Fix permissioning and add 400 response

pennlabs · Nov 25, 2024 · df498d0 · df498d0
1 parent bf9aeea
commit df498d0
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/backend/clubs/permissions.py b/backend/clubs/permissions.py
@@ -225,7 +225,12 @@ def has_object_permission(self, request, view, obj):
 
             if not old_type == FAIR_TYPE and new_type == FAIR_TYPE:
                 return False
-        elif view.action in ["buyers", "create_tickets", "issue_tickets"]:
+        elif view.action in [
+            "buyers",
+            "create_tickets",
+            "issue_tickets",
+            "email_blast",
+        ]:
             if not request.user.is_authenticated:
                 return False
             membership = find_membership_helper(request.user, obj.club)

diff --git a/backend/clubs/views.py b/backend/clubs/views.py
@@ -3067,6 +3067,17 @@ def email_blast(self, request, *args, **kwargs):
                                     type: string
                                     description: A message indicating how many
                                         recipients received the blast
+            "400":
+                description: Content field was empty or missing
+                content:
+                    application/json:
+                        schema:
+                            type: object
+                            properties:
+                                detail:
+                                    type: string
+                                    description: Error message indicating content
+                                        was not provided
             "404":
                 description: Event not found
                 content:
@@ -3088,6 +3099,13 @@ def email_blast(self, request, *args, **kwargs):
         officer_emails = event.club.get_officer_emails()
         emails = list(holder_emails) + list(officer_emails)
 
+        content = request.data.get("content").strip()
+        if not content:
+            return Response(
+                {"detail": "Content must be specified"},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+
         send_mail_helper(
             name="blast",
             subject=f"Update on {event.name} from {event.club.name}",

diff --git a/backend/tests/clubs/test_ticketing.py b/backend/tests/clubs/test_ticketing.py
@@ -428,6 +428,15 @@ def test_email_blast(self):
         )
         self.assertIn("Test email blast content", email.body)
 
+    def test_email_blast_empty_content(self):
+        self.client.login(username=self.user1.username, password="test")
+        resp = self.client.post(
+            reverse("club-events-email-blast", args=(self.club1.code, self.event1.pk)),
+            {"content": ""},
+            format="json",
+        )
+        self.assertEqual(resp.status_code, 400, resp.content)
+
     def test_get_tickets_information_no_tickets(self):
         # Delete all the tickets
         Ticket.objects.all().delete()