"""
Comprehensive unit tests for AI analysis reporting API endpoints.
Tests cover:
- Report submission endpoints for BaZi, Number, LiuYao
- Authentication and authorization
- Input validation and error handling
- Edge cases and security scenarios
"""
import json
from django.test import TestCase, Client
from django.contrib.auth import get_user_model
from django.urls import reverse
from django.utils import timezone
from datetime import date, time
from rest_framework.test import APITestCase, APIClient
from rest_framework import status
from rest_framework_simplejwt.tokens import RefreshToken
from bazi.models import Person
from liuyao.models import liuyao
from unittest.mock import patch, MagicMock
User = get_user_model()
class ReportAPIAuthenticationTests(APITestCase):
"""Test authentication and authorization for report endpoints"""
def setUp(self):
"""Set up test data"""
# Add admin for report notifications
from tests.test_utils import create_admin_with_report_permissions
self.admin = create_admin_with_report_permissions()
self.user = User.objects.create_user(
phone='13800138000',
email='test@example.com',
first_name='Test',
last_name='User'
)
self.other_user = User.objects.create_user(
phone='13800138001',
email='other@example.com',
first_name='Other',
last_name='User'
)
self.person = Person.objects.create(
name='Test Person',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'bazi_analysis': 'Test content'}
)
self.liuyao_entry = liuyao.objects.create(
question='Test Question',
user=self.user,
qdate=timezone.now(),
y1='1', y2='0', y3='1', y4='0', y5='1', y6='0',
analysis_status='completed',
ai_analysis={'response': 'Test LiuYao content'}
)
def test_report_bazi_without_authentication(self):
"""Test BaZi report endpoint without authentication"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {'category': 'inappropriate_content', 'message': 'Test report'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_report_liuyao_without_authentication(self):
"""Test LiuYao report endpoint without authentication"""
url = reverse('api:liuyao_report', kwargs={'pk': self.liuyao_entry.id})
data = {'category': 'inaccurate_analysis', 'message': 'Test report'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_report_number_without_authentication(self):
"""Test Number report endpoint without authentication"""
url = reverse('api:number_report', kwargs={'pk': self.person.id})
data = {'category': 'technical_error', 'message': 'Test report'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_report_other_users_bazi(self):
"""Test that user cannot report other user's BaZi analysis"""
self.client.force_authenticate(user=self.other_user)
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {'category': 'inappropriate_content', 'message': 'Test report'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn('not found', response.data['error'].lower())
def test_report_other_users_liuyao(self):
"""Test that user cannot report other user's LiuYao analysis"""
self.client.force_authenticate(user=self.other_user)
url = reverse('api:liuyao_report', kwargs={'pk': self.liuyao_entry.id})
data = {'category': 'inappropriate_content', 'message': 'Test report'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn('not found', response.data['error'].lower())
def test_valid_jwt_authentication(self):
"""Test valid JWT token authentication works"""
refresh = RefreshToken.for_user(self.user)
access_token = str(refresh.access_token)
self.client.credentials(HTTP_AUTHORIZATION=f'Bearer {access_token}')
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {'category': 'inappropriate_content', 'message': 'Test report'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
class BaZiReportAPITests(APITestCase):
"""Test BaZi analysis reporting API endpoint"""
def setUp(self):
"""Set up test data"""
# Add admin for report notifications
from tests.test_utils import create_admin_with_report_permissions
self.admin = create_admin_with_report_permissions()
self.user = User.objects.create_user(
phone='13800138000',
email='test@example.com',
first_name='Test',
last_name='User'
)
self.person = Person.objects.create(
name='Test Person',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'bazi_analysis': 'Test BaZi analysis content'},
number_analysis_status='completed',
number_ai_analysis={'number_analysis': 'Test number content'}
)
self.client.force_authenticate(user=self.user)
@patch('api.utils.send_admin_report_notification')
def test_report_bazi_success(self, mock_email):
"""Test successful BaZi analysis reporting"""
mock_email.return_value = True
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {
'category': 'inappropriate_content',
'message': 'This analysis contains inappropriate content'
}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertEqual(response.data['success'], True)
self.assertIn('successfully', response.data['message'])
# Verify database changes
self.person.refresh_from_db()
self.assertTrue(self.person.bazi_analysis_reported)
self.assertEqual(self.person.bazi_report_category, 'inappropriate_content')
self.assertEqual(self.person.bazi_report_message, 'This analysis contains inappropriate content')
self.assertEqual(self.person.bazi_report_status, 'pending')
# Verify email was sent
mock_email.assert_called_once()
def test_report_bazi_missing_category(self):
"""Test BaZi reporting with missing required category"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {'message': 'Missing category'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def test_report_bazi_invalid_category(self):
"""Test BaZi reporting with invalid category"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {
'category': 'invalid_category',
'message': 'Invalid category test'
}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def test_report_bazi_empty_message(self):
"""Test BaZi reporting with empty message (should be allowed)"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {'category': 'technical_error', 'message': ''}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.person.refresh_from_db()
self.assertEqual(self.person.bazi_report_message, '')
def test_report_bazi_long_message(self):
"""Test BaZi reporting with very long message"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
long_message = 'A' * 1500 # Longer than max_length
data = {
'category': 'other',
'message': long_message
}
response = self.client.post(url, data, format='json')
# Should either succeed with truncation or fail with validation error
self.assertIn(response.status_code, [status.HTTP_201_CREATED, status.HTTP_400_BAD_REQUEST])
def test_report_bazi_not_completed(self):
"""Test reporting BaZi analysis that is not completed"""
self.person.analysis_status = 'pending'
self.person.save()
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {'category': 'inappropriate_content', 'message': 'Test'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn('cannot be reported', response.data['error'])
def test_report_bazi_already_reported(self):
"""Test reporting BaZi analysis that is already reported"""
self.person.bazi_analysis_reported = True
self.person.save()
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
data = {'category': 'inappropriate_content', 'message': 'Test'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn('cannot be reported', response.data['error'])
def test_report_bazi_nonexistent_person(self):
"""Test reporting nonexistent person"""
url = reverse('api:bazi_report', kwargs={'pk': 99999})
data = {'category': 'inappropriate_content', 'message': 'Test'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn('not found', response.data['error'])
def test_report_number_success(self):
"""Test successful Number analysis reporting"""
url = reverse('api:number_report', kwargs={'pk': self.person.id})
data = {
'category': 'inaccurate_analysis',
'message': 'Number analysis is incorrect'
}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
# Verify database changes
self.person.refresh_from_db()
self.assertTrue(self.person.number_analysis_reported)
self.assertEqual(self.person.number_report_category, 'inaccurate_analysis')
self.assertEqual(self.person.number_report_message, 'Number analysis is incorrect')
def test_report_number_no_analysis(self):
"""Test reporting Number analysis when no analysis exists"""
self.person.number_ai_analysis = None
self.person.save()
url = reverse('api:number_report', kwargs={'pk': self.person.id})
data = {'category': 'technical_error', 'message': 'No analysis'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
class LiuYaoReportAPITests(APITestCase):
"""Test LiuYao analysis reporting API endpoint"""
def setUp(self):
"""Set up test data"""
# Add admin for report notifications
from tests.test_utils import create_admin_with_report_permissions
self.admin = create_admin_with_report_permissions()
self.user = User.objects.create_user(
phone='13800138000',
email='test@example.com',
first_name='Test',
last_name='User'
)
self.liuyao_entry = liuyao.objects.create(
question='Test divination question',
user=self.user,
qdate=timezone.now(),
y1='1', y2='0', y3='1', y4='0', y5='1', y6='0',
analysis_status='completed',
ai_analysis={'response': 'Test LiuYao analysis content'}
)
self.client.force_authenticate(user=self.user)
@patch('api.utils.send_admin_report_notification')
def test_report_liuyao_success(self, mock_email):
"""Test successful LiuYao analysis reporting"""
mock_email.return_value = True
url = reverse('api:liuyao_report', kwargs={'pk': self.liuyao_entry.id})
data = {
'category': 'inaccurate_analysis',
'message': 'The hexagram interpretation is wrong'
}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertEqual(response.data['success'], True)
# Verify database changes
self.liuyao_entry.refresh_from_db()
self.assertTrue(self.liuyao_entry.analysis_reported)
self.assertEqual(self.liuyao_entry.report_category, 'inaccurate_analysis')
self.assertEqual(self.liuyao_entry.report_message, 'The hexagram interpretation is wrong')
self.assertEqual(self.liuyao_entry.report_status, 'pending')
# Verify email was sent
mock_email.assert_called_once()
def test_report_liuyao_with_unicode(self):
"""Test LiuYao reporting with Unicode characters"""
url = reverse('api:liuyao_report', kwargs={'pk': self.liuyao_entry.id})
data = {
'category': 'other',
'message': '这个分析包含中文字符和emoji 🔮'
}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.liuyao_entry.refresh_from_db()
self.assertEqual(self.liuyao_entry.report_message, '这个分析包含中文字符和emoji 🔮')
def test_report_liuyao_all_categories(self):
"""Test reporting LiuYao with all valid categories"""
categories = ['inappropriate_content', 'inaccurate_analysis',
'offensive_language', 'technical_error', 'other']
for i, category in enumerate(categories):
# Create new LiuYao entry for each category test
entry = liuyao.objects.create(
question=f'Test question {i}',
user=self.user,
qdate=timezone.now(),
y1='1', y2='0', y3='1', y4='0', y5='1', y6='0',
analysis_status='completed',
ai_analysis={'response': f'Test content {i}'}
)
url = reverse('api:liuyao_report', kwargs={'pk': entry.id})
data = {
'category': category,
'message': f'Test message for {category}'
}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
entry.refresh_from_db()
self.assertEqual(entry.report_category, category)
def test_report_liuyao_guest_user(self):
"""Test reporting LiuYao analysis created by guest user"""
guest_entry = liuyao.objects.create(
question='Guest question',
user=None, # Guest user
qdate=timezone.now(),
y1='1', y2='0', y3='1', y4='0', y5='1', y6='0',
analysis_status='completed',
ai_analysis={'response': 'Guest analysis'}
)
url = reverse('api:liuyao_report', kwargs={'pk': guest_entry.id})
data = {'category': 'technical_error', 'message': 'Guest report'}
response = self.client.post(url, data, format='json')
# Should fail because user doesn't own this entry
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
class ReportAPIEdgeCaseTests(APITestCase):
"""Test edge cases and security scenarios for report APIs"""
def setUp(self):
"""Set up test data"""
# Add admin for report notifications
from tests.test_utils import create_admin_with_report_permissions
self.admin = create_admin_with_report_permissions()
self.user = User.objects.create_user(
phone='13800138000',
email='test@example.com'
)
self.client.force_authenticate(user=self.user)
def test_report_with_malformed_json(self):
"""Test reporting with malformed JSON data"""
person = Person.objects.create(
name='Test Person',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
# Send malformed JSON
response = self.client.post(
url,
'{"category": "inappropriate_content", "message": "test"', # Missing closing brace
content_type='application/json'
)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def test_report_with_sql_injection_attempt(self):
"""Test reporting with SQL injection attempt in message"""
person = Person.objects.create(
name='Test Person',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
data = {
'category': 'other',
'message': "'; DROP TABLE bazi_person; --"
}
response = self.client.post(url, data, format='json')
# Should succeed (Django ORM protects against SQL injection)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
# Verify the malicious content is stored safely
person.refresh_from_db()
self.assertEqual(person.bazi_report_message, "'; DROP TABLE bazi_person; --")
def test_report_with_xss_attempt(self):
"""Test reporting with XSS attempt in message"""
person = Person.objects.create(
name='Test Person',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
data = {
'category': 'other',
'message': ''
}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
# Content should be stored as-is (XSS protection happens at display time)
person.refresh_from_db()
self.assertEqual(person.bazi_report_message, '')
def test_report_concurrent_requests(self):
"""Test handling of concurrent report requests"""
person = Person.objects.create(
name='Concurrent Test',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
data = {'category': 'inappropriate_content', 'message': 'First report'}
# First request should succeed
response1 = self.client.post(url, data, format='json')
self.assertEqual(response1.status_code, status.HTTP_201_CREATED)
# Second request should fail (already reported)
data['message'] = 'Second report'
response2 = self.client.post(url, data, format='json')
self.assertEqual(response2.status_code, status.HTTP_400_BAD_REQUEST)
def test_report_with_missing_analysis_data(self):
"""Test reporting analysis with missing or corrupt data"""
person = Person.objects.create(
name='Missing Data Test',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={} # Empty analysis data
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
data = {'category': 'technical_error', 'message': 'Missing data'}
# Should be rejected - API validates that analysis exists and is not empty
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
@patch('api.utils.send_admin_report_notification')
def test_report_email_failure_handling(self, mock_email):
"""Test handling when email notification fails"""
mock_email.return_value = False # Email function returns False on failure
person = Person.objects.create(
name='Email Failure Test',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
data = {'category': 'inappropriate_content', 'message': 'Email test'}
# Should still succeed even if email fails
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
# Report should still be saved despite email failure
person.refresh_from_db()
self.assertTrue(person.bazi_analysis_reported)
def test_report_rate_limiting_simulation(self):
"""Test multiple rapid report attempts (simulates rate limiting scenario)"""
# Create multiple analyses to report
persons = []
for i in range(5):
person = Person.objects.create(
name=f'Rate Limit Test {i}',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': f'data {i}'}
)
persons.append(person)
# Try to report all of them rapidly
for i, person in enumerate(persons):
url = reverse('api:bazi_report', kwargs={'pk': person.id})
data = {'category': 'other', 'message': f'Rapid report {i}'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
def test_invalid_http_methods(self):
"""Test invalid HTTP methods on report endpoints"""
person = Person.objects.create(
name='Method Test',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
# Test GET (should not be allowed)
response = self.client.get(url)
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
# Test PUT (should not be allowed)
response = self.client.put(url, {'category': 'other'}, format='json')
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
# Test DELETE (should not be allowed)
response = self.client.delete(url)
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
class ReportAPISerializerTests(APITestCase):
"""Test serializer validation and edge cases"""
def setUp(self):
"""Set up test data"""
# Add admin for report notifications
from tests.test_utils import create_admin_with_report_permissions
self.admin = create_admin_with_report_permissions()
self.user = User.objects.create_user(
phone='13800138000',
email='test@example.com'
)
self.person = Person.objects.create(
name='Serializer Test',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
self.client.force_authenticate(user=self.user)
def test_category_validation_boundary_values(self):
"""Test category validation with boundary values"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
# Test with exact valid values
valid_categories = [
'inappropriate_content', 'inaccurate_analysis',
'offensive_language', 'technical_error', 'other'
]
for category in valid_categories:
person = Person.objects.create(
name=f'Test {category}',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url = reverse('api:bazi_report', kwargs={'pk': person.id})
data = {'category': category, 'message': 'Valid category test'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
def test_message_length_validation(self):
"""Test message length validation boundaries"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
# Test with exactly 1000 characters (should be allowed)
message_1000 = 'A' * 1000
data = {'category': 'other', 'message': message_1000}
response = self.client.post(url, data, format='json')
# Should succeed or fail gracefully based on model validation
self.assertIn(response.status_code, [status.HTTP_201_CREATED, status.HTTP_400_BAD_REQUEST])
# Test with 1001 characters (might be rejected)
person2 = Person.objects.create(
name='Test 1001',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url2 = reverse('api:bazi_report', kwargs={'pk': person2.id})
message_1001 = 'A' * 1001
data = {'category': 'other', 'message': message_1001}
response = self.client.post(url2, data, format='json')
# Should handle gracefully (either truncate or reject)
self.assertIn(response.status_code, [status.HTTP_201_CREATED, status.HTTP_400_BAD_REQUEST])
def test_optional_message_field(self):
"""Test that message field is truly optional"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
# Test without message field entirely
data = {'category': 'technical_error'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.person.refresh_from_db()
self.assertEqual(self.person.bazi_report_message, '')
def test_category_case_sensitivity(self):
"""Test category validation case sensitivity"""
url = reverse('api:bazi_report', kwargs={'pk': self.person.id})
# Test with uppercase (should fail)
data = {'category': 'INAPPROPRIATE_CONTENT', 'message': 'Case test'}
response = self.client.post(url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
# Test with mixed case (should fail)
person2 = Person.objects.create(
name='Case Test 2',
birth_date=date(1990, 1, 1),
created_by=self.user,
analysis_status='completed',
ai_analysis={'test': 'data'}
)
url2 = reverse('api:bazi_report', kwargs={'pk': person2.id})
data = {'category': 'Inappropriate_Content', 'message': 'Mixed case test'}
response = self.client.post(url2, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)