 def test_standard_user_cannot_change_their_own_role(self):
     """A standard user resubmitting their own record with an elevated RoleID must be refused.

     ``do_create`` is driven with the standard user as the acting user and a hash
     of that same user whose ``RoleID`` has been swapped for the admin role.  The
     call is expected to return ``False`` -- self-service privilege escalation.
     """
     from controllers.user import do_create
     acting = self.std_user
     own_record = User.query.filter_by(UserID=acting.UserID).first().to_hash()
     # Attempted escalation: same user, admin role.
     own_record['RoleID'] = self.admin.RoleID
     outcome = do_create(own_record, acting)
     # NOTE(review): only the return value is checked; the stored RoleID is not
     # re-read, so a handler that saves and then returns False would still pass.
     self.assertEqual(False, outcome, 'We expect no one to be able to edit their own role')
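 def test_super_admin_can_edit_roles(self):
     """A super admin may change another user's RoleID (here: promote a standard user to admin).

     Bug fixed: the original assertion was ``assertNotEquals(True, can_update)``,
     which passes both when ``do_create`` returns the updated user *and* when it
     returns ``False`` -- the test could never detect a broken super-admin path.
     It now follows the convention of the sibling tests
     (``assertNotEqual(False, ...)``) and additionally checks that the new role
     was actually applied to the returned record, not silently dropped.
     """
     from controllers.user import do_create
     to_edit_usr = User.query.filter_by(UserID=self.other_act_std_user.UserID).first()
     usr = to_edit_usr.to_hash()
     usr['RoleID'] = self.admin.RoleID
     running_user = User.query.filter_by(UserID=self.super_admin_usr.UserID).first()
     can_update = do_create(usr, running_user)
     self.assertNotEqual(False, can_update, 'We expect super admins to be able to edit users roles')
     # A returned record alone does not prove the role changed (compare the
     # password tests, where a save succeeds while the field is ignored).
     # Assumes User exposes RoleID as an attribute, as its to_hash() key suggests.
     self.assertEqual(self.admin.RoleID, can_update.RoleID, 'We expect the new role to be persisted on the edited user')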
 def test_admin_cannot_change_user_to_belong_to_their_account(self):
     """An account admin must not be able to pull a user from another account into their own.

     The target (``other_act_std_user``) belongs to a different account; its hash
     is resubmitted with ``AccountID`` rewritten to the acting admin's account.
     ``do_create`` is expected to refuse with ``False`` -- otherwise an admin
     could take over users across the account (tenant) boundary.
     """
     from controllers.user import do_create
     acting_admin = User.query.filter_by(UserID=self.admin_usr.UserID).first()
     foreign_user = User.query.filter_by(UserID=self.other_act_std_user.UserID).first()
     payload = foreign_user.to_hash()
     # Cross-account move: claim the foreign user for the admin's own account.
     payload['AccountID'] = self.admin_usr.AccountID
     outcome = do_create(payload, acting_admin)
     self.assertEqual(False, outcome, 'We expect admins to NOT be able to edit users belonging to a different account')
 def test_admin_can_edit_user_role_to_admin(self):
     """An account admin may promote a standard user of the same account to admin.

     The standard user's hash is resubmitted with ``RoleID`` set to the admin
     role, with ``admin_usr`` as the acting user.  ``do_create`` must not return
     ``False``.  Granting a role equal to one's own is allowed; granting a higher
     one is covered by the super-admin counterpart test.
     """
     from controllers.user import do_create
     acting_admin = User.query.filter_by(UserID=self.admin_usr.UserID).first()
     target = User.query.filter_by(UserID=self.std_user.UserID).first()
     payload = target.to_hash()
     payload['RoleID'] = self.admin.RoleID
     outcome = do_create(payload, acting_admin)
     self.assertNotEqual(False, outcome, 'We expect admins to be able to change a user to be an admin so long as they belong to the same Account')
 def test_admin_cannot_edit_user_role_to_super_admin(self):
     """An account admin must not be able to grant a role above their own (super admin).

     Same setup as the admin-promotion test, but ``RoleID`` is set to the
     super-admin role.  ``do_create`` must return ``False``: an admin may hand
     out at most their own privilege level.
     """
     from controllers.user import do_create
     acting_admin = User.query.filter_by(UserID=self.admin_usr.UserID).first()
     target = User.query.filter_by(UserID=self.std_user.UserID).first()
     payload = target.to_hash()
     # Escalation beyond the acting user's own level.
     payload['RoleID'] = self.super_admin.RoleID
     outcome = do_create(payload, acting_admin)
     self.assertEqual(False, outcome, 'We expect admins to not be able to give more permission than admin')
    def test_standard_user_cannot_create_other_users(self):
            """Creating a user is not a standard-user action; ``do_create`` must refuse.

            A new-user payload is derived from the standard user's own record by
            dropping ``UserID`` (so the call is a create, not an update) and
            changing the username to avoid a clash.  With that standard user as
            the acting user the result must be ``False``.
            """
            from controllers.user import do_create
            acting = User.query.filter_by(UserID=self.std_user.UserID).first()
            payload = acting.to_hash()
            # No UserID => create path.
            del payload['UserID']
            payload['username'] += 'd'

            outcome = do_create(payload, acting)
            self.assertEqual(False, outcome, 'We expect standard users to NOT be able to create a user')
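    def test_admin_user_can_create_other_users_of_same_account(self):
            """An account admin may create a new user (a clone of themselves) in their own account.

            The payload is the admin's own hash with ``UserID`` removed (create,
            not update) and a distinct username.  ``do_create`` must return the
            created user, which must carry a database-assigned ``UserID`` and
            sit in the acting admin's account.

            Fix: the failure message of the UserID assertion was copy-pasted from
            the password tests and did not describe this check; it now does.
            """
            from controllers.user import do_create
            to_copy_usr = User.query.filter_by(UserID=self.admin_usr.UserID).first()
            usr = to_copy_usr.to_hash()
            # No UserID => create path.
            del usr['UserID']
            usr['username'] = usr['username'] + 'd'

            can_update = do_create(usr, to_copy_usr)
            created_user = can_update
            self.assertNotEqual(False, can_update, 'We expect admin users to be able to create other users of the same type')
            # A UserID proves the row was actually persisted, not merely validated.
            self.assertIsNotNone(created_user.UserID, 'We expect the created user to have been persisted and assigned a UserID')
            # The new user must land in the admin's own account (test name's "same account").
            self.assertEqual(self.admin_usr.AccountID, created_user.AccountID, 'We expect the created user to belong to the creating admin\'s account')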
    def test_user_can_edit_their_password(self):
            """A user acting on their own record may change their password.

            The stored ``password`` value is captured before the save and
            compared afterwards: ``do_create`` must return the saved user (not
            ``False``) and the stored value must differ.  Whether ``password``
            holds a hash or plaintext is not visible here -- either way it must
            have changed.
            """
            from controllers.user import do_create
            target_id = self.other_act_std_user.UserID
            before = User.query.filter_by(UserID=target_id).first()
            previous_password = before.password
            payload = before.to_hash()

            payload['password'] = '******'
            # Acting user is the same person, loaded separately.
            acting = User.query.filter_by(UserID=target_id).first()
            saved = do_create(payload, acting)
            self.assertNotEqual(False, saved, 'We expect users to be able to change their own passwords')
            self.assertNotEqual(saved.password, previous_password, 'We do not expect anyone to be able to edit your password besides you')
    def test_other_users_cannot_edit_passwords_of_others(self):
            """Nobody -- not even a super admin -- may change another user's password.

            The highest privilege level (``super_admin_usr``) acts on
            ``other_act_std_user`` with a new password in the payload.  The save
            is expected to go through (``do_create`` returns the user), but the
            stored password must be untouched: the field is ignored rather than
            the whole request rejected.

            NOTE(review): silently dropping the field means a caller gets no
            signal that part of their update was discarded; that is the
            documented contract here, so the test pins it.
            """
            from controllers.user import do_create
            victim = User.query.filter_by(UserID=self.other_act_std_user.UserID).first()
            untouched_password = victim.password
            payload = victim.to_hash()

            payload['password'] = '******'
            super_admin = User.query.filter_by(UserID=self.super_admin_usr.UserID).first()
            saved = do_create(payload, super_admin)
            self.assertNotEqual(False, saved, 'We expect the save to happen still, but with no effect on the password')
            self.assertEqual(saved.password, untouched_password, 'We do not expect anyone to be able to edit your password besides you')