@Test
 public void deleteEmployeeNotAllowed() throws Exception {
   TravelExpenseReport travelExpenseReport = dataOnDemand.getRandomObject();
   assertThat(
       removeUrl(
           supervisorSession(),
           "/travelExpenseReports/" + travelExpenseReport.getId() + "/employee"),
       isForbidden());
 }
 @Test
 public void travelExpensesAllowedForSelf() throws Exception {
   TravelExpenseReport travelExpenseReport = dataOnDemand.getRandomObject();
   assertThat(
       oneUrl(
           employeeSession(travelExpenseReport.getEmployee().getId()),
           "/travelExpenseReports/" + travelExpenseReport.getId() + "/expenses"),
       isAccessible());
 }
 @Test
 public void deleteForbiddenForOwnerIfSubmitted() throws Exception {
   TravelExpenseReport travelExpenseReport = dataOnDemand.getRandomObject();
   travelExpenseReport.setStatus(TravelExpenseReportStatus.SUBMITTED);
   repository.save(travelExpenseReport);
   assertThat(
       removeUrl(
           employeeSession(travelExpenseReport.getEmployee().getId()),
           "/travelExpenseReports/" + travelExpenseReport.getId()),
       isForbidden());
 }
 @Test
 public void deleteForbiddenForOtherEvenIfPending() throws Exception {
   TravelExpenseReport travelExpenseReport = dataOnDemand.getRandomObject();
   travelExpenseReport.setStatus(TravelExpenseReportStatus.PENDING);
   repository.save(travelExpenseReport);
   assertThat(
       removeUrl(
           employeeSession(travelExpenseReport.getEmployee().getId() + 1),
           "/travelExpenseReports/" + travelExpenseReport.getId()),
       isForbidden());
 }
  @Override
  protected String getJsonRepresentation(TravelExpenseReport travelExpenseReport) {
    StringWriter writer = new StringWriter();
    JsonGenerator jg = jsonGeneratorFactory.createGenerator(writer);
    SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
    jg.writeStartObject()
        .write("status", travelExpenseReport.getStatus().toString())
        .write("employee", "/employees/" + travelExpenseReport.getEmployee().getId())
        .write("debitor", "/companies/" + travelExpenseReport.getDebitor().getId());

    if (travelExpenseReport.getSubmissionDate() != null) {
      jg.write("submissionDate", sdf.format(travelExpenseReport.getSubmissionDate()));
    }
    if (travelExpenseReport.getProject() != null) {
      jg.write("project", "/projects/" + travelExpenseReport.getProject().getId());
    }
    if (travelExpenseReport.getId() != null) {
      jg.write("id", travelExpenseReport.getId());
    }
    jg.writeEnd().close();
    return writer.toString();
  }
  @Test
  public void approveNotAllowedForOwningSupervisor() throws Exception {
    TravelExpenseReport travelExpenseReport = dataOnDemand.getRandomObject();
    travelExpenseReport.setStatus(TravelExpenseReportStatus.SUBMITTED);
    repository.save(travelExpenseReport);
    mockMvc
        .perform(
            put("/travelExpenseReports/" + travelExpenseReport.getId() + "/approve")
                .session(supervisorSession(travelExpenseReport.getEmployee().getId())))
        .andExpect(status().isForbidden());

    SecurityContextHolder.getContext().setAuthentication(AuthorityMocks.adminAuthentication());
    TravelExpenseReport one = repository.findOne(travelExpenseReport.getId());
    assertThat(one.getStatus(), is(TravelExpenseReportStatus.SUBMITTED));
  }