viraxslot / online-school-app

Backend for testing purposes.

'404 not found' on admin changing the course created by another admin #54

Open LarisaTerenteva opened 2 years ago

LarisaTerenteva commented 2 years ago

Description: When an admin user tries to change a course created by another admin, an unexpected 404 Not Found code and the error message ('Unable to find course record(s)') are shown.

Pre-conditions:

There are at least two active users with the admin role (here admin1 and admin2);

Steps to reproduce:

  1. Log in as admin1;
  2. Save the access token for admin1;
  3. Create a new category by POST request (http://qa-school-test.quantori.academy/api/v1/categories) using the saved admin1 access token; the request body is {"title": "string"}, with 'title' being a string of valid length (3-100) and allowed characters (RU/EN alphabet, space, digits);
  4. Save the newly created category id to use in the following request;
  5. Log in to the admin2 account;
  6. Save the access token for admin2;
  7. Create a new course by POST request (http://qa-school-test.quantori.academy/api/v1/courses) using the saved admin2 access token; the request body is {"title": "string", "description": "string", "visible": true, "categoryId": 0}, with 'title' being a string of valid length (3-100) and allowed characters (RU/EN alphabet, space, digits), 'description' being a string of valid length (3-255 as implemented at the moment), 'visible' being a boolean, and 'categoryId' being the id of the category created in step 3;
  8. Save the newly created course id to use in the following request;
  9. Try making a PATCH request (http://qa-school-test.quantori.academy/api/v1/courses) using the saved admin1 access token; the request body is { "id": 0, "title": "string", "description": "string", "categoryId": 0}, with 'id' being the id of the course created in step 7, 'title' being a string of valid length (3-100) and allowed characters (RU/EN alphabet, space, digits), 'description' being a string of valid length (3-255 as implemented at the moment), and 'categoryId' being the id of the category created in step 3.

Post-conditions:

  1. Delete the course created in step 7 by DELETE request (http://qa-school-test.quantori.academy/api/v1/courses/{courseId}) using the admin2 access token;
  2. Make sure the course is deleted;
  3. Delete the category created in step 3 by DELETE request (http://qa-school-test.quantori.academy/api/v1/courses/{categoryId}) using the admin1 access token;
  4. Make sure the category is deleted.

Actual behavior:

  1. Response code is 404 Not found
  2. Error message 'Unable to find course record(s)' is shown
  3. Course is not changed

Expected behavior:

  1. Code 403 Unauthorized
  2. Error message is shown: 'You're not owner of this course, you can't change/remove it'
  3. No changes applied to the course


LarisaTerenteva commented 2 years ago

It seems like there are four cases sharing the same unexpected behavior (404 code and 'Unable to find course record(s)'):

  1. Teacher tries to change a course created by another teacher #40;
  2. Teacher tries to change a course created by admin #26, #46;
  3. Admin tries to change a course created by teacher #32;
  4. Admin tries to change a course created by another admin (this one; couldn't find a duplicate for this).

viraxslot commented 2 years ago

Code 403 Unauthorized -> Forbidden
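The behaviour the report expects, written out as an added example that is not the project's code: an in-memory PATCH handler that separates a course that does not exist (404) from a course that exists but belongs to another user (403 Forbidden, as corrected above). The "buggy" variant, which scopes the lookup by owner, is an assumed cause shown for illustration and is not taken from the project's source; the store contents are constructed.

```javascript
// Added illustration, not the project's code. Models the PATCH /courses check.
const NOT_FOUND_MSG = "Unable to find course record(s)";
const NOT_OWNER_MSG = "You're not owner of this course, you can't change/remove it";

// Constructed sample store: one course created by admin2.
function makeStore() {
  return new Map([
    [7, { id: 7, ownerId: "admin2", title: "Algebra", description: "Intro", categoryId: 3 }],
  ]);
}

// Only the fields the PATCH body may change; id and ownerId stay as stored.
function pickFields(body) {
  const out = {};
  for (const k of ["title", "description", "categoryId"]) {
    if (body[k] !== undefined) out[k] = body[k];
  }
  return out;
}

// Assumed buggy shape: filtering the lookup by the caller's id makes a course
// owned by someone else indistinguishable from a course that does not exist,
// so both cases come back as 404.
function patchCourseBuggy(store, requester, body) {
  const found = [...store.values()].find(
    (c) => c.id === body.id && c.ownerId === requester.id
  );
  if (!found) return { status: 404, error: NOT_FOUND_MSG };
  Object.assign(found, pickFields(body));
  return { status: 200, course: found };
}

// Fixed shape: fetch the record by id first, then run the ownership check on
// the record that was found. Existence and authorization are reported apart.
function patchCourse(store, requester, body) {
  const course = store.get(body.id);
  if (!course) return { status: 404, error: NOT_FOUND_MSG };
  if (course.ownerId !== requester.id) return { status: 403, error: NOT_OWNER_MSG };
  Object.assign(course, pickFields(body));
  return { status: 200, course };
}
```

Returning 403 does tell the caller that the course id exists, which is the trade-off the thread settles on.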