From 429ce2df2e489eea272778b3d92b0510a9c294ec Mon Sep 17 00:00:00 2001
From: Erin Mullaney <erin.mullaney@torchbox.com>
Date: Thu, 21 Feb 2019 12:26:33 -0500
Subject: [PATCH] #962 add a regular user test to make sure regular users can't
 access review page and post opinions

---
 opentech/apply/review/tests/test_views.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/opentech/apply/review/tests/test_views.py b/opentech/apply/review/tests/test_views.py
index 88114bd58..9cf733eb4 100644
--- a/opentech/apply/review/tests/test_views.py
+++ b/opentech/apply/review/tests/test_views.py
@@ -267,3 +267,25 @@ class StaffReviewOpinionCase(BaseViewTestCase):
         self.assertTrue(review.opinions.first().opinion_display in Activity.objects.first().message)
         self.assertEqual(ReviewOpinion.objects.all().count(), 1)
         self.assertEqual(ReviewOpinion.objects.first().opinion, AGREE)
+
+
+class NonStaffReviewOpinionCase(BaseViewTestCase):
+    user_factory = UserFactory
+    url_name = 'funds:submissions:reviews:{}'
+    base_view_name = 'review'
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+        cls.submission = ApplicationSubmissionFactory(status='draft_proposal', workflow_stages=2)
+
+    def get_kwargs(self, instance):
+        return {'pk': instance.id, 'submission_pk': instance.submission.id}
+
+    def test_cant_see_review_or_post_opinion_to_it(self):
+        staff = StaffFactory()
+        review = ReviewFactory(submission=self.submission, author=staff, recommendation_yes=True)
+        response = self.get_page(review)
+        self.assertEqual(response.status_code, 403)
+        response = self.post_page(review, {'agree': AGREE})
+        self.assertEqual(response.status_code, 403)
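Review bot: The POST check in `test_cant_see_review_or_post_opinion_to_it` asserts only the 403 status, so a view that saved the opinion before denying the request would still pass; adding `self.assertEqual(ReviewOpinion.objects.count(), 0)` after the last assertion would pin that nothing was written. Because the GET and POST checks share one method, a failing GET assertion stops the test before the POST path runs; splitting them into two test methods would report each authorization path independently. The class covers a logged-in regular user only. Whether an anonymous request or the submission's own applicant is also rejected is not visible in this hunk, and may deserve its own case if it is not tested elsewhere.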
-- 
GitLab