From c26e14be6bc8a05c872dae51bbb4af1228696920 Mon Sep 17 00:00:00 2001
From: Alexis
Date: Mon, 26 Feb 2024 18:32:50 +0100
Subject: [PATCH] Fix error code 400 instead of 403 in api tests
---
backend/app_tests/api/test_utils.py | 29 +++++++++++++++--------------
backend/core/serializers.py | 3 ++-
2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/backend/app_tests/api/test_utils.py b/backend/app_tests/api/test_utils.py
index e81471256..045da3711 100644
--- a/backend/app_tests/api/test_utils.py
+++ b/backend/app_tests/api/test_utils.py
@@ -509,21 +509,22 @@ def create_object(
response.status_code == user_perm_expected_status
), f"{verbose_name} can be created without permission" if response.status_code == status.HTTP_201_CREATED else f"Creating {verbose_name.lower()} should give a status {user_perm_expected_status}"
- for key, value in build_params.items():
- if key == "attachment":
- # Asserts that the value file name is present in the JSON response
- assert (
- value.name.split("/")[-1].split(".")[0] in response.json()[key]
- ), f"{verbose_name} {key.replace('_', ' ')} returned by the API after object creation don't match the provided {key.replace('_', ' ')}"
- else:
- assert (
- response.json()[key] == value
- ), f"{verbose_name} {key.replace('_', ' ')} returned by the API after object creation don't match the provided {key.replace('_', ' ')}"
+ if not (fails or user_perm_fails):
+ for key, value in build_params.items():
+ if key == "attachment":
+ # Asserts that the value file name is present in the JSON response
+ assert (
+ value.name.split("/")[-1].split(".")[0] in response.json()[key]
+ ), f"{verbose_name} {key.replace('_', ' ')} returned by the API after object creation don't match the provided {key.replace('_', ' ')}"
+ else:
+ assert (
+ response.json()[key] == value
+ ), f"{verbose_name} {key.replace('_', ' ')} returned by the API after object creation don't match the provided {key.replace('_', ' ')}"
- # Checks that the object was created in the database
- assert (
- object.objects.filter(id=response.json()["id"]).exists()
- ), f"{verbose_name} created with the API are not saved in the database"
+ # Checks that the object was created in the database
+ assert (
+ object.objects.filter(id=response.json()["id"]).exists()
+ ), f"{verbose_name} created with the API are not saved in the database"
# Uses the API endpoint to assert that the created object is accessible
response = authenticated_client.get(url)
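Review bot: With the new `if not (fails or user_perm_fails):` guard, the expected-failure path checks only the status code; nothing asserts that a rejected create left the database untouched. For the permission cases that is the property that matters, since a handler that saves the row and then answers 403 would still pass. Consider recording the row count before the request (which is outside this hunk) and adding an `else:` branch with `assert object.objects.count() == count_before, f"{verbose_name} was saved despite status {response.status_code}"`, where `count_before` is a new local. Indentation is lost on this page, so the extent of the guarded block is inferred from the re-added lines; `fails` and `user_perm_fails` are presumably parameters of `create_object`, whose body starts and ends outside the hunk.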
diff --git a/backend/core/serializers.py b/backend/core/serializers.py
index 1c8c0e377..49a920cf6 100644
--- a/backend/core/serializers.py
+++ b/backend/core/serializers.py
@@ -5,6 +5,7 @@
from iam.models import *
from rest_framework import serializers
+from rest_framework.exceptions import PermissionDenied
from django.contrib.auth import get_user_model
from django.db import models
from core.serializer_fields import FieldsRelatedField
@@ -36,7 +37,7 @@ def create(self, validated_data: Any):
folder=folder,
)
if not can_create_in_folder:
- raise serializers.ValidationError(
+ raise PermissionDenied(
{
"folder": "You do not have permission to create objects in this folder"
}
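Review bot: The folder permission check that now raises `PermissionDenied` sits inside the serializer's `create()`, which DRF reaches only after validation has passed, so a caller without rights on the folder still gets field-level 400 responses for an invalid payload and sees the 403 only once the payload validates. If that ordering is intended it deserves a comment above the `if not can_create_in_folder:` line, e.g. `# Authorization runs after validation: a denied caller with an invalid payload gets 400, not 403`; otherwise the check belongs in the view's permission layer so it runs before any validation feedback is returned. `create()` starts and ends outside the hunk, and whether an update path applies the same check cannot be seen here.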