def setUp(self): super(BasicUsersTestCase, self).setUp() self.user = User(loginname=USERNAME, emailaddress='*****@*****.**', is_admin=False) self.user.set_password(USERPASS) self.user.save() self.admin = User(loginname=ADMINNAME, emailaddress='*****@*****.**', is_admin=True) self.admin.set_password(ADMINPASS) self.admin.save()
def posts(): ''' (HTML) list of ALL posts. (also deletes broken posts, if error) ''' try: user = user_session.get_user() except user_session.NotLoggedIn: user = User() try: if user.is_admin: return render_template('posts.html', posts=Post.select(), user=user) else: return render_template('posts.html', posts=Post.select() \ .where(Post.status == 0), user=user) except Feed.DoesNotExist: # Ah. Database inconsistancy! Not good, lah. ps = Post.raw('select post.id from post' ' left join feed on feed.id = post.feed_id' ' where feed.id is null;') for p in ps: p.delete_instance() flash('Cleaned up old posts...') if user.is_admin: return render_template('posts.html', posts=Post.select(), user=user) else: return render_template('posts.html', posts=Post.select()\ .where(Post.status == 0), user=user)
def test_one_user_group_write_and_publish(self): f = Feed(name='123') f.save() u = User(passwordhash='123') u.save() g = Group(name='usergroup') g.save() g.set_users([u.id]) self.assertEqual(f.authors(), []) self.assertEqual(f.publishers(), []) self.assertEqual(f.author_groups(), []) self.assertEqual(f.publisher_groups(), []) self.assertFalse(f.user_can_write(u)) self.assertFalse(f.user_can_publish(u)) f.grant('Write', group=g) f.grant('Publish', group=g) f = Feed.get(id=f.id) self.assertEqual(f.authors(), []) self.assertEqual(f.publishers(), []) self.assertEqual(f.author_groups(), [g]) self.assertEqual(f.publisher_groups(), [g]) self.assertTrue(f.user_can_write(u)) self.assertTrue(f.user_can_publish(u))
def test_one_user_group_read_only(self): f = Feed(name='123') f.save() u = User(passwordhash='123') u.save() g = Group(name='usergroup') g.set_users([u.id]) g.save() self.assertEqual(f.authors(), []) self.assertEqual(f.publishers(), []) self.assertEqual(f.author_groups(), []) self.assertEqual(f.publisher_groups(), []) self.assertFalse(f.user_can_write(u)) self.assertFalse(f.user_can_publish(u)) f.grant('Read', group=g) self.assertEqual(f.authors(), []) self.assertEqual(f.publishers(), []) self.assertEqual(f.author_groups(), []) self.assertEqual(f.publisher_groups(), []) self.assertFalse(f.user_can_write(u)) self.assertFalse(f.user_can_publish(u))
def test_cannot_change_other_users_password_even_with_their_currpass(self): user2 = User(loginname="user2", emailaddress='*****@*****.**', is_admin=False) user2.set_password("userpass2") user2.save() self.login(USERNAME, USERPASS) with self.ctx(): resp = self.client.post(url_for('user_edit', userid=user2.id), data={ "action": "update", "newpass": "******", "conf_newpass": "******", "currpass": "******" }, follow_redirects=True) self.assertIn("Permission Denied", resp.data) self.assertEquals(resp.status_code, 403) usernow = User.get(id=user2.id) self.assertEqual(usernow.passwordhash, user2.passwordhash)
def setUp(self): super(DeletingUsers, self).setUp() self.user2 = User(loginname='user2', emailaddress='*****@*****.**', is_admin=False) self.user2.set_password(USERPASS) self.user2.save()
def test_user_with_no_perms(self): u = User(passwordhash='123') f = Feed() u.save() f.save() self.assertEqual(u.writeable_feeds(), [])
def test_user_with_one_feed(self): u = User(passwordhash='123') f = Feed() u.save() f.save() f.grant('Write', user=u) self.assertEqual(u.writeable_feeds(), [f])
def feedpage(feedid): ''' the back end settings for one feed. ''' try: feed = Feed.get(id=feedid) user = user_session.get_user() except user_session.NotLoggedIn: user = User() except: flash('invalid feed id! (' + str(feedid) + ')') return redirect(url_for('feeds')) if request.method == 'POST': if not user_session.logged_in(): flash("You're not logged in!") return redirect(url_for('feeds')) if not user.is_admin: flash('Sorry! Only Admins can change these details.') return redirect(request.referrer) action = request.form.get('action', 'none') if action == 'edit': feed.name = request.form.get('title', feed.name).strip() inlist = request.form.getlist feed.post_types = ', '.join(inlist('post_types')) feed.set_authors(by_id(User, inlist('authors'))) feed.set_publishers(by_id(User, inlist('publishers'))) feed.set_author_groups(by_id(Group, inlist('author_groups'))) feed.set_publisher_groups(by_id(Group, inlist('publisher_groups'))) feed.save() flash('Saved') elif action == 'delete': for post in feed.posts: post_type_module = post_types.load(post.type) delete_post_and_run_callback(post, post_type_module) feed.delete_instance(True, True) # cascade/recursive delete. flash('Deleted') return redirect(url_for('feeds')) return render_template('feed.html', feed=feed, user=user, all_posttypes=post_types.types(), allusers=User.select(), allgroups=Group.select() )
def index(): ''' main front page / dashboard / index. ''' try: user = user_session.get_user() except user_session.NotLoggedIn: user = User() if not user: user = User() publishable_feeds = user.publishable_feeds() posts_to_publish = Post.select()\ .where((Post.published == False) & (Post.feed << publishable_feeds)) screens = Screen.select() aliases = config_var('screens.aliases', []) for alias in aliases: for screen in screens: if screen.urlname == alias['screen_name']: alias['screen'] = screen break else: alias['screen'] = None return render_template('dashboard.html', aliases=aliases, feeds=Feed.select(), publishable_feeds=publishable_feeds, posts=Post.select().where(Post.author == user)\ .order_by(Post.write_date.desc())\ .limit(15), posts_to_publish=posts_to_publish, screens=screens, user=user)
def test_normal_user_cannot_set_other_to_admin(self): user2 = User(loginname="user2", emailaddress='*****@*****.**', is_admin=False) user2.set_password("userpass2") user2.save() self.login(USERNAME, USERPASS) resp = self.post_update_request(userid=user2.id, is_admin=True) self.assertEqual(resp.status_code, 403) usernow = User.get(id=user2.id) self.assertEqual(usernow.is_admin, False)
def test_user_with_one_feed_via_group(self): u = User(passwordhash='123') g = Group(name='group_with_a_name') f = Feed() u.save() f.save() g.save() g.set_users([u.id]) f.grant('Write', group=g) self.assertEqual(u.writeable_feeds(), [f])
def test_one_user_publish(self): f = Feed(name='123') f.save() u = User(passwordhash='123') u.save() f.grant('Publish', user=u) self.assertEqual(f.authors(), []) self.assertEqual(f.publishers(), [u]) self.assertEqual(f.author_groups(), []) self.assertEqual(f.publisher_groups(), []) self.assertFalse(f.user_can_write(u)) self.assertTrue(f.user_can_publish(u))
def test_cannot_have_matching_usernames(self): user2 = User(loginname='user2', emailaddress='*****@*****.**', is_admin=False) user2.set_password(USERPASS) user2.save() # if this get works, then the user exists: usernow = User.get(loginname="user2") self.assertEqual(user2.id, usernow.id) self.login(ADMINNAME, ADMINPASS) resp = self.post_create_request(currpass=ADMINPASS, newpass='******', conf_newpass='******') self.assertIn("Username already exists", resp.data) # and just make sure we didn't delete them, or set their password... usernew = User.get(loginname="user2") self.assertEqual(usernow.passwordhash, usernew.passwordhash)
def feeds(): ''' the back end list of feeds. ''' if request.method == 'POST': action = request.form.get('action', 'create') if action == 'create': if not request.form.get('title', '').strip(): flash("I'm not making you an un-named feed!") return redirect(url_for('feeds')) Feed(name=request.form.get('title', 'blank').strip()).save() try: user = user_session.get_user() except user_session.NotLoggedIn: user = User() return render_template('feeds.html', feeds=Feed.select(), user=user, external_sources=ExternalSource.select(), source_types=external_source_types.types())
def user_edit(userid=-1): ''' edit one user. Admins can edit any user, but other users can only edit themselves. if userid is -1, create a new user. ''' try: current_user = user_session.get_user() except user_session.NotLoggedIn as e: flash("Sorry, you're not logged in!") return permission_denied("You're not logged in!") userid = int(userid) if userid != -1: try: user = User.get(id=userid) except User.DoesNotExist: return not_found(title="User doesn't exist", message="Sorry, that user does not exist!") else: if not current_user.is_admin: flash('Sorry! Only admins can create new users!') return permission_denied("Admins only!") try: user = User.get(loginname=request.form.get('loginname', '')) return permission_denied("Username already exists!") except peewee.DoesNotExist: pass user = User() #pylint: disable=no-value-for-parameter if request.method == 'POST': if current_user != user and not current_user.is_admin: return permission_denied("Sorry, you may not edit this user.") update_user(user, request.form, current_user) # save: try: user.save() if userid == -1: flash('New user created.') return redirect(url_for('user_edit', userid=user.id)) else: flash('Saved') except peewee.IntegrityError as err: flash('Cannot Save:' + str(err)) elif request.method == 'DELETE': if not current_user.is_admin: return 'Sorry, only admins can delete users', 403 if user.id == current_user.id: return 'Sorry! You cannot delete yourself!', 403 user.delete_instance(recursive=True) return 'User: %s deleted. (And all their posts)' % user.displayname users_posts = Post.select().where(Post.author == user) \ .order_by(Post.write_date.desc()) \ .limit(10) return render_template('user.html', allgroups=Group.select(), posts=users_posts, user=user)