From 19a2f4163ac8a5800c6eb8f647a22cab8b3ea901 Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Thu, 4 Apr 2019 18:17:56 +0200
Subject: [PATCH] Add a few permission tests

---
 src/tests/api/test_permissions.py     | 4 ++++
 src/tests/control/test_permissions.py | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/src/tests/api/test_permissions.py b/src/tests/api/test_permissions.py
index 2e47171e98..b1ae98586e 100644
--- a/src/tests/api/test_permissions.py
+++ b/src/tests/api/test_permissions.py
@@ -95,6 +95,7 @@ event_permission_sub_urls = [
     ('patch', 'can_change_items', 'questions/1/options/1/', 404),
     ('delete', 'can_change_items', 'questions/1/options/1/', 404),
     ('post', 'can_change_orders', 'orders/', 400),
+    ('patch', 'can_change_orders', 'orders/ABC12/', 404),
     ('post', 'can_change_orders', 'orders/ABC12/mark_paid/', 404),
     ('post', 'can_change_orders', 'orders/ABC12/mark_pending/', 404),
     ('post', 'can_change_orders', 'orders/ABC12/mark_expired/', 404),
@@ -102,6 +103,9 @@ event_permission_sub_urls = [
     ('post', 'can_change_orders', 'orders/ABC12/approve/', 404),
     ('post', 'can_change_orders', 'orders/ABC12/deny/', 404),
     ('post', 'can_change_orders', 'orders/ABC12/extend/', 400),
+    ('post', 'can_change_orders', 'orders/ABC12/create_invoice/', 404),
+    ('post', 'can_change_orders', 'orders/ABC12/resend_link/', 404),
+    ('post', 'can_change_orders', 'orders/ABC12/regenerate_secrets/', 404),
     ('get', 'can_view_orders', 'orders/ABC12/payments/', 404),
     ('get', 'can_view_orders', 'orders/ABC12/payments/1/', 404),
     ('get', 'can_view_orders', 'orders/ABC12/refunds/', 404),
diff --git a/src/tests/control/test_permissions.py b/src/tests/control/test_permissions.py
index 3103b6e5ce..e892cf5c12 100644
--- a/src/tests/control/test_permissions.py
+++ b/src/tests/control/test_permissions.py
@@ -66,6 +66,7 @@ event_urls = [
     "items/add",
     "items/1/",
     "items/1/variations",
+    "items/1/bundles",
     "items/1/up",
     "items/1/down",
     "items/1/delete",
@@ -112,6 +113,7 @@ event_urls = [
     "orders/ABC/refunds/1/cancel",
     "orders/ABC/refunds/1/process",
     "orders/ABC/refunds/1/done",
+    "orders/ABC/delete",
     "orders/ABC/",
     "orders/",
     "checkinlists/",
@@ -238,6 +240,9 @@ event_permission_urls = [
     ("can_change_items", "items/1/up", 404),
     ("can_change_items", "items/1/down", 404),
     ("can_change_items", "items/1/delete", 404),
+    ("can_change_items", "items/1/variations", 404),
+    ("can_change_items", "items/1/addons", 404),
+    ("can_change_items", "items/1/bundles", 404),
     # ("can_change_items", "categories/", 200),
     # We don't have to create categories and similar objects
     # for testing this, it is enough to test that a 404 error
@@ -272,6 +277,7 @@ event_permission_urls = [
     ("can_change_orders", "orders/FOO/change", 200),
     ("can_change_orders", "orders/FOO/approve", 200),
     ("can_change_orders", "orders/FOO/deny", 200),
+    ("can_change_orders", "orders/FOO/delete", 302),
     ("can_change_orders", "orders/FOO/comment", 405),
     ("can_change_orders", "orders/FOO/locale", 200),
     ("can_view_orders", "orders/FOO/answer/5/", 404),