diff --git a/src/registrar/assets/js/get-gov-admin.js b/src/registrar/assets/js/get-gov-admin.js
index 2ce8d94da..277f81b72 100644
--- a/src/registrar/assets/js/get-gov-admin.js
+++ b/src/registrar/assets/js/get-gov-admin.js
@@ -863,4 +863,4 @@ function initializeWidgetOnList(list, parentId) {
             hideElement(urbanizationField)
         }
     }
-})();
\ No newline at end of file
+})();
diff --git a/src/registrar/config/urls.py b/src/registrar/config/urls.py
index 4bf12894b..b58ff0d33 100644
--- a/src/registrar/config/urls.py
+++ b/src/registrar/config/urls.py
@@ -124,6 +124,11 @@ urlpatterns = [
         AnalyticsView.as_view(),
         name="analytics",
     ),
+    path(
+        "admin/api/get-senior-official-from-federal-agency-json/",
+        get_senior_official_from_federal_agency_json,
+        name="get-senior-official-from-federal-agency-json"
+    ),
     path("admin/", admin.site.urls),
     path(
         "reports/export_data_type_user/",
@@ -156,12 +161,6 @@ urlpatterns = [
     path("api/v1/available/", available, name="available"),
     path("api/v1/get-report/current-federal", get_current_federal, name="get-current-federal"),
     path("api/v1/get-report/current-full", get_current_full, name="get-current-full"),
-    # TODO convert to admin view
-    path(
-        "api/v1/get-senior-official-from-federal-agency-json/",
-        get_senior_official_from_federal_agency_json,
-        name="get-senior-official-from-federal-agency-json"
-    ),
     path(
         "todo",
         lambda r: always_404(r, "We forgot to include this link, sorry."),
diff --git a/src/registrar/tests/test_api.py b/src/registrar/tests/test_api.py
new file mode 100644
index 000000000..3eb7453f1
--- /dev/null
+++ b/src/registrar/tests/test_api.py
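Review bot: The new `admin/api/get-senior-official-from-federal-agency-json/` route is registered ahead of `path("admin/", admin.site.urls)`, so despite the `admin/` prefix it is not wrapped by the admin site's `admin_view` login/staff gate; authorization rests entirely on the permission check inside `get_senior_official_from_federal_agency_json`. A comment at the new `path(` such as `# Not served by admin.site — the view enforces its own permission check` would keep the next reader from assuming the prefix implies admin protection. The `# TODO convert to admin view` dropped in the second hunk is not actually resolved by moving the route; either keep the TODO or wrap the callable with `admin.site.admin_view(...)` if the intent is to reuse the admin login flow.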
@@ -0,0 +1,64 @@
+from django.urls import reverse
+from django.test import TestCase, Client
+from registrar.models import FederalAgency, SeniorOfficial, User
+from django.contrib.auth import get_user_model
+from registrar.tests.common import create_superuser, create_user
+
+
+class GetSeniorOfficialJsonTest(TestCase):
+    def setUp(self):
+        self.client = Client()
+        self.user = get_user_model().objects.create_user(username="testuser", password="password")
+
+        self.superuser = create_superuser()
+        self.analyst_user = create_user()
+
+        self.agency = FederalAgency.objects.create(agency="Test Agency")
+        self.senior_official = SeniorOfficial.objects.create(
+            first_name="John", last_name="Doe", title="Director", federal_agency=self.agency
+        )
+
+        self.api_url = reverse("get-senior-official-from-federal-agency-json")
+
+    def tearDown(self):
+        User.objects.all().delete()
+        SeniorOfficial.objects.all().delete()
+        FederalAgency.objects.all().delete()
+
+    def test_get_senior_official_json_authenticated_superuser(self):
+        """Test that a superuser can fetch the senior official information."""
+        self.client.login(username="superuser", password="adminpass")
+        response = self.client.get(self.api_url, {"agency_name": "Test Agency"})
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(data["id"], self.senior_official.id)
+        self.assertEqual(data["first_name"], "John")
+        self.assertEqual(data["last_name"], "Doe")
+        self.assertEqual(data["title"], "Director")
+
+    def test_get_senior_official_json_authenticated_analyst(self):
+        """Test that an analyst user can fetch the senior official's information."""
+        self.client.login(username="staffuser", password="userpass")
+        response = self.client.get(self.api_url, {"agency_name": "Test Agency"})
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(data["id"], self.senior_official.id)
+        self.assertEqual(data["first_name"], "John")
+        self.assertEqual(data["last_name"], "Doe")
+        self.assertEqual(data["title"], "Director")
+
+    def test_get_senior_official_json_unauthenticated(self):
+        """Test that an unauthenticated user receives a 403 with an error message."""
+        self.client.login(username="testuser", password="password")
+        response = self.client.get(self.api_url, {"agency_name": "Test Agency"})
+        self.assertEqual(response.status_code, 403)
+        data = response.json()
+        self.assertEqual(data["error"], "You do not have access to this resource")
+
+    def test_get_senior_official_json_not_found(self):
+        """Test that a request for a non-existent agency returns a 404 with an error message."""
+        self.client.login(username="superuser", password="adminpass")
+        response = self.client.get(self.api_url, {"agency_name": "Non-Federal Agency"})
+        self.assertEqual(response.status_code, 404)
+        data = response.json()
+        self.assertEqual(data["error"], "Senior Official not found")
diff --git a/src/registrar/views/utility/api_views.py b/src/registrar/views/utility/api_views.py
index 6bd349d0a..3b9c6f54c 100644
--- a/src/registrar/views/utility/api_views.py
+++ b/src/registrar/views/utility/api_views.py
@@ -14,12 +14,11 @@ logger = logging.getLogger(__name__)
 def get_senior_official_from_federal_agency_json(request):
     """Returns federal_agency information as a JSON"""
-    # This API is only accessible to admins
+    # This API is only accessible to admins and analysts
     superuser_perm = request.user.has_perm("registrar.full_access_permission")
     analyst_perm = request.user.has_perm("registrar.analyst_access_permission")
     if not request.user.is_authenticated or not analyst_perm or not superuser_perm:
-        # We intentionally don't return anything here
-        return {}
+        return JsonResponse({"error": "You do not have access to this resource"}, status=403)
 
     agency_name = request.GET.get("agency_name")
     agency = FederalAgency.objects.filter(agency=agency_name).first()
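Review bot: `test_get_senior_official_json_unauthenticated` calls `self.client.login(username="testuser", password="password")` before the request, so it exercises an authenticated user without permissions rather than the view's `not request.user.is_authenticated` branch, and its docstring says the opposite. Rename it to something like `test_get_senior_official_json_no_permission` and add a separate test that issues `self.client.get(self.api_url, {"agency_name": "Test Agency"})` with no `login()` at all, asserting the 403. The `login()` return values are also discarded everywhere; `self.assertTrue(self.client.login(username="superuser", password="adminpass"))` would stop the 403 assertions from passing for the wrong reason if the credentials assumed from `create_superuser`/`create_user` change.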
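Review bot: The condition `if not request.user.is_authenticated or not analyst_perm or not superuser_perm:` denies any caller lacking either permission, so a user holding only `registrar.analyst_access_permission` receives the new 403 — contradicting the updated comment `# This API is only accessible to admins and analysts`, unless analyst accounts in this project also carry `full_access_permission`, which this hunk does not show. If either role should be admitted, the check should read `if not request.user.is_authenticated or not (analyst_perm or superuser_perm):`. The current form fails closed, so this is a functionality gap rather than an exposure, but the analyst test in test_api.py will only pass if the analyst fixture has both permissions.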
@@ -29,4 +28,4 @@ def get_senior_official_from_federal_agency_json(request):
         so_dict = model_to_dict(senior_official)
         return JsonResponse(so_dict)
     else:
-        return JsonResponse({"error": "Senior Official not found"})
\ No newline at end of file
+        return JsonResponse({"error": "Senior Official not found"}, status=404)