diff --git a/users/serializers.py b/users/serializers.py
index d2e02ff..17637bd 100644
--- a/users/serializers.py
+++ b/users/serializers.py
@@ -77,4 +77,6 @@ class UserSerializer(serializers.HyperlinkedModelSerializer):
         return user
 
     def get_token(self, obj: User):
-        return create_token_if_necessary(obj).key
+        if self.context['request'].user == obj:
+            return create_token_if_necessary(obj).key
+        return None
diff --git a/users/tests.py b/users/tests.py
index b1f3ce4..915234d 100644
--- a/users/tests.py
+++ b/users/tests.py
@@ -1,8 +1,11 @@
+import json
+
 from django.test import TestCase
 from django.test.utils import override_settings
 import mock
 from django.urls import reverse
+from rest_framework.reverse import reverse as drf_reverse
 
 from .auth.backends import CombinedAuthBackend
 from .models import User
@@ -72,3 +75,23 @@ class LogoutViewTest(TestCase):
     def test_logout_view(self):
         response = self.client.get(reverse('users:logout'))
         self.assertEqual(response.status_code, 302)
+
+
+class ProfileViewTest(TestCase):
+    def setUp(self):
+        self.first_user = User.objects.create_user(username='jdoe', password='password')
+        self.second_user = User.objects.create_user(username='judy', password='password')
+        self.client.login(username='jdoe', password='password')
+
+    def test_should_have_access_to_token(self):
+        from rest_framework.authtoken.models import Token
+        url = drf_reverse('users:public-user-list')
+        response = self.client.get(f"{url}?username={self.first_user.username}")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data[0]['token'], Token.objects.get(user=self.first_user).key)
+
+    def test_should_have_no_access_to_token_of_other_user(self):
+        url = drf_reverse('users:public-user-list')
+        response = self.client.get(f"{url}?username={self.second_user.username}")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data[0]['token'], None)
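Review bot: The new guard in `get_token` indexes `self.context['request']` directly, so any use of `UserSerializer` without a request in its context (nested serialization, a management command, a shell session) now raises `KeyError` instead of withholding the token; the safer form is `request = self.context.get('request')` followed by `if request is not None and request.user == obj:`. The token is also still minted as a side effect of a read via `create_token_if_necessary(obj)`, which is worth stating in a docstring such as `"""Return the requesting user's own API token key (creating it on first access); None for any other user or when no request is available."""` so the credential-creating GET is not mistaken for a pure read. A return annotation `-> str | None` would make the new None branch visible to callers. The enclosing `UserSerializer` class begins outside the hunk.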
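Review bot: `import json` is added at the top of users/tests.py but none of the changes to this file in the diff use it, and the pre-existing code cannot have referenced `json` without the import, so it appears to be unused and should be dropped. The `Token` import added locally inside `test_should_have_access_to_token` in the following hunk belongs in this import block instead, as `from rest_framework.authtoken.models import Token`, next to the `drf_reverse` import.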
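Review bot: `ProfileViewTest` covers the owner and another logged-in user but not an anonymous request, which is the case that matters most for an endpoint named `public-user-list`; the new tests only ever run with `jdoe` logged in from `setUp`. A third test that calls `self.client.logout()` first and asserts the token field is absent or None would pin the serializer's behaviour for unauthenticated callers; the expected status is assumed to be 200 here and should be adjusted if the view requires authentication. `assertEqual(response.data[0]['token'], None)` in the last test reads better as `self.assertIsNone(response.data[0]['token'])`, and the local `Token` import in `test_should_have_access_to_token` should move to the module's import block.
```python
    def test_anonymous_should_have_no_access_to_token(self):
        self.client.logout()
        url = drf_reverse('users:public-user-list')
        response = self.client.get(f"{url}?username={self.first_user.username}")
        self.assertEqual(response.status_code, 200)  # TODO confirm: view may reject anonymous callers instead
        self.assertIsNone(response.data[0]['token'])
```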