More tests.

hc/front/tests/test_channel_checks.py

@@ -0,0 +1,35 @@
+from django.contrib.auth.models import User
+from django.test import TestCase
+
+from hc.api.models import Channel
+
+
+class ChannelChecksTestCase(TestCase):
+
+    def setUp(self):
+        self.alice = User(username="alice")
+        self.alice.set_password("password")
+        self.alice.save()
+
+        self.channel = Channel(user=self.alice, kind="email")
+        self.channel.value = "[email protected]"
+        self.channel.save()
+
+    def test_it_works(self):
+        url = "/channels/%s/checks/" % self.channel.code
+
+        self.client.login(username="alice", password="password")
+        r = self.client.get(url)
+        self.assertContains(r, "[email protected]", status_code=200)
+
+    def test_it_checks_owner(self):
+        mallory = User(username="mallory")
+        mallory.set_password("password")
+        mallory.save()
+
+        # channel does not belong to mallory so this should come back
+        # with 403 Forbidden:
+        url = "/channels/%s/checks/" % self.channel.code
+        self.client.login(username="mallory", password="password")
+        r = self.client.get(url)
+        assert r.status_code == 403

hc/front/tests/test_remove_channel.py

@@ -0,0 +1,43 @@
+from django.contrib.auth.models import User
+from django.test import TestCase
+
+from hc.api.models import Channel
+
+
+class RemoveChannelTestCase(TestCase):
+
+    def setUp(self):
+        self.alice = User(username="alice")
+        self.alice.set_password("password")
+        self.alice.save()
+
+        self.channel = Channel(user=self.alice, kind="email")
+        self.channel.value = "[email protected]"
+        self.channel.save()
+
+    def test_it_works(self):
+        url = "/channels/%s/remove/" % self.channel.code
+
+        self.client.login(username="alice", password="password")
+        r = self.client.post(url)
+        assert r.status_code == 302
+
+        assert Channel.objects.count() == 0
+
+    def test_it_handles_bad_uuid(self):
+        url = "/channels/not-uuid/remove/"
+
+        self.client.login(username="alice", password="password")
+        r = self.client.post(url)
+        assert r.status_code == 400
+
+    def test_it_checks_owner(self):
+        url = "/channels/%s/remove/" % self.channel.code
+
+        mallory = User(username="mallory")
+        mallory.set_password("password")
+        mallory.save()
+
+        self.client.login(username="mallory", password="password")
+        r = self.client.post(url)
+        assert r.status_code == 403

hc/front/tests/test_verify_email.py

@@ -0,0 +1,35 @@
+from django.contrib.auth.models import User
+from django.test import TestCase
+
+from hc.api.models import Channel
+
+
+class VerifyEmailTestCase(TestCase):
+
+    def setUp(self):
+        self.alice = User(username="alice")
+        self.alice.set_password("password")
+        self.alice.save()
+
+        self.channel = Channel(user=self.alice, kind="email")
+        self.channel.value = "[email protected]"
+        self.channel.save()
+
+    def test_it_works(self):
+        token = self.channel.make_token()
+        url = "/channels/%s/verify/%s/" % (self.channel.code, token)
+
+        r = self.client.post(url)
+        assert r.status_code == 200, r.status_code
+
+        channel = Channel.objects.get(code=self.channel.code)
+        assert channel.email_verified
+
+    def test_it_handles_bad_token(self):
+        url = "/channels/%s/verify/bad-token/" % self.channel.code
+
+        r = self.client.post(url)
+        assert r.status_code == 200, r.status_code
+
+        channel = Channel.objects.get(code=self.channel.code)
+        assert not channel.email_verified

hc/front/views.py

@@ -159,7 +159,6 @@ def remove_check(request, code):
 @login_required
 @uuid_or_400
 def log(request, code):
-
     check = Check.objects.get(code=code)
     if check.user != request.user:
         return HttpResponseForbidden()
@@ -228,8 +227,10 @@ def add_channel(request):
 @login_required
 @uuid_or_400
 def channel_checks(request, code):
-
     channel = Channel.objects.get(code=code)
+    if channel.user != request.user:
+        return HttpResponseForbidden()
+
     assigned = set([check.code for check in channel.checks.all()])
     checks = Check.objects.filter(user=request.user).order_by("created")