1 files changed, 135 insertions, 2 deletions

diff --git a/ctrack/organisations/tests/test_views.py b/ctrack/organisations/tests/test_views.py
index dbd717f..a567fab 100644
--- a/ctrack/organisations/tests/test_views.py
+++ b/ctrack/organisations/tests/test_views.py
@@ -9,8 +9,8 @@ from ctrack.organisations.tests.factories import (
     OrganisationFactory,
     SingleDateTimeEventFactory,
 )
-from ctrack.organisations.views import IncidentReportCreateView
-
+from ctrack.organisations.views import IncidentReportCreateView, OrganisationDetailView
+from ..utils import filter_private_events
 from ..views import OrganisationListView
 
 pytestmark = pytest.mark.django_db
@@ -42,6 +42,139 @@ def test_meetings_in_organisation_detail_view(user, client, org_with_people):
     assert "First Meeting" in html
 
 
+def test_private_event_filter(user, org_with_people):
+    """
+    In this test we are creating five events, using two different users.
+    Each event will be set to either private or not private. We are testing
+    a function that will only allow private notes belonging to the logged in,
+    or request.user user to be added to the view context. The context is not
+    referred to here - only the utility function under test. The output from
+    that filter function will go forward into the view context.
+    """
+    person = org_with_people.person_set.first()
+    e1_user = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="First Event with user",
+        private=True,
+        user=user,
+    )
+    e2_user = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="Second Event with user",
+        private=False,
+        user=user,
+    )
+    e3_user = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="Third Event with user",
+        private=True,
+        user=user,
+    )
+    e1_user.participants.add(person)
+    e1_user.save()
+    e2_user.participants.add(person)
+    e2_user.save()
+    e3_user.participants.add(person)
+    e3_user.save()
+    user2 = get_user_model().objects.create(username="sam", email="asd@asdsd.com", password="123")
+    e1_user2 = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="First Event with user2",
+        private=False,
+        user=user2,
+    )
+    e2_user2 = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="Second Event with user2",
+        private=True,
+        user=user2,
+    )
+    e1_user2.participants.add(person)
+    e1_user2.save()
+    e2_user2.participants.add(person)
+    e2_user2.save()
+    # This user needs permission to access the list view
+    org_list_permission = Permission.objects.get(name="Can view organisation")
+    assert user.user_permissions.count() == 0
+    user.user_permissions.add(org_list_permission)
+    assert user.has_perm("organisations.view_organisation")
+    user.save()
+    factory = RequestFactory()
+    request = factory.get(reverse("organisations:detail", args=[org_with_people.slug]))
+    request.user = user
+    response = OrganisationDetailView.as_view()(request, slug=org_with_people.slug)
+    assert response.status_code == 200
+    events = person.get_single_datetime_events()
+    assert events.count() == 5
+    assert len(filter_private_events(events, user2)) == 3
+
+
+def test_logged_in_user_can_only_see_their_private_events(
+    user, org_with_people, client
+):
+    org_list_permission = Permission.objects.get(name="Can view organisation")
+    assert user.user_permissions.count() == 0
+    user.user_permissions.add(org_list_permission)
+    assert user.has_perm("organisations.view_organisation")
+    user.save()
+    person = org_with_people.person_set.first()
+
+    # This user creates three events
+    e1 = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="First Event",
+        private=True,
+        user=user,
+    )
+    e2 = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="Second Event",
+        private=False,
+        user=user,
+    )
+    e3 = SingleDateTimeEventFactory(
+        type_descriptor="MEETING",
+        short_description="Third Event",
+        private=True,
+        user=user,
+    )
+    e1.participants.add(person)
+    e1.save()
+    e2.participants.add(person)
+    e2.save()
+    e3.participants.add(person)
+    e3.save()
+    response = client.get(
+        reverse("organisations:detail", kwargs={"slug": org_with_people.slug})
+    )
+    assert response.status_code == 200
+    html = response.content.decode("utf-8")
+    assert "First Event" in html
+    assert "Second Event" in html
+    assert "Third Event" in html
+    assert "PRIVATE" in html
+
+    # A second user adds events based on this person/organisation
+    user2 = get_user_model().objects.create(
+        username="bobbins", email="bobbins@gog.com", password="bobbins123345"
+    )
+    user2.user_permissions.add(org_list_permission)
+    assert user2.has_perm("organisations.view_organisation")
+    user2.save()
+    client.logout()
+    client.force_login(user2)
+    response2 = client.get(
+        reverse("organisations:detail", kwargs={"slug": org_with_people.slug})
+    )
+    html2 = response2.content.decode("utf-8")
+    assert response2.status_code == 200
+    # They should not be able to see First Event which was created by another
+    # user and marked private.
+    assert "First Event" not in html2
+    assert "Second Event" in html2
+    assert "Third Event" not in html2
+
+
 # https://docs.djangoproject.com/en/3.0/topics/testing/advanced/#example
 def test_organisation_list_view():
     OrganisationFactory.create()