feat: Implement logic to prevent deletion of system tasks and rewards; update APIs and tests accordingly

2026-02-01 16:57:12 -05:00
parent f14de28daa
commit e42c6c1ef2
16 changed files with 324 additions and 87 deletions
--- a/backend/tests/test_reward_api.py
+++ b/backend/tests/test_reward_api.py
@@ -1,17 +1,47 @@
 import pytest
 import os
+
 from flask import Flask
 from api.reward_api import reward_api
-from db.db import reward_db, child_db
+from api.auth_api import auth_api
+from db.db import reward_db, child_db, users_db
 from tinydb import Query
 from models.reward import Reward
+import jwt
+
+
+# Test user credentials
+TEST_EMAIL = "testuser@example.com"
+TEST_PASSWORD = "testpass"
+
+def add_test_user():
+    users_db.remove(Query().email == TEST_EMAIL)
+    users_db.insert({
+        "id": "testuserid",
+        "first_name": "Test",
+        "last_name": "User",
+        "email": TEST_EMAIL,
+        "password": TEST_PASSWORD,
+        "verified": True,
+        "image_id": "boy01"
+    })
+
+def login_and_set_cookie(client):
+    resp = client.post('/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
+    assert resp.status_code == 200
+    token = resp.headers.get("Set-Cookie")
+    assert token and "token=" in token

@pytest.fixture
 def client():
    app = Flask(__name__)
    app.register_blueprint(reward_api)
+    app.register_blueprint(auth_api)
    app.config['TESTING'] = True
+    app.config['SECRET_KEY'] = 'supersecretkey'
    with app.test_client() as client:
+        add_test_user()
+        login_and_set_cookie(client)
        yield client

@pytest.fixture(scope="session", autouse=True)
@@ -59,7 +89,7 @@ def test_delete_reward_not_found(client):
    assert b'Reward not found' in response.data

 def test_delete_assigned_reward_removes_from_child(client):
-    # create task and child with the task already assigned
+    # SYSTEM reward: should not be deletable (expect 403)
    reward_db.insert({'id': 'r_delete_assigned', 'name': 'Temp Task', 'cost': 5})
    child_db.insert({
        'id': 'child_for_reward_delete',
@@ -69,15 +99,27 @@ def test_delete_assigned_reward_removes_from_child(client):
        'rewards': ['r_delete_assigned'],
        'tasks': []
    })
-
    ChildQuery = Query()
-    # precondition: child has the task
    assert 'r_delete_assigned' in child_db.search(ChildQuery.id == 'child_for_reward_delete')[0].get('rewards', [])
-
-    # call the delete endpoint
    resp = client.delete('/reward/r_delete_assigned')
-    assert resp.status_code == 200
-
-    # verify the task id is no longer in the child's tasks
-    child = child_db.search(ChildQuery.id == 'child_for_reward_delete')[0]
-    assert 'r_delete_assigned' not in child.get('rewards', [])
+    assert resp.status_code == 403
+    # USER reward: should be deletable (expect 200)
+    reward_db.insert({'id': 'r_user_owned', 'name': 'User Reward', 'cost': 2, 'user_id': 'testuserid'})
+    child_db.insert({
+        'id': 'child_for_user_reward',
+        'name': 'UserChild',
+        'age': 8,
+        'points': 0,
+        'rewards': ['r_user_owned'],
+        'tasks': []
+    })
+    # Fetch and update if needed
+    child2 = child_db.search(ChildQuery.id == 'child_for_user_reward')[0]
+    if 'r_user_owned' not in child2.get('rewards', []):
+        child2['rewards'] = ['r_user_owned']
+        child_db.update({'rewards': ['r_user_owned']}, ChildQuery.id == 'child_for_user_reward')
+    assert 'r_user_owned' in child_db.search(ChildQuery.id == 'child_for_user_reward')[0].get('rewards', [])
+    resp2 = client.delete('/reward/r_user_owned')
+    assert resp2.status_code == 200
+    child2 = child_db.search(ChildQuery.id == 'child_for_user_reward')[0]
+    assert 'r_user_owned' not in child2.get('rewards', [])