Reuse permissions in tests

Author: XanderVertegaal

README.md

@@ -32,7 +32,7 @@ Apart from superusers/admins, the application has three user roles with differen
 
 Users can become Annotators or Master Annotators by adding them to the respective user groups in the Django admin interface.
 
-The overview below shows the permissions for each role. Not all permissions are currently implemented.
+The matrix below shows the permissions for each role. Not all permissions are currently implemented.
 
 (Last updated: November 14th, 2025)
 

backend/problem/views/problem.py

@@ -14,20 +14,21 @@
 from problem.serializers import ProblemInputSerializer, ProblemSerializer
 from rest_framework.permissions import IsAuthenticated, IsAuthenticatedOrReadOnly
 
+
 class CreateProblemPermission(IsAuthenticated):
     def has_permission(self, request, view):
-        return request.user.can_create_problem
+        return super().has_permission(request, view) and request.user.can_create_problem
+
 
 class EditProblemPermission(IsAuthenticated):
     def has_permission(self, request, view):
-        return request.user.can_edit_problem
+        return super().has_permission(request, view) and request.user.can_edit_problem
 
 
 class ProblemView(ModelViewSet):
     queryset = Problem.objects.all()
     serializer_class = ProblemSerializer
 
-
     def get_permissions(self):
         if self.action == "create":
             return [CreateProblemPermission()]
@@ -128,7 +129,7 @@ def _handle_update_create_problem(
         problem_serializer = ProblemSerializer()
 
         if problem_id is None:
-            problem = problem_serializer.create(validated_input) # type: ignore
+            problem = problem_serializer.create(validated_input)  # type: ignore
             status = HTTP_201_CREATED
         else:
             problem_instance = get_object_or_404(
@@ -140,4 +141,3 @@ def _handle_update_create_problem(
             status = HTTP_200_OK
 
         return Response({"id": problem.pk}, status=status)
-

backend/problem/views/problem_test.py

@@ -0,0 +1,295 @@
+import pytest
+from django.contrib.auth.models import Group, Permission
+from rest_framework.test import APIClient
+from rest_framework import status
+
+from problem.models import Problem, Sentence
+from user.models import User, GroupName
+from user.permissions import annotator_permissions, master_annotator_permissions
+
+
+@pytest.fixture
+def api_client():
+    """Returns a DRF APIClient instance."""
+    return APIClient()
+
+
+@pytest.fixture
+def visitor(db):
+    """Creates a visitor user (no special permissions)."""
+    return User.objects.create_user(
+        username="visitor",
+        email="visitor@test.com",
+        password="testpassword",
+    )
+
+
+@pytest.fixture
+def annotator(db):
+    """Creates an annotator user with annotator group permissions."""
+    user = User.objects.create_user(
+        username="annotator",
+        email="annotator@test.com",
+        password="testpassword",
+    )
+    group, _ = Group.objects.get_or_create(name=GroupName.ANNOTATORS)
+
+    # Add annotator permissions
+    for app_label, codename in annotator_permissions:
+        try:
+            perm = Permission.objects.get(
+                content_type__app_label=app_label,
+                codename=codename,
+            )
+            group.permissions.add(perm)
+        except Permission.DoesNotExist:
+            pass
+    user.groups.add(group)
+    return user
+
+
+@pytest.fixture
+def master_annotator(db):
+    """Creates a master annotator user with full permissions."""
+    user = User.objects.create_user(
+        username="master_annotator",
+        email="master@test.com",
+        password="testpassword",
+    )
+    group, _ = Group.objects.get_or_create(name=GroupName.MASTER_ANNOTATORS)
+
+    # Add master annotator permissions
+    for app_label, codename in master_annotator_permissions:
+        try:
+            perm = Permission.objects.get(
+                content_type__app_label=app_label,
+                codename=codename,
+            )
+            group.permissions.add(perm)
+        except Permission.DoesNotExist:
+            pass
+    user.groups.add(group)
+    return user
+
+
+@pytest.fixture
+def sample_problem(db):
+    """Creates a sample problem for testing."""
+    hypothesis = Sentence.objects.create(text="This is a hypothesis.")
+    premise = Sentence.objects.create(text="This is a premise.")
+    problem = Problem.objects.create(
+        dataset=Problem.Dataset.USER,
+        hypothesis=hypothesis,
+        entailment_label=Problem.EntailmentLabel.NEUTRAL,
+        extra_data={},
+    )
+    problem.premises.add(premise)
+    return problem
+
+
+@pytest.fixture
+def problem_input_data():
+    """Returns valid input data for creating/updating a problem."""
+    return {
+        "premises": ["Test premise 1", "Test premise 2"],
+        "hypothesis": "Test hypothesis",
+        "entailmentLabel": "neutral",
+        "kbItems": [],
+    }
+
+
+class TestProblemViewPermissions:
+    """
+    Tests for problem view permissions as documented in the README.
+    """
+
+    # ==================== LIST (Browse) Tests ====================
+
+    def test_unauthenticated_user_can_list_problems(self, api_client, sample_problem):
+        """Unauthenticated users should be able to browse problems (read-only)."""
+        response = api_client.get("/api/problem/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_visitor_can_list_problems(self, api_client, visitor, sample_problem):
+        """Visitors should be able to browse problems."""
+        api_client.force_authenticate(user=visitor)
+        response = api_client.get("/api/problem/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_annotator_can_list_problems(self, api_client, annotator, sample_problem):
+        """Annotators should be able to browse problems."""
+        api_client.force_authenticate(user=annotator)
+        response = api_client.get("/api/problem/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_master_annotator_can_list_problems(
+        self, api_client, master_annotator, sample_problem
+    ):
+        """Master annotators should be able to browse problems."""
+        api_client.force_authenticate(user=master_annotator)
+        response = api_client.get("/api/problem/")
+        assert response.status_code == status.HTTP_200_OK
+
+    # ==================== RETRIEVE (Browse Single) Tests ====================
+
+    def test_unauthenticated_user_can_retrieve_problem(
+        self, api_client, sample_problem
+    ):
+        """Unauthenticated users should be able to view a single problem."""
+        response = api_client.get(f"/api/problem/{sample_problem.id}/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_visitor_can_retrieve_problem(self, api_client, visitor, sample_problem):
+        """Visitors should be able to view a single problem."""
+        api_client.force_authenticate(user=visitor)
+        response = api_client.get(f"/api/problem/{sample_problem.id}/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_annotator_can_retrieve_problem(
+        self, api_client, annotator, sample_problem
+    ):
+        """Annotators should be able to view a single problem."""
+        api_client.force_authenticate(user=annotator)
+        response = api_client.get(f"/api/problem/{sample_problem.id}/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_master_annotator_can_retrieve_problem(
+        self, api_client, master_annotator, sample_problem
+    ):
+        """Master annotators should be able to view a single problem."""
+        api_client.force_authenticate(user=master_annotator)
+        response = api_client.get(f"/api/problem/{sample_problem.id}/")
+        assert response.status_code == status.HTTP_200_OK
+
+    # ==================== CREATE (Add Problems) Tests ====================
+
+    def test_unauthenticated_user_cannot_create_problem(
+        self, api_client, problem_input_data
+    ):
+        """Unauthenticated users should not be able to create problems."""
+        response = api_client.post("/api/problem/", problem_input_data, format="json")
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_visitor_cannot_create_problem(
+        self, api_client, visitor, problem_input_data
+    ):
+        """Visitors should not be able to create problems."""
+        api_client.force_authenticate(user=visitor)
+        response = api_client.post("/api/problem/", problem_input_data, format="json")
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_annotator_cannot_create_problem(
+        self, api_client, annotator, problem_input_data
+    ):
+        """Annotators should not be able to create problems."""
+        api_client.force_authenticate(user=annotator)
+        response = api_client.post("/api/problem/", problem_input_data, format="json")
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_master_annotator_can_create_problem(
+        self, api_client, master_annotator, problem_input_data
+    ):
+        """Master annotators should be able to create problems."""
+        api_client.force_authenticate(user=master_annotator)
+        response = api_client.post("/api/problem/", problem_input_data, format="json")
+        print(response.data)
+        assert response.status_code == status.HTTP_201_CREATED
+        assert "id" in response.data
+
+    # ==================== UPDATE (Edit Problems) Tests ====================
+
+    def test_unauthenticated_user_cannot_update_problem(
+        self, api_client, sample_problem, problem_input_data
+    ):
+        """Unauthenticated users should not be able to update problems."""
+        response = api_client.patch(
+            f"/api/problem/{sample_problem.id}/", problem_input_data, format="json"
+        )
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_visitor_cannot_update_problem(
+        self, api_client, visitor, sample_problem, problem_input_data
+    ):
+        """Visitors should not be able to update problems."""
+        api_client.force_authenticate(user=visitor)
+        response = api_client.patch(
+            f"/api/problem/{sample_problem.id}/", problem_input_data, format="json"
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_annotator_cannot_update_problem(
+        self, api_client, annotator, sample_problem, problem_input_data
+    ):
+        """Annotators should not be able to update problems."""
+        api_client.force_authenticate(user=annotator)
+        response = api_client.patch(
+            f"/api/problem/{sample_problem.id}/", problem_input_data, format="json"
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_master_annotator_can_update_problem(
+        self, api_client, master_annotator, sample_problem, problem_input_data
+    ):
+        """Master annotators should be able to update user-created problems."""
+        api_client.force_authenticate(user=master_annotator)
+        response = api_client.patch(
+            f"/api/problem/{sample_problem.id}/", problem_input_data, format="json"
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+
+class TestUserRoleProperties:
+    """Tests for user role property methods used by permissions."""
+
+    def test_visitor_cannot_create_problem(self, visitor):
+        """Visitor's can_create_problem should return False."""
+        assert visitor.can_create_problem is False
+
+    def test_visitor_cannot_edit_problem(self, visitor):
+        """Visitor's can_edit_problem should return False."""
+        assert visitor.can_edit_problem is False
+
+    def test_annotator_cannot_create_problem(self, annotator):
+        """Annotator's can_create_problem should return False."""
+        assert annotator.can_create_problem is False
+
+    def test_annotator_cannot_edit_problem(self, annotator):
+        """Annotator's can_edit_problem should return False."""
+        assert annotator.can_edit_problem is False
+
+    def test_master_annotator_can_create_problem(self, master_annotator):
+        """Master annotator's can_create_problem should return True."""
+        assert master_annotator.can_create_problem is True
+
+    def test_master_annotator_can_edit_problem(self, master_annotator):
+        """Master annotator's can_edit_problem should return True."""
+        assert master_annotator.can_edit_problem is True
+
+
+class TestFirstEndpointPermissions:
+    """Tests for the /first endpoint permissions."""
+
+    def test_unauthenticated_user_can_access_first(self, api_client, sample_problem):
+        """Unauthenticated users should be able to access /first endpoint."""
+        response = api_client.get("/api/problem/first/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_visitor_can_access_first(self, api_client, visitor, sample_problem):
+        """Visitors should be able to access /first endpoint."""
+        api_client.force_authenticate(user=visitor)
+        response = api_client.get("/api/problem/first/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_annotator_can_access_first(self, api_client, annotator, sample_problem):
+        """Annotators should be able to access /first endpoint."""
+        api_client.force_authenticate(user=annotator)
+        response = api_client.get("/api/problem/first/")
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_master_annotator_can_access_first(
+        self, api_client, master_annotator, sample_problem
+    ):
+        """Master annotators should be able to access /first endpoint."""
+        api_client.force_authenticate(user=master_annotator)
+        response = api_client.get("/api/problem/first/")
+        assert response.status_code == status.HTTP_200_OK

backend/user/migrations/0004_create_user_groups.py

@@ -3,25 +3,8 @@
 from django.db import migrations
 
 from user.models import GroupName
+from user.permissions import annotator_permissions, master_annotator_permissions
 
-annotator_permissions = [
-    "problem.view_silver_problems",
-    "problem.add_knowledgebase",
-    "problem.change_knowledgebase",
-    "problem.delete_knowledgebase",
-    "problem.view_knowledgebase",
-]
-
-master_annotator_permissions = annotator_permissions + [
-    "problem.copy_problems",
-    "problem.view_hidden_problems",
-    "problem.change_problem_status",
-    "problem.change_problem_visibility",
-    "problem.add_problem",
-    "problem.change_problem",
-    "problem.delete_problem",
-    "problem.view_problem",
-]
 
 permission_map = {
     GroupName.MASTER_ANNOTATORS: master_annotator_permissions,
@@ -40,7 +23,7 @@ def create_groups(apps, schema_editor):
         group, created = Group.objects.get_or_create(name=group_name.value)
         for perm_codename in perms:
             try:
-                app_label, codename = perm_codename.split(".")
+                app_label, codename = perm_codename
                 permission = Permission.objects.get(
                     content_type__app_label=app_label,
                     codename=codename,

backend/user/permissions.py

@@ -0,0 +1,19 @@
+# Django permissions are uniquely identified by their combination of a `content_type__app_label` and a `codename`.
+annotator_permissions = [
+    ("problem", "view_silver_problems"),
+    ("problem", "add_knowledgebase"),
+    ("problem", "change_knowledgebase"),
+    ("problem", "delete_knowledgebase"),
+    ("problem", "view_knowledgebase"),
+]
+
+master_annotator_permissions = annotator_permissions + [
+    ("problem", "copy_problems"),
+    ("problem", "view_hidden_problems"),
+    ("problem", "change_problem_status"),
+    ("problem", "change_problem_visibility"),
+    ("problem", "add_problem"),
+    ("problem", "change_problem"),
+    ("problem", "delete_problem"),
+    ("problem", "view_problem"),
+]