def setUp(self):
        """Create the two fixture accounts every test in this case relies on.

        ``self.user`` is an ordinary (non-admin) account and ``self.admin``
        an administrator.  Both are saved with a hashed password so the
        login helpers can authenticate them; the email placeholder is
        whatever the listing carries.
        """
        super(BasicUsersTestCase, self).setUp()

        # Ordinary, non-admin account.
        ordinary = User(loginname=USERNAME,
                        emailaddress='*****@*****.**',
                        is_admin=False)
        ordinary.set_password(USERPASS)
        ordinary.save()
        self.user = ordinary

        # Administrator account.
        administrator = User(loginname=ADMINNAME,
                             emailaddress='*****@*****.**',
                             is_admin=True)
        administrator.set_password(ADMINPASS)
        administrator.save()
        self.admin = administrator
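def posts():
    ''' (HTML) list of ALL posts. (also deletes broken posts, if error)

        Admins see every post; everyone else -- including anonymous
        visitors, who get a blank ``User()`` -- only sees posts whose
        ``status`` is 0.

        If rendering raises ``Feed.DoesNotExist`` the database holds
        posts whose feed row is gone.  Those orphans are deleted, a
        flash is set, and the list is rendered again (unguarded the
        second time).
    '''

    try:
        user = user_session.get_user()
    except user_session.NotLoggedIn:
        user = User()

    try:
        return _render_posts(user)
    except Feed.DoesNotExist:
        # Database inconsistency: a post points at a feed that no longer
        # exists.  Remove the orphans so the page can render.
        # NOTE(review): this is a write performed on a plain GET and it is
        # reachable by anonymous visitors.  It only removes rows no feed
        # owns, but keep that in mind if the cleanup ever grows.
        orphans = Post.raw('select post.id from post'
                           ' left join feed on feed.id = post.feed_id'
                           ' where feed.id is null;')
        for orphan in orphans:
            orphan.delete_instance()
        flash('Cleaned up old posts...')

    return _render_posts(user)


def _render_posts(user):
    ''' Render posts.html with the posts ``user`` is allowed to see.

        Admins get the unfiltered ``Post.select()``; everyone else only
        posts with ``status == 0``.
    '''
    query = Post.select()
    if not user.is_admin:
        query = query.where(Post.status == 0)
    return render_template('posts.html', posts=query, user=user)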
    def test_one_user_group_write_and_publish(self):
        """Write and Publish granted to a group reach the group's members.

        Before the grants the feed has no authors, publishers or groups
        and the member can neither write nor publish.  After both grants
        (and a re-load of the feed) the group appears in the two group
        lists, the per-user lists stay empty, and the member has both
        rights through the group.
        """
        feed = Feed(name='123')
        feed.save()

        member = User(passwordhash='123')
        member.save()

        group = Group(name='usergroup')
        group.save()
        group.set_users([member.id])

        # Nothing has been granted yet.
        for listing in (feed.authors(), feed.publishers(),
                        feed.author_groups(), feed.publisher_groups()):
            self.assertEqual(listing, [])
        self.assertFalse(feed.user_can_write(member))
        self.assertFalse(feed.user_can_publish(member))

        feed.grant('Write', group=group)
        feed.grant('Publish', group=group)

        # Re-load so the assertions see what was actually persisted.
        feed = Feed.get(id=feed.id)

        self.assertEqual(feed.authors(), [])
        self.assertEqual(feed.publishers(), [])
        self.assertEqual(feed.author_groups(), [group])
        self.assertEqual(feed.publisher_groups(), [group])

        self.assertTrue(feed.user_can_write(member))
        self.assertTrue(feed.user_can_publish(member))
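    def test_one_user_group_read_only(self):
        """A Read grant to the user's group gives no write/publish rights.

        Mirrors test_one_user_group_write_and_publish but grants only
        'Read': the feed's author/publisher lists (users and groups)
        stay empty and the member still cannot write or publish.
        """
        f = Feed(name='123')
        f.save()

        u = User(passwordhash='123')
        u.save()

        g = Group(name='usergroup')
        # Save the group before attaching members, as the sibling tests
        # do -- the membership rows presumably need the group's primary
        # key, which an unsaved Group() does not have yet.
        g.save()
        g.set_users([u.id])

        self.assertEqual(f.authors(), [])
        self.assertEqual(f.publishers(), [])
        self.assertEqual(f.author_groups(), [])
        self.assertEqual(f.publisher_groups(), [])

        self.assertFalse(f.user_can_write(u))
        self.assertFalse(f.user_can_publish(u))

        f.grant('Read', group=g)

        # Read is neither Write nor Publish: nothing should change.
        self.assertEqual(f.authors(), [])
        self.assertEqual(f.publishers(), [])
        self.assertEqual(f.author_groups(), [])
        self.assertEqual(f.publisher_groups(), [])

        self.assertFalse(f.user_can_write(u))
        self.assertFalse(f.user_can_publish(u))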
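    def test_cannot_change_other_users_password_even_with_their_currpass(self):
        """A non-admin may not change another user's password, even when
        the request carries the target's current password.

        Expects a 403 whose body contains "Permission Denied", and an
        unchanged passwordhash for the target in the database.
        """

        user2 = User(loginname="user2",
                     emailaddress='*****@*****.**',
                     is_admin=False)
        user2.set_password("userpass2")
        user2.save()

        self.login(USERNAME, USERPASS)

        with self.ctx():
            resp = self.client.post(url_for('user_edit', userid=user2.id),
                                    data={
                                        "action": "update",
                                        "newpass": "******",
                                        "conf_newpass": "******",
                                        "currpass": "******"
                                    },
                                    follow_redirects=True)

        self.assertIn("Permission Denied", resp.data)
        # assertEqual, not the deprecated assertEquals alias (gone in
        # Python 3.12); the rest of the file already uses assertEqual.
        self.assertEqual(resp.status_code, 403)

        # Re-read from the database: the stored hash must be untouched.
        usernow = User.get(id=user2.id)
        self.assertEqual(usernow.passwordhash, user2.passwordhash)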
    def setUp(self):
        """Add a second ordinary user ('user2') on top of the base fixtures.

        The account shares USERPASS with the primary test user so the
        login helper works for either of them.
        """
        super(DeletingUsers, self).setUp()

        second = User(loginname='user2',
                      emailaddress='*****@*****.**',
                      is_admin=False)
        second.set_password(USERPASS)
        second.save()
        self.user2 = second
    def test_user_with_no_perms(self):
        """A user with no grants has no writeable feeds, even though a feed exists."""
        member = User(passwordhash='123')
        feed = Feed()

        member.save()
        feed.save()

        self.assertEqual(member.writeable_feeds(), [])
    def test_user_with_one_feed(self):
        """A direct Write grant makes exactly that feed writeable."""
        member = User(passwordhash='123')
        feed = Feed()

        member.save()
        feed.save()

        feed.grant('Write', user=member)

        self.assertEqual(member.writeable_feeds(), [feed])
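def feedpage(feedid):
    ''' the back end settings for one feed.

        GET renders the settings form for feed ``feedid``; anonymous
        visitors get a blank ``User()`` as ``user``.

        POST requires a logged-in admin and reads an ``action`` field:
          edit   - update name, post_types, authors/publishers and the
                   author/publisher groups from the form, then save.
          delete - delete every post in the feed (running each post
                   type's delete callback), then the feed itself, and
                   redirect to the feed list.

        An unknown feed id flashes a message and redirects to the feed
        list.

        NOTE(review): no CSRF token is checked here.  Confirm the app
        enables CSRF protection globally; otherwise 'delete' is reachable
        by a forged cross-site POST from a logged-in admin's browser.
    '''

    try:
        feed = Feed.get(id=feedid)
    except Exception:
        # Feed.DoesNotExist is the expected case; kept broad (but no
        # longer a bare except, which would also swallow SystemExit /
        # KeyboardInterrupt) so a malformed id is reported, not raised.
        flash('invalid feed id! (' + str(feedid) + ')')
        return redirect(url_for('feeds'))

    try:
        user = user_session.get_user()
    except user_session.NotLoggedIn:
        user = User()

    if request.method == 'POST':
        if not user_session.logged_in():
            flash("You're not logged in!")
            return redirect(url_for('feeds'))

        if not user.is_admin:
            flash('Sorry! Only Admins can change these details.')
            # Do not bounce to request.referrer: the Referer header is
            # client-controlled, which makes that an open redirect.  Send
            # the user to the feed list, like the not-logged-in case.
            return redirect(url_for('feeds'))

        action = request.form.get('action', 'none')

        if action == 'edit':
            _edit_feed(feed, request.form)
            flash('Saved')
        elif action == 'delete':
            _delete_feed(feed)
            flash('Deleted')
            return redirect(url_for('feeds'))

    return render_template('feed.html',
                           feed=feed,
                           user=user,
                           all_posttypes=post_types.types(),
                           allusers=User.select(),
                           allgroups=Group.select()
                          )


def _edit_feed(feed, form):
    ''' Apply the 'edit' form fields to ``feed`` and save it.

        ``title`` replaces the name (stripped; unchanged if absent),
        ``post_types`` is joined with ', ', and the four id lists are
        resolved with by_id() before being set on the feed.
    '''
    feed.name = form.get('title', feed.name).strip()

    inlist = form.getlist

    feed.post_types = ', '.join(inlist('post_types'))

    feed.set_authors(by_id(User, inlist('authors')))
    feed.set_publishers(by_id(User, inlist('publishers')))
    feed.set_author_groups(by_id(Group, inlist('author_groups')))
    feed.set_publisher_groups(by_id(Group, inlist('publisher_groups')))

    feed.save()


def _delete_feed(feed):
    ''' Delete every post in ``feed`` (via its post type's callback), then the feed. '''
    for post in feed.posts:
        post_type_module = post_types.load(post.type)
        delete_post_and_run_callback(post, post_type_module)

    feed.delete_instance(True, True)  # cascade/recursive delete.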
def index():
    ''' main front page / dashboard / index.

        Gathers everything dashboard.html shows: the screen aliases from
        config (each resolved to its Screen, or None), all feeds, the
        feeds the current user may publish to, that user's 15 most recent
        posts, and the unpublished posts waiting in feeds the user can
        publish.  Anonymous visitors are given a blank User().
    '''
    try:
        user = user_session.get_user()
    except user_session.NotLoggedIn:
        user = User()

    # get_user() may also hand back something falsy; normalise that too.
    user = user or User()

    publishable_feeds = user.publishable_feeds()

    # Unpublished posts in any feed this user is allowed to publish.
    posts_to_publish = Post.select().where(
        (Post.published == False) &
        (Post.feed << publishable_feeds))

    screens = Screen.select()
    aliases = config_var('screens.aliases', [])

    # Resolve each alias to the first screen with that urlname
    # (None when nothing matches).
    for alias in aliases:
        alias['screen'] = next(
            (screen for screen in screens
             if screen.urlname == alias['screen_name']),
            None)

    recent_posts = Post.select() \
                       .where(Post.author == user) \
                       .order_by(Post.write_date.desc()) \
                       .limit(15)

    return render_template('dashboard.html',
                           aliases=aliases,
                           feeds=Feed.select(),
                           publishable_feeds=publishable_feeds,
                           posts=recent_posts,
                           posts_to_publish=posts_to_publish,
                           screens=screens,
                           user=user)
    def test_normal_user_cannot_set_other_to_admin(self):
        """A non-admin's attempt to promote another user is refused with
        403 and leaves the target's is_admin flag untouched."""
        target = User(loginname="user2",
                      emailaddress='*****@*****.**',
                      is_admin=False)
        target.set_password("userpass2")
        target.save()

        self.login(USERNAME, USERPASS)
        resp = self.post_update_request(userid=target.id, is_admin=True)
        self.assertEqual(resp.status_code, 403)

        # Re-read from the database rather than trusting the local copy.
        self.assertEqual(User.get(id=target.id).is_admin, False)
    def test_user_with_one_feed_via_group(self):
        """A Write grant to a group makes the feed writeable for its members."""
        member = User(passwordhash='123')
        group = Group(name='group_with_a_name')
        feed = Feed()

        member.save()
        feed.save()
        group.save()

        group.set_users([member.id])
        feed.grant('Write', group=group)

        self.assertEqual(member.writeable_feeds(), [feed])
    def test_one_user_publish(self):
        """A direct Publish grant lists the user as a publisher only."""
        feed = Feed(name='123')
        feed.save()

        publisher = User(passwordhash='123')
        publisher.save()

        feed.grant('Publish', user=publisher)

        self.assertEqual(feed.authors(), [])
        self.assertEqual(feed.publishers(), [publisher])
        self.assertEqual(feed.author_groups(), [])
        self.assertEqual(feed.publisher_groups(), [])

        # Publish does not imply Write.
        self.assertFalse(feed.user_can_write(publisher))
        self.assertTrue(feed.user_can_publish(publisher))
    def test_cannot_have_matching_usernames(self):
        """Creating a user whose loginname already exists is refused.

        'user2' is created directly, then an admin tries to create a user
        through the web form via post_create_request (the loginname that
        helper sends is presumably 'user2' -- see the helper).  The
        response must mention "Username already exists" and the existing
        account's password hash must be unchanged afterwards.
        """
        existing = User(loginname='user2',
                        emailaddress='*****@*****.**',
                        is_admin=False)
        existing.set_password(USERPASS)
        existing.save()

        # A successful get proves the account really is in the database.
        before = User.get(loginname="user2")
        self.assertEqual(existing.id, before.id)

        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_create_request(currpass=ADMINPASS,
                                        newpass='******',
                                        conf_newpass='******')
        self.assertIn("Username already exists", resp.data)

        # Neither deleted nor re-passworded.
        after = User.get(loginname="user2")
        self.assertEqual(before.passwordhash, after.passwordhash)
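def feeds():
    ''' the back end list of feeds.

        GET renders the feed list; anonymous visitors get a blank
        ``User()``.  POST with ``action`` 'create' (the default) creates
        a feed named by the stripped ``title`` field; an empty title is
        refused with a flash.

        Creating a feed is treated as an admin action, the same policy
        feedpage() applies to editing and deleting one: the POST must
        come from a logged-in admin, otherwise it is refused with a
        flash and a redirect back to this page.
    '''

    try:
        user = user_session.get_user()
    except user_session.NotLoggedIn:
        user = User()

    if request.method == 'POST':
        # Without these checks any visitor, logged in or not, could POST
        # here and create feeds.  Mirror feedpage()'s checks and messages.
        if not user_session.logged_in():
            flash("You're not logged in!")
            return redirect(url_for('feeds'))

        if not user.is_admin:
            flash('Sorry! Only Admins can change these details.')
            return redirect(url_for('feeds'))

        action = request.form.get('action', 'create')

        if action == 'create':
            title = request.form.get('title', '').strip()
            if not title:
                flash("I'm not making you an un-named feed!")
                return redirect(url_for('feeds'))
            Feed(name=title).save()

    return render_template('feeds.html',
                           feeds=Feed.select(),
                           user=user,
                           external_sources=ExternalSource.select(),
                           source_types=external_source_types.types())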
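def user_edit(userid=-1):
    ''' edit one user.  Admins can edit any user, but other users
        can only edit themselves. if userid is -1, create a new user.

        Login is required for every method.  By method:
          GET    - render user.html with the user's 10 most recent posts.
          POST   - apply the form via update_user() and save; a
                   non-admin may only POST to their own record.  On
                   create (userid == -1: admins only, loginname must not
                   already exist) redirect to the new user's edit page.
          DELETE - admins only, never yourself, never the "-1" create
                   placeholder; deletes the user and, recursively,
                   everything that references them (their posts).
        Failed checks return permission_denied() / not_found(), or a
        plain (text, status) tuple on DELETE.
    '''

    try:
        current_user = user_session.get_user()
    except user_session.NotLoggedIn:
        flash("Sorry, you're not logged in!")
        return permission_denied("You're not logged in!")

    userid = int(userid)

    if userid != -1:
        try:
            user = User.get(id=userid)
        except User.DoesNotExist:
            return not_found(title="User doesn't exist",
                             message="Sorry, that user does not exist!")
    else:

        if not current_user.is_admin:
            flash('Sorry! Only admins can create new users!')
            return permission_denied("Admins only!")

        # Refuse to create a user whose loginname is already taken.
        try:
            User.get(loginname=request.form.get('loginname', ''))
            return permission_denied("Username already exists!")
        except peewee.DoesNotExist:
            pass

        user = User()  #pylint: disable=no-value-for-parameter

    if request.method == 'POST':
        if current_user != user and not current_user.is_admin:
            return permission_denied("Sorry, you may not edit this user.")

        # update_user() receives current_user, presumably so it can
        # enforce field-level rules (e.g. who may change is_admin) --
        # confirm that there; nothing in this function checks fields.
        update_user(user, request.form, current_user)

        # save:

        try:
            user.save()
            if userid == -1:
                flash('New user created.')
                return redirect(url_for('user_edit', userid=user.id))
            flash('Saved')

        except peewee.IntegrityError as err:
            flash('Cannot Save:' + str(err))

    elif request.method == 'DELETE':
        if not current_user.is_admin:
            return 'Sorry, only admins can delete users', 403

        if userid == -1:
            # `user` is an unsaved User() with no primary key here; never
            # issue a recursive delete keyed on a missing id.
            return 'Sorry, there is no such user to delete', 404

        if user.id == current_user.id:
            return 'Sorry! You cannot delete yourself!', 403

        user.delete_instance(recursive=True)

        return 'User: %s deleted. (And all their posts)' % user.displayname

    users_posts = Post.select().where(Post.author == user) \
                               .order_by(Post.write_date.desc()) \
                               .limit(10)

    return render_template('user.html',
                           allgroups=Group.select(),
                           posts=users_posts,
                           user=user)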