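def test_cannot_change_other_users_password_even_with_their_currpass(self):
    """A non-admin must not be able to reset another user's password.

    The attacker (USERNAME) posts an ``update`` to user2's edit endpoint and
    supplies user2's *real* current password, so what is exercised is the
    ownership/permission check on the target account, not the currpass
    check. Expects a 403 carrying "Permission Denied" and an unchanged
    password hash for user2 when re-read from the database.
    """
    # The password the victim account is created with; sent back below as
    # currpass so that knowing the victim's password is provably not enough.
    victim_pass = "userpass2"
    user2 = User(loginname="user2", emailaddress='*****@*****.**', is_admin=False)
    user2.set_password(victim_pass)
    user2.save()
    hash_before = user2.passwordhash

    self.login(USERNAME, USERPASS)
    with self.ctx():
        resp = self.client.post(
            url_for('user_edit', userid=user2.id),
            data={
                "action": "update",
                "newpass": "******",
                "conf_newpass": "******",
                "currpass": victim_pass,
            },
            follow_redirects=True,
        )

    self.assertIn("Permission Denied", resp.data)
    # assertEqual, not the deprecated assertEquals alias (removed in 3.12)
    self.assertEqual(resp.status_code, 403)

    # re-read the row rather than trusting the in-memory object
    usernow = User.get(id=user2.id)
    self.assertEqual(usernow.passwordhash, hash_before)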
def test_normal_user_cannot_set_other_to_admin(self):
    """A non-admin user must get 403 when trying to promote another user.

    Creates a second non-admin account, logs in as the ordinary test user
    (USERNAME) and posts an update with ``is_admin=True`` against that
    account. The response must be 403 and the target must still be a
    non-admin when re-read from the database.
    """
    target = User(loginname="user2", emailaddress='*****@*****.**', is_admin=False)
    target.set_password("userpass2")
    target.save()

    self.login(USERNAME, USERPASS)
    response = self.post_update_request(userid=target.id, is_admin=True)
    self.assertEqual(response.status_code, 403)

    # re-read rather than trusting the in-memory object
    reloaded = User.get(id=target.id)
    self.assertEqual(reloaded.is_admin, False)
def test_normal_user_cannot_set_other_to_admin(self):
    """A non-admin user must get 403 when trying to promote another user.

    Creates a second non-admin account, logs in as the ordinary test user
    (USERNAME) and posts an update with ``is_admin=True`` against that
    account. The response must be 403 and the target must still be a
    non-admin when re-read from the database.
    """
    target = User(loginname="user2", emailaddress='*****@*****.**', is_admin=False)
    target.set_password("userpass2")
    target.save()

    self.login(USERNAME, USERPASS)
    response = self.post_update_request(userid=target.id, is_admin=True)
    self.assertEqual(response.status_code, 403)

    # re-read rather than trusting the in-memory object
    reloaded = User.get(id=target.id)
    self.assertEqual(reloaded.is_admin, False)
class BasicUsersTestCase(StreetSignTestCase):
    """Fixture base: one ordinary user and one admin, both persisted.

    Subclasses reach them as ``self.user`` / ``self.admin``; the credentials
    are the module-level USERNAME/USERPASS and ADMINNAME/ADMINPASS constants.
    """

    def setUp(self):
        super(BasicUsersTestCase, self).setUp()
        # creation order matters for tests that rely on ids: user first, then admin
        self.user = self._make_user(USERNAME, USERPASS, is_admin=False)
        self.admin = self._make_user(ADMINNAME, ADMINPASS, is_admin=True)

    def _make_user(self, loginname, password, is_admin):
        """Create, password-set and save one User; return it."""
        account = User(loginname=loginname, emailaddress='*****@*****.**', is_admin=is_admin)
        account.set_password(password)
        account.save()
        return account
class BasicUsersTestCase(StreetSignTestCase):
    """Fixture base: one ordinary user and one admin, both persisted.

    Subclasses reach them as ``self.user`` / ``self.admin``; the credentials
    are the module-level USERNAME/USERPASS and ADMINNAME/ADMINPASS constants.
    """

    def setUp(self):
        super(BasicUsersTestCase, self).setUp()
        # creation order matters for tests that rely on ids: user first, then admin
        self.user = self._make_user(USERNAME, USERPASS, is_admin=False)
        self.admin = self._make_user(ADMINNAME, ADMINPASS, is_admin=True)

    def _make_user(self, loginname, password, is_admin):
        """Create, password-set and save one User; return it."""
        account = User(loginname=loginname, emailaddress='*****@*****.**', is_admin=is_admin)
        account.set_password(password)
        account.save()
        return account
def test_cannot_have_matching_usernames(self):
    """Creating a user whose loginname already exists must be rejected.

    A 'user2' account is persisted first, then the admin attempts the create
    request. The response must carry "Username already exists" and the
    pre-existing account must survive untouched (same row, same password hash).
    """
    existing = User(loginname='user2', emailaddress='*****@*****.**', is_admin=False)
    existing.set_password(USERPASS)
    existing.save()

    # User.get raises when the row is missing, so this doubles as an existence check
    before = User.get(loginname="user2")
    self.assertEqual(existing.id, before.id)

    self.login(ADMINNAME, ADMINPASS)
    # NOTE(review): no loginname is passed here, so the collision relies on
    # post_create_request's default being 'user2' - confirm in its definition.
    response = self.post_create_request(currpass=ADMINPASS, newpass='******', conf_newpass='******')
    self.assertIn("Username already exists", response.data)

    # the rejected attempt must neither delete nor re-password the original
    after = User.get(loginname="user2")
    self.assertEqual(before.passwordhash, after.passwordhash)
def test_cannot_have_matching_usernames(self):
    """Creating a user whose loginname already exists must be rejected.

    A 'user2' account is persisted first, then the admin attempts the create
    request. The response must carry "Username already exists" and the
    pre-existing account must survive untouched (same row, same password hash).
    """
    existing = User(loginname='user2', emailaddress='*****@*****.**', is_admin=False)
    existing.set_password(USERPASS)
    existing.save()

    # User.get raises when the row is missing, so this doubles as an existence check
    before = User.get(loginname="user2")
    self.assertEqual(existing.id, before.id)

    self.login(ADMINNAME, ADMINPASS)
    # NOTE(review): no loginname is passed here, so the collision relies on
    # post_create_request's default being 'user2' - confirm in its definition.
    response = self.post_create_request(currpass=ADMINPASS, newpass='******', conf_newpass='******')
    self.assertIn("Username already exists", response.data)

    # the rejected attempt must neither delete nor re-password the original
    after = User.get(loginname="user2")
    self.assertEqual(before.passwordhash, after.passwordhash)
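def test_cannot_change_other_users_password_even_with_their_currpass(self):
    """A non-admin must not be able to reset another user's password.

    The attacker (USERNAME) posts an ``update`` to user2's edit endpoint and
    supplies user2's *real* current password, so what is exercised is the
    ownership/permission check on the target account, not the currpass
    check. Expects a 403 carrying "Permission Denied" and an unchanged
    password hash for user2 when re-read from the database.
    """
    # The password the victim account is created with; sent back below as
    # currpass so that knowing the victim's password is provably not enough.
    victim_pass = "userpass2"
    user2 = User(loginname="user2", emailaddress='*****@*****.**', is_admin=False)
    user2.set_password(victim_pass)
    user2.save()
    hash_before = user2.passwordhash

    self.login(USERNAME, USERPASS)
    with self.ctx():
        resp = self.client.post(
            url_for('user_edit', userid=user2.id),
            data={
                "action": "update",
                "newpass": "******",
                "conf_newpass": "******",
                "currpass": victim_pass,
            },
            follow_redirects=True,
        )

    self.assertIn("Permission Denied", resp.data)
    # assertEqual, not the deprecated assertEquals alias (removed in 3.12)
    self.assertEqual(resp.status_code, 403)

    # re-read the row rather than trusting the in-memory object
    usernow = User.get(id=user2.id)
    self.assertEqual(usernow.passwordhash, hash_before)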
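class DeletingUsers(BasicUsersTestCase):
    ''' Only admin can delete users, and not themselves. '''

    # An id none of the fixtures creates; requests for it must 404.
    NONEXISTENT_ID = 200

    def setUp(self):
        super(DeletingUsers, self).setUp()
        self.user2 = User(loginname='user2', emailaddress='*****@*****.**', is_admin=False)
        self.user2.set_password(USERPASS)
        self.user2.save()

    def post_delete_request(self, userid=False, **kwargs):
        """Send HTTP DELETE to the user_edit endpoint and return the response.

        ``userid`` falls back to ``self.user2.id`` when left at the sentinel
        (``False``, or ``None``). Extra keyword arguments become form data.
        """
        data = dict(kwargs)
        # Identity check, not ``==``: ``0 == False`` is True in Python, so a
        # caller passing userid=0 would silently be redirected at user2.
        if userid is False or userid is None:
            userid = self.user2.id
        with self.ctx():
            return self.client.delete(url_for('user_edit', userid=userid), data=data, follow_redirects=True)

    def assert_user_exists(self, userid):
        """Fail (User.DoesNotExist propagates) if no user with ``userid`` remains."""
        User.get(id=userid)

    def test_logged_out_cannot_delete_user(self):
        """Unauthenticated DELETE is refused with 403 and the target survives."""
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.user2.id)

    def test_normal_user_cannot_delete_user(self):
        """An ordinary user cannot delete another ordinary user."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.user2.id)

    def test_normal_user_cannot_delete_self(self):
        """An ordinary user cannot delete their own account either."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.user.id)
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.user.id)

    def test_normal_user_cannot_delete_admin(self):
        """An ordinary user cannot delete an admin account."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.admin.id)

    def test_admin_can_delete_user(self):
        """Admin deleting an ordinary user returns 200 and removes the row."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 200)
        with self.assertRaises(User.DoesNotExist):
            User.get(id=self.user2.id)

    def test_admin_cannot_delete_self(self):
        """Admin may not delete their own account; the row must remain."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        # NOTE(review): only the message is checked here; the status code the
        # app returns for this refusal is not pinned by this test.
        self.assertIn("You cannot delete yourself", resp.data)
        self.assert_user_exists(self.admin.id)

    def test_admin_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id as admin is a 404, not a silent success."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request(userid=self.NONEXISTENT_ID)
        self.assertEqual(resp.status_code, 404)

    def test_normal_user_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id as an ordinary user is also a 404."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.NONEXISTENT_ID)
        self.assertEqual(resp.status_code, 404)

    def when_user_deleted_posts_also_deleted(self):
        # Not prefixed with ``test_``, so the unittest runner does not collect
        # it; still an unimplemented TODO.
        self.login(ADMINNAME, ADMINPASS)
        # TODO
        pass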
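class DeletingUsers(BasicUsersTestCase):
    ''' Only admin can delete users, and not themselves. '''

    # An id none of the fixtures creates; requests for it must 404.
    NONEXISTENT_ID = 200

    def setUp(self):
        super(DeletingUsers, self).setUp()
        self.user2 = User(loginname='user2', emailaddress='*****@*****.**', is_admin=False)
        self.user2.set_password(USERPASS)
        self.user2.save()

    def post_delete_request(self, userid=False, **kwargs):
        """Send HTTP DELETE to the user_edit endpoint and return the response.

        ``userid`` falls back to ``self.user2.id`` when left at the sentinel
        (``False``, or ``None``). Extra keyword arguments become form data.
        """
        data = dict(kwargs)
        # Identity check, not ``==``: ``0 == False`` is True in Python, so a
        # caller passing userid=0 would silently be redirected at user2.
        if userid is False or userid is None:
            userid = self.user2.id
        with self.ctx():
            return self.client.delete(url_for('user_edit', userid=userid), data=data, follow_redirects=True)

    def assert_user_exists(self, userid):
        """Fail (User.DoesNotExist propagates) if no user with ``userid`` remains."""
        User.get(id=userid)

    def test_logged_out_cannot_delete_user(self):
        """Unauthenticated DELETE is refused with 403 and the target survives."""
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.user2.id)

    def test_normal_user_cannot_delete_user(self):
        """An ordinary user cannot delete another ordinary user."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.user2.id)

    def test_normal_user_cannot_delete_self(self):
        """An ordinary user cannot delete their own account either."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.user.id)
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.user.id)

    def test_normal_user_cannot_delete_admin(self):
        """An ordinary user cannot delete an admin account."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        self.assertEqual(resp.status_code, 403)
        self.assert_user_exists(self.admin.id)

    def test_admin_can_delete_user(self):
        """Admin deleting an ordinary user returns 200 and removes the row."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 200)
        with self.assertRaises(User.DoesNotExist):
            User.get(id=self.user2.id)

    def test_admin_cannot_delete_self(self):
        """Admin may not delete their own account; the row must remain."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        # NOTE(review): only the message is checked here; the status code the
        # app returns for this refusal is not pinned by this test.
        self.assertIn("You cannot delete yourself", resp.data)
        self.assert_user_exists(self.admin.id)

    def test_admin_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id as admin is a 404, not a silent success."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request(userid=self.NONEXISTENT_ID)
        self.assertEqual(resp.status_code, 404)

    def test_normal_user_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id as an ordinary user is also a 404."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.NONEXISTENT_ID)
        self.assertEqual(resp.status_code, 404)

    def when_user_deleted_posts_also_deleted(self):
        # Not prefixed with ``test_``, so the unittest runner does not collect
        # it; still an unimplemented TODO.
        self.login(ADMINNAME, ADMINPASS)
        # TODO
        pass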