fixup! ♻️(backend) update permission to sign for contract of batch order

Author: jonathanreveille

src/backend/joanie/core/api/client/__init__.py

@@ -1100,6 +1100,12 @@ def get_queryset(self):
                 type=OpenApiTypes.UUID,
                 many=True,
             ),
+            OpenApiParameter(
+                name="from_batch_order",
+                description="Boolean value if we want contracts from batch orders or not",
+                required=False,
+                type=OpenApiTypes.BOOL,
+            ),
         ],
     )
     @action(
@@ -1115,12 +1121,14 @@ def contracts_signature_link(self, request, *args, **kwargs):
         organization = self.get_object()
         contract_ids = request.query_params.getlist("contract_ids")
         offering_ids = request.query_params.getlist("offering_ids")
+        from_batch_order = request.query_params.get("from_batch_order", False)
 
         try:
             (signature_link, ids) = organization.contracts_signature_link(
                 request.user,
                 contract_ids=contract_ids,
                 offering_ids=offering_ids,
+                from_batch_order=from_batch_order,
             )
         except NoContractToSignError as error:
             return Response({"detail": f"{error}"}, status=HTTPStatus.BAD_REQUEST)

src/backend/joanie/core/models/contracts.py

@@ -314,7 +314,7 @@ def get_abilities(self, user):
             abilities = (
                 self.order.organization.get_abilities(user=user)
                 if self.order
-                else self.batch_orders.first().organization.get_abilities(user=user)
+                else self.batch_order.organization.get_abilities(user=user)
             )
             can_sign = abilities.get("sign_contracts", False)
 

src/backend/joanie/core/models/courses.py

@@ -341,20 +341,32 @@ def signature_backend_references_to_sign(self, **kwargs):
         Return the list of references that should be signed by the organization.
         """
         filters = Q()
+        from_batch_order = kwargs.get("from_batch_order")
+
         if contract_ids := kwargs.get("contract_ids"):
             filters &= Q(id__in=contract_ids)
-        if relation_ids := kwargs.get("offering_ids"):
-            filters &= Q(order__product__offerings__id__in=relation_ids)
+
+        if offering_ids := kwargs.get("offering_ids"):
+            if from_batch_order:
+                filters &= Q(batch_order__relation__id__in=offering_ids)
+            else:
+                filters &= Q(order__product__offerings__id__in=offering_ids)
+
+        if from_batch_order:
+            filters &= Q(batch_order__organization=self)
+            exclude_filter = Q(batch_order__state=enums.BATCH_ORDER_STATE_CANCELED)
+        else:
+            filters &= Q(order__organization=self)
+            exclude_filter = Q(order__state=enums.ORDER_STATE_CANCELED)
 
         contracts_to_sign = list(
             Contract.objects.filter(
                 filters,
                 signature_backend_reference__isnull=False,
                 submitted_for_signature_on__isnull=False,
                 student_signed_on__isnull=False,
-                order__organization=self,
             )
-            .exclude(order__state=enums.ORDER_STATE_CANCELED)
+            .exclude(exclude_filter)
             .values_list("id", "signature_backend_reference")
         )
 

src/backend/joanie/tests/core/api/organizations/test_contracts_signature_link.py

@@ -387,3 +387,323 @@ def test_api_organization_contracts_signature_link_cumulative_filters(self):
             response.json(),
             {"detail": "Some contracts are not available for this organization."},
         )
+
+    def test_api_organization_contracts_from_batch_order_signature_link_without_owner(
+        self,
+    ):
+        """
+        Authenticated users which is not an organization owner should not be able
+        to sign contracts in bulk.
+        """
+        organization_roles_not_owner = [
+            role[0]
+            for role in OrganizationAccess.ROLE_CHOICES
+            if role[0] != enums.OWNER
+        ]
+
+        for organization_role in organization_roles_not_owner:
+            with self.subTest(role=organization_role):
+                user = factories.UserFactory()
+                organization = factories.BatchOrderFactory(
+                    state=enums.BATCH_ORDER_STATE_TO_SIGN
+                ).organization
+                factories.UserOrganizationAccessFactory(
+                    user=user,
+                    organization=organization,
+                    role=organization_role,
+                )
+
+                token = self.generate_token_from_user(user)
+
+                response = self.client.get(
+                    f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/",
+                    HTTP_AUTHORIZATION=f"Bearer {token}",
+                )
+
+                self.assertContains(
+                    response,
+                    '{"detail":"You do not have permission to perform this action."}',
+                    status_code=HTTPStatus.FORBIDDEN,
+                )
+
+    def test_api_organization_contracts_from_batch_order_signature_link_success(self):
+        """
+        Authenticated users with the owner role should be able to sign contracts in bulk.
+        Contracts where the batch order is canceled should not be returned.
+        """
+        user = factories.UserFactory()
+        batch_order = factories.BatchOrderFactory(state=enums.BATCH_ORDER_STATE_TO_SIGN)
+        offering = batch_order.offering
+        organization = batch_order.organization
+        factories.UserOrganizationAccessFactory(
+            user=user,
+            organization=organization,
+            role=enums.OWNER,
+        )
+
+        # Create one batch order that is canceled
+        batch_order_2 = factories.BatchOrderFactory(
+            organization=organization,
+            state=enums.BATCH_ORDER_STATE_TO_SIGN,
+        )
+        batch_order_2.flow.cancel()
+        # Create simple orders that should not be retrieved
+        factories.OrderGeneratorFactory.create_batch(
+            3,
+            organization=organization,
+            product=offering.product,
+            course=offering.course,
+        )
+
+        token = self.generate_token_from_user(user)
+
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            "?from_batch_order=true",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+
+        self.assertStatusCodeEqual(response, HTTPStatus.OK)
+        self.assertIn(
+            "https://dummysignaturebackend.fr/?reference=",
+            content["invitation_link"],
+        )
+        # We should not find the batch_order_2 contract since it's canceled.
+        self.assertCountEqual(
+            content["contract_ids"],
+            [str(batch_order.contract.id)],
+        )
+
+    def test_api_organization_contracts_from_batch_order_signature_link_with_offering_id(
+        self,
+    ):
+        """
+        Authenticated user with the owner role should be able to sign the contracts in
+        bulk by passing offering ids.
+        """
+        user = factories.UserFactory()
+        [organization, other_organization] = factories.OrganizationFactory.create_batch(
+            2
+        )
+        factories.UserOrganizationAccessFactory(
+            user=user,
+            organization=organization,
+            role=enums.OWNER,
+        )
+        offering_1 = factories.OfferingFactory(
+            organizations=[organization, other_organization],
+            product__contract_definition_batch_order=factories.ContractDefinitionFactory(),
+            product__quote_definition=factories.QuoteDefinitionFactory(),
+            product__price=0,
+        )
+        offering_2 = factories.OfferingFactory(
+            organizations=[organization],
+            product__contract_definition_batch_order=factories.ContractDefinitionFactory(),
+            product__quote_definition=factories.QuoteDefinitionFactory(),
+            product__price=0,
+        )
+        batch_order_1 = factories.BatchOrderFactory(
+            offering=offering_1,
+            organization=organization,
+            state=enums.BATCH_ORDER_STATE_TO_SIGN,
+        )
+        factories.BatchOrderFactory(
+            offering=offering_1,
+            organization=other_organization,
+            state=enums.BATCH_ORDER_STATE_TO_SIGN,
+        )
+        batch_order_2 = factories.BatchOrderFactory(
+            offering=offering_2,
+            organization=organization,
+            state=enums.BATCH_ORDER_STATE_TO_SIGN,
+        )
+
+        token = self.generate_token_from_user(user)
+
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            f"?from_batch_order=true&offering_ids={offering_1.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+
+        self.assertStatusCodeEqual(response, HTTPStatus.OK)
+        self.assertIn(
+            "https://dummysignaturebackend.fr/?reference=",
+            content["invitation_link"],
+        )
+        # We should only find batch_order_1.contract in the response
+        self.assertCountEqual(
+            content["contract_ids"],
+            [str(batch_order_1.contract.id)],
+        )
+
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            f"?from_batch_order=true&offering_ids={offering_1.id}&offering_ids={offering_2.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+        self.assertStatusCodeEqual(response, HTTPStatus.OK)
+        self.assertIn(
+            "https://dummysignaturebackend.fr/?reference=",
+            content["invitation_link"],
+        )
+        # We should only find both contracts related to organization's batch orders.
+        self.assertCountEqual(
+            content["contract_ids"],
+            [str(batch_order_1.contract.id), str(batch_order_2.contract.id)],
+        )
+
+    def test_api_organization_contracts_from_batch_order_signature_link_with_contract_ids(
+        self,
+    ):
+        """
+        Authenticated user with the owner role should be able to sign the contracts in
+        bulk by passing contract ids.
+        """
+        user = factories.UserFactory()
+        organization = factories.OrganizationFactory()
+        factories.UserOrganizationAccessFactory(
+            user=user,
+            organization=organization,
+            role=enums.OWNER,
+        )
+        batch_order_1 = factories.BatchOrderFactory(
+            organization=organization, state=enums.BATCH_ORDER_STATE_TO_SIGN
+        )
+        batch_order_2 = factories.BatchOrderFactory(
+            organization=organization, state=enums.BATCH_ORDER_STATE_TO_SIGN
+        )
+
+        token = self.generate_token_from_user(user)
+
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            f"?from_batch_order=true&contract_ids={batch_order_1.contract.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+        self.assertStatusCodeEqual(response, HTTPStatus.OK)
+        self.assertIn(
+            "https://dummysignaturebackend.fr/?reference=",
+            content["invitation_link"],
+        )
+        self.assertCountEqual(
+            content["contract_ids"],
+            [str(batch_order_1.contract.id)],
+        )
+
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            f"?from_batch_order=true&contract_ids={batch_order_1.contract.id}"
+            f"&contract_ids={batch_order_2.contract.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+
+        self.assertStatusCodeEqual(response, HTTPStatus.OK)
+        self.assertIn(
+            "https://dummysignaturebackend.fr/?reference=",
+            content["invitation_link"],
+        )
+        self.assertCountEqual(
+            content["contract_ids"],
+            [str(batch_order_1.contract.id), str(batch_order_2.contract.id)],
+        )
+
+    def test_api_organization_contracts_from_batch_order_signature_link_cumulative_filters(
+        self,
+    ):
+        """
+        When filter by both a list of offering ids and a list of contract ids,
+        those filter should be combined.
+        """
+        user = factories.UserFactory()
+        organization = factories.OrganizationFactory()
+        factories.UserOrganizationAccessFactory(
+            user=user,
+            organization=organization,
+            role=enums.OWNER,
+        )
+        offering_1 = factories.OfferingFactory(
+            organizations=[organization],
+            product__contract_definition_batch_order=factories.ContractDefinitionFactory(),
+            product__quote_definition=factories.QuoteDefinitionFactory(),
+            product__price=0,
+        )
+        offering_2 = factories.OfferingFactory(
+            organizations=[organization],
+            product__contract_definition_batch_order=factories.ContractDefinitionFactory(),
+            product__quote_definition=factories.QuoteDefinitionFactory(),
+            product__price=0,
+        )
+        batch_order_1 = factories.BatchOrderFactory(
+            offering=offering_1,
+            organization=organization,
+            state=enums.BATCH_ORDER_STATE_TO_SIGN,
+        )
+        batch_order_2 = factories.BatchOrderFactory(
+            offering=offering_2,
+            organization=organization,
+            state=enums.BATCH_ORDER_STATE_TO_SIGN,
+        )
+
+        token = self.generate_token_from_user(user)
+
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            f"?from_batch_order=true&contract_ids={batch_order_1.contract.id}"
+            f"&offering_ids={offering_1.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+        self.assertStatusCodeEqual(response, HTTPStatus.OK)
+        self.assertIn(
+            "https://dummysignaturebackend.fr/?reference=",
+            content["invitation_link"],
+        )
+        self.assertCountEqual(
+            content["contract_ids"],
+            [str(batch_order_1.contract.id)],
+        )
+
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            f"?from_batch_order=true&contract_ids={batch_order_2.contract.id}"
+            f"&offering_ids={offering_2.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+        self.assertStatusCodeEqual(response, HTTPStatus.OK)
+        self.assertIn(
+            "https://dummysignaturebackend.fr/?reference=",
+            content["invitation_link"],
+        )
+        self.assertCountEqual(
+            content["contract_ids"],
+            [str(batch_order_2.contract.id)],
+        )
+
+        # Requesting a wrong pair of offering and contract available
+        response = self.client.get(
+            f"/api/v1.0/organizations/{organization.id}/contracts-signature-link/"
+            f"?from_batch_order=true&contract_ids={batch_order_1.contract.id}"
+            f"&offering_ids={offering_2.id}",
+            HTTP_AUTHORIZATION=f"Bearer {token}",
+        )
+
+        content = response.json()
+        self.assertStatusCodeEqual(response, HTTPStatus.BAD_REQUEST)
+        self.assertEqual(
+            response.json(),
+            {"detail": "Some contracts are not available for this organization."},
+        )