data, + resource_in_unit, reservation_data, staff_api_client, staff_user, list_url, reservation_created_by_official_notification): UnitAuthorization.objects.create(subject=resource_in_unit.unit, level=UnitAuthorizationLevel.manager, authorized=staff_user) - + reservation_data['resource'] = resource_in_unit.pk reservation_data['reserver_name'] = 'Staff reservation normal' reservation_data['type'] = Reservation.TYPE_BLOCKED response = staff_api_client.post(list_url, data=reservation_data, format='json') assert response.status_code == 201 - assert len(mail.outbox) == 0 \ No newline at end of file + assert len(mail.outbox) == 0
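Review bot: The three negative checks in `test_anon_and_regular_users_cannot_see_created_at` assert only `'created_at' not in response.data`, which also holds for an error response. The test would therefore keep passing if the detail view stopped serving these users at all. Add `assert response.status_code == 200` before each `not in` assertion, so the test pins that the reservation is returned with the field withheld. In the two positive tests, `response.data['created_at'] == reservation.created_at` compares aware datetimes, which are equal whatever their zone, so the `astimezone(tz)` conversion in the serializer is not exercised. If the unit-local offset is part of the contract, assert on it explicitly.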