def test_get_totp_image(client, user_info, test_config):
register_user(client, user_info)
assert client.get(url_for("admin.get_totp_image")).status_code == 404
promote_user_to_admin(client, user_info)
rv = client.get(url_for("admin.get_totp_image"))
assert rv.status_code == 200
assert rv.content_type == "image/png"
def test_admin_totp_auth_flow(client, user_info, test_config):
register_user(client, user_info)
assert client.get(url_for("admin.auth")).status_code == 404
promote_user_to_admin(client, user_info)
rv = client.get(url_for("admin.auth"), follow_redirects=True)
assert rv.status_code == 200
assert b"TOTP setup" in rv.data
user = User.get(User.name == user_info["username"])
user_secret = UserMetadata.get((UserMetadata.uid == user.uid)
& (UserMetadata.key == "totp_secret"))
totp = pyotp.TOTP(user_secret.value)
data = {"csrf_token": csrf_token(rv.data), "totp": totp.now()}
rv = client.post(url_for("admin.auth"), data=data, follow_redirects=False)
assert rv.status_code == 302
assert rv.location == url_for("admin.index")
# Try again with bad token
data["totp"] = "1"
rv = client.post(url_for("admin.auth"), data=data, follow_redirects=False)
assert rv.status_code == 200
assert b"Invalid or expired token." in rv.data
# Check if we're actually logged in.
assert client.get(url_for("admin.index")).status_code == 200
# Get QR code after we already set up TOTP
assert client.get(url_for("admin.get_totp_image")).status_code == 403
# Try logging out.
client.post(url_for("admin.logout"), data=data)
assert client.get(url_for("admin.index"),
follow_redirects=False).status_code == 302
def test_admin_can_ban_email_domain(client, user_info):
register_user(client, user_info)
promote_user_to_admin(client, user_info)
rv = client.get(url_for('admin.domains', domain_type='email'))
rv = client.post(url_for('do.ban_domain', domain_type='email'),
data=dict(csrf_token=csrf_token(rv.data),
domain='spam4u.com'),
follow_redirects=True)
reply = json.loads(rv.data.decode('utf-8'))
assert reply['status'] == 'ok'
log_out_current_user(client)
rv = client.get(url_for('auth.register'))
with mail.record_messages() as outbox:
data = dict(csrf_token=csrf_token(rv.data),
username='******',
password='******',
confirm='Safe123#$@lolnot',
email_required='*****@*****.**',
invitecode='',
accept_tos=True,
captcha='xyzzy')
rv = client.post(url_for('auth.register'),
data=data,
follow_redirects=True)
assert len(outbox) == 0
assert b'do not accept emails' in rv.data
assert b'Register' in rv.data
assert b'Log out' not in rv.data
def test_admin_can_ban_email_domain(client, user_info, test_config):
register_user(client, user_info)
promote_user_to_admin(client, user_info)
rv = client.get(url_for("admin.domains", domain_type="email"))
rv = client.post(
url_for("do.ban_domain", domain_type="email"),
data=dict(csrf_token=csrf_token(rv.data), domain="spam4u.com"),
follow_redirects=True,
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
rv = client.get(url_for("auth.register"))
with mail.record_messages() as outbox:
data = dict(
csrf_token=csrf_token(rv.data),
username="******",
password="******",
confirm="Safe123#$@lolnot",
email_required="*****@*****.**",
invitecode="",
accept_tos=True,
captcha="xyzzy",
)
rv = client.post(url_for("auth.register"), data=data, follow_redirects=True)
assert len(outbox) == 0
assert b"do not accept emails" in rv.data
assert b"Register" in rv.data
assert b"Log out" not in rv.data
def test_admin_can_ban_and_unban_user(client, user_info, user2_info):
register_user(client, user_info)
register_user(client, user2_info)
promote_user_to_admin(client, user2_info)
username = user_info["username"]
rv = client.get(url_for("user.view", user=username))
client.post(
url_for("do.ban_user", username=username),
data=dict(csrf_token=csrf_token(rv.data)),
follow_redirects=True,
)
# For now, banning makes you unable to log in.
log_out_current_user(client)
log_in_user(client, user_info, expect_success=False)
log_in_user(client, user2_info)
rv = client.get(url_for("user.view", user=username))
client.post(
url_for("do.unban_user", username=username),
data=dict(csrf_token=csrf_token(rv.data)),
follow_redirects=True,
)
log_out_current_user(client)
log_in_user(client, user_info)
def test_post_delete_notification(client, user_info, user2_info, user3_info):
"Notifications are sent for post delete and undelete."
config.update_value("site.sub_creation_min_level", 0)
receiver, admin, mod = user_info, user2_info, user3_info
register_user(client, receiver)
receiver_uid = User.get(User.name == receiver["username"]).uid
log_out_current_user(client)
register_user(client, admin)
promote_user_to_admin(client, admin)
log_out_current_user(client)
register_user(client, mod)
mod_uid = User.get(User.name == mod["username"]).uid
create_sub(client)
log_out_current_user(client)
# Receiver makes a post.
log_in_user(client, receiver)
rv_post = client.get(url_for("subs.submit", ptype="text", sub="test"))
csrf = csrf_token(rv_post.data)
data = {
"csrf_token": csrf,
"title": "the title",
"ptype": "text",
"content": "the content",
}
rv = client.post(
url_for("subs.submit", ptype="text", sub="test"),
data=data,
follow_redirects=False,
)
assert rv.status == "302 FOUND"
soup = BeautifulSoup(rv.data, "html.parser", from_encoding="utf-8")
link = soup.a.get_text()
pid = link.split("/")[-1]
log_out_current_user(client)
# Mod deletes the post.
log_in_user(client, mod)
data = {
"csrf_token": csrf,
"post": pid,
"reason": "serious reason",
"send_to_admin": False,
}
rv = client.post(
url_for("do.delete_post"),
data=data,
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
# Admin un-deletes the post.
log_in_user(client, admin)
data = {
"csrf_token": csrf,
"post": pid,
"reason": "frivolous reason",
}
rv = client.post(
url_for("do.undelete_post"),
data=data,
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
# Receiver blocks mod.
log_in_user(client, receiver)
data = {
"csrf_token": csrf,
"view_messages": "show",
"view_content": "hide",
}
rv = client.post(url_for("do.edit_ignore", uid=mod_uid),
data=data,
follow_redirects=True)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# Receiver checks notifications. They should not be ignored,
# because they are mod actions.
assert get_notification_count(receiver_uid)["notifications"] == 2
rv = client.get(url_for("messages.view_notifications"))
assert b" deleted your post" in rv.data
assert b"un-deleted your post" in rv.data
assert b"serious reason" in rv.data
assert b"frivolous reason" in rv.data
# After checking, the notification is marked read.
assert get_notification_count(receiver_uid)["notifications"] == 0
# Receiver unblocks mod.
data = {
"csrf_token": csrf_token(rv.data),
"view_messages": "show",
"view_content": "show",
}
rv = client.post(url_for("do.edit_ignore", uid=mod_uid),
data=data,
follow_redirects=True)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# Receiver checks notifications again.
rv = client.get(url_for("messages.view_notifications"))
assert b" deleted your post" in rv.data
assert b"un-deleted your post" in rv.data
assert b"serious reason" in rv.data
assert b"frivolous reason" in rv.data
def test_invite_code_required_for_registration(client, user_info, user2_info):
"""If invite codes are required, trying to register without one will fail."""
register_user(client, user_info)
promote_user_to_admin(client, user_info)
# Enable invite codes.
rv = client.get(url_for("admin.invitecodes"))
data = dict(csrf_token=csrf_token(rv.data),
enableinvitecode=True,
minlevel=3,
maxcodes=10)
rv = client.post(url_for("do.use_invite_code"),
data=data,
follow_redirects=True)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# Create an invite code.
rv = client.get(url_for("admin.invitecodes"))
data = dict(csrf_token=csrf_token(rv.data),
code="abcde",
uses=10,
expires="")
client.post(url_for("admin.invitecodes"), data=data, follow_redirects=True)
log_out_current_user(client)
# Now try to register a new user without an invite code.
rv = client.get(url_for("auth.register"))
data = dict(
csrf_token=csrf_token(rv.data),
username=user2_info["username"],
password=user2_info["password"],
confirm=user2_info["password"],
invitecode="",
email_optional=user2_info["email"],
accept_tos=True,
captcha="xyzzy",
)
rv = client.post(url_for("auth.register"),
data=data,
follow_redirects=True)
assert b"Invalid invite code" in rv.data
# Now try to register a new user with an incorrect invite code.
rv = client.get(url_for("auth.register"))
data = dict(
csrf_token=csrf_token(rv.data),
username=user2_info["username"],
password=user2_info["password"],
confirm=user2_info["password"],
invitecode="xyzzy",
email_optional=user2_info["email"],
accept_tos=True,
captcha="xyzzy",
)
rv = client.post(url_for("auth.register"),
data=data,
follow_redirects=True)
assert b"Invalid invite code" in rv.data
# Now try to register a new user with a valid invite code.
rv = client.get(url_for("auth.register"))
data = dict(
csrf_token=csrf_token(rv.data),
username=user2_info["username"],
password=user2_info["password"],
confirm=user2_info["password"],
invitecode="abcde",
email_optional=user2_info["email"],
accept_tos=True,
captcha="xyzzy",
)
rv = client.post(url_for("auth.register"),
data=data,
follow_redirects=True)
assert b"Log out" in rv.data
def test_invite_code_required_for_registration(client, user_info, user2_info):
"If invite codes are required, trying to register without one will fail."
register_user(client, user_info)
promote_user_to_admin(client, user_info)
# Enable invite codes.
rv = client.get(url_for('admin.invitecodes'))
data = dict(csrf_token=csrf_token(rv.data),
enableinvitecode=True,
minlevel=3,
maxcodes=10)
rv = client.post(url_for('do.use_invite_code'),
data=data,
follow_redirects=True)
reply = json.loads(rv.data.decode('utf-8'))
assert reply['status'] == 'ok'
# Create an invite code.
rv = client.get(url_for('admin.invitecodes'))
data = dict(csrf_token=csrf_token(rv.data),
code="abcde",
uses=10,
expires='')
rv = client.post(url_for('admin.invitecodes'),
data=data,
follow_redirects=True)
log_out_current_user(client)
# Now try to register a new user without an invite code.
rv = client.get(url_for('auth.register'))
data = dict(csrf_token=csrf_token(rv.data),
username=user2_info['username'],
password=user2_info['password'],
confirm=user2_info['password'],
invitecode='',
email_optional=user2_info['email'],
accept_tos=True,
captcha='xyzzy')
rv = client.post(url_for('auth.register'),
data=data,
follow_redirects=True)
assert b'Invalid invite code' in rv.data
# Now try to register a new user with an incorrect invite code.
rv = client.get(url_for('auth.register'))
data = dict(csrf_token=csrf_token(rv.data),
username=user2_info['username'],
password=user2_info['password'],
confirm=user2_info['password'],
invitecode='xyzzy',
email_optional=user2_info['email'],
accept_tos=True,
captcha='xyzzy')
rv = client.post(url_for('auth.register'),
data=data,
follow_redirects=True)
assert b'Invalid invite code' in rv.data
# Now try to register a new user with a valid invite code.
rv = client.get(url_for('auth.register'))
data = dict(csrf_token=csrf_token(rv.data),
username=user2_info['username'],
password=user2_info['password'],
confirm=user2_info['password'],
invitecode='abcde',
email_optional=user2_info['email'],
accept_tos=True,
captcha='xyzzy')
rv = client.post(url_for('auth.register'),
data=data,
follow_redirects=True)
assert b'Log out' in rv.data
def test_mod_comment_delete(client, user_info, user2_info, user3_info):
config.update_value("site.sub_creation_min_level", 0)
user, admin, mod = user_info, user2_info, user3_info
register_user(client, admin)
promote_user_to_admin(client, admin)
log_out_current_user(client)
register_user(client, mod)
create_sub(client)
log_out_current_user(client)
register_user(client, user)
# User makes a post.
rv = client.get(url_for("subs.submit", ptype="text", sub="test"))
csrf = csrf_token(rv.data)
data = {
"csrf_token": csrf,
"title": "the title",
"ptype": "text",
"content": "the content",
}
rv = client.post(
url_for("subs.submit", ptype="text", sub="test"),
data=data,
follow_redirects=False,
)
assert rv.status == "302 FOUND"
soup = BeautifulSoup(rv.data, "html.parser", from_encoding="utf-8")
link = soup.a.get_text()
pid = link.split("/")[-1]
# User adds some comments.
rv = client.get(link, follow_redirects=True)
assert b"the title | test" in rv.data
cids = {}
comments = [
"delete_user",
"delete_admin",
"delete_then_undelete_by_admin",
"delete_mod",
"delete_then_undelete_by_mod",
"delete_undelete_by_mod_then_admin",
]
for comment in comments:
data = {
"csrf_token": csrf,
"post": pid,
"parent": "0",
"comment": comment,
}
rv = client.post(
url_for("do.create_comment", pid=pid), data=data, follow_redirects=False
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
cids[comment] = reply["cid"]
# User reloads the page and can see all the comments.
rv = client.get(link, follow_redirects=True)
data = rv.data.decode("utf-8")
for comment in comments:
assert comment in data
# Check for the css class on the bottombar delete links.
assert len(re.findall("[^n]delete-comment", data)) == len(comments)
rv = client.post(
url_for("do.delete_comment"),
data={"csrf_token": csrf, "cid": cids["delete_user"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# User can no longer see deleted comment.
rv = client.get(link, follow_redirects=True)
data = rv.data.decode("utf-8")
for comment in comments:
if comment == "delete_user":
assert comment not in data
else:
assert comment in data
log_out_current_user(client)
# Admin sees deleted comment content, and n-1 delete links.
log_in_user(client, admin)
rv = client.get(link, follow_redirects=True)
data = rv.data.decode("utf-8")
for comment in comments:
assert comment in data
# Check for the css class on the bottombar delete links.
assert len(re.findall("[^n]delete-comment", data)) == len(comments) - 1
assert "undelete-comment" not in data
# Admin tries to remove user's deleted comment.
rv = client.post(
url_for("do.delete_comment"),
data={"csrf_token": csrf, "cid": cids["delete_user"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
assert reply["error"] == "Comment is already deleted"
# Admin removes two comments.
for comment in ["delete_admin", "delete_then_undelete_by_admin"]:
rv = client.post(
url_for("do.delete_comment"),
data={"csrf_token": csrf, "cid": cids[comment]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# Admin can still see all comment content and now has two undelete links.
rv = client.get(link, follow_redirects=True)
data = rv.data.decode("utf-8")
for comment in comments:
assert comment in data
# Check for the css class on the bottombar delete links.
assert len(re.findall("undelete-comment", data)) == 2
assert len(re.findall("[^n]delete-comment", data)) == len(comments) - 3
# Admin undeletes a comment.
rv = client.post(
url_for("do.undelete_comment"),
data={"csrf_token": csrf, "cid": cids["delete_then_undelete_by_admin"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
# Mod sees content of deleted and undeleted comments.
log_in_user(client, mod)
rv = client.get(link, follow_redirects=True)
data = rv.data.decode("utf-8")
for comment in comments:
assert comment in data
# Mod should see delete links for undeleted comments.
assert len(re.findall("[^n]delete-comment", data)) == len(comments) - 2
assert len(re.findall("undelete-comment", data)) == 0
# Mod tries to remove already deleted comments.
for comment in ["delete_user", "delete_admin"]:
rv = client.post(
url_for("do.delete_comment"),
data={"csrf_token": csrf, "cid": cids[comment]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
assert reply["error"] == "Comment is already deleted"
# Mod tries to undelete comment deleted by admin.
rv = client.post(
url_for("do.undelete_comment"),
data={"csrf_token": csrf, "cid": cids["delete_admin"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
assert reply["error"] == "Not authorized"
# Mod removes some comments.
for comment in [
"delete_mod",
"delete_then_undelete_by_mod",
"delete_undelete_by_mod_then_admin",
]:
rv = client.post(
url_for("do.delete_comment"),
data={"csrf_token": csrf, "cid": cids[comment]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# Mod sees content of all comments, and now has two undelete links.
rv = client.get(link, follow_redirects=True)
data = rv.data.decode("utf-8")
for comment in comments:
assert comment in data
# Mod should see delete links for undeleted comments.
assert len(re.findall("[^n]delete-comment", data)) == len(comments) - 5
assert len(re.findall("undelete-comment", data)) == 3
# Mod undeletes a comment.
rv = client.post(
url_for("do.undelete_comment"),
data={"csrf_token": csrf, "cid": cids["delete_then_undelete_by_mod"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
log_in_user(client, admin)
# Admin has undelete links for the content admin deleted as well as
# the content the mod deleted.
assert len(re.findall("undelete-comment", data)) == 3
# Admin can undelete a comment deleted by the mod.
rv = client.post(
url_for("do.undelete_comment"),
data={"csrf_token": csrf, "cid": cids["delete_undelete_by_mod_then_admin"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
log_in_user(client, user)
# User can see comments which are not deleted.
undeleted = [
"delete_then_undelete_by_admin",
"delete_then_undelete_by_mod",
"delete_undelete_by_mod_then_admin",
]
rv = client.get(link, follow_redirects=True)
data = rv.data.decode("utf-8")
for comment in comments:
if comment in undeleted:
assert comment in data
else:
assert comment not in data
# User should see delete links for undeleted comments.
assert len(re.findall("[^n]delete-comment", data)) == len(undeleted)
assert len(re.findall("undelete-comment", data)) == 0
# User can't undelete any comment
for comment in comments:
rv = client.post(
url_for("do.undelete_comment"),
data={"csrf_token": csrf, "cid": cids[comment]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
if comment in undeleted:
assert reply["error"] == "Comment is not deleted"
elif comment == "delete_user":
assert reply["error"] == "Can not un-delete a self-deleted comment"
else:
assert reply["error"] == "Not authorized"
def test_mod_post_delete(client, user_info, user2_info, user3_info):
config.update_value("site.sub_creation_min_level", 0)
user, admin, mod = user_info, user2_info, user3_info
register_user(client, admin)
promote_user_to_admin(client, admin)
log_out_current_user(client)
register_user(client, mod)
create_sub(client)
log_out_current_user(client)
register_user(client, user)
# User makes several posts.
pids = {}
posts = [
"delete_user",
"delete_admin",
"delete_then_undelete_by_admin",
"delete_mod",
"delete_then_undelete_by_mod",
"delete_undelete_by_mod_then_admin",
]
rv = client.get(url_for("subs.submit", ptype="text", sub="test"))
csrf = csrf_token(rv.data)
for post in posts:
rv = client.post(
url_for("subs.submit", ptype="text", sub="test"),
data={
"csrf_token": csrf,
"title": post,
"ptype": "text",
"content": "the content",
},
follow_redirects=False,
)
assert rv.status == "302 FOUND"
soup = BeautifulSoup(rv.data, "html.parser", from_encoding="utf-8")
link = soup.a.get_text()
pids[post] = link.split("/")[-1]
# User can see all the posts.
rv = client.get(url_for("sub.view_sub", sub="test"), follow_redirects=True)
data = rv.data.decode("utf-8")
for post in posts:
assert post in data
# User has a delete link on a single-post page.
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids["delete_user"]),
follow_redirects=True,
)
assert len(re.findall("[^n]delete-post", rv.data.decode("utf-8"))) == 1
# User deletes a post.
rv = client.post(
url_for("do.delete_post"),
data={"csrf_token": csrf, "post": pids["delete_user"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# User can now not see deleted post
rv = client.get(url_for("sub.view_sub", sub="test"), follow_redirects=True)
data = rv.data.decode("utf-8")
for post in posts:
if post == "delete_user":
assert post not in data
else:
assert post in data
# User can go to deleted post page but there is no delete or undelete link.
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids["delete_user"]),
follow_redirects=True,
)
data = rv.data.decode("utf-8")
assert "the content" not in data
assert len(re.findall("delete-post", data)) == 0
log_out_current_user(client)
# Admin sees deleted post content, and no delete or undelete link.
log_in_user(client, admin)
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids["delete_user"]),
follow_redirects=True,
)
data = rv.data.decode("utf-8")
assert "the content" in data
assert len(re.findall("delete-post", data)) == 0
# Admin tries to remove user's deleted post.
rv = client.post(
url_for("do.delete_post"),
data={"csrf_token": csrf, "post": pids["delete_user"]},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
assert reply["error"] == ["Post was already deleted"]
# Admin deletes two posts.
for post in ["delete_admin", "delete_then_undelete_by_admin"]:
rv = client.post(
url_for("do.delete_post"),
data={"csrf_token": csrf, "post": pids[post], "reason": "admin"},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# Admin can still see the post content and now has undelete links.
for post in ["delete_admin", "delete_then_undelete_by_admin"]:
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids[post]), follow_redirects=True
)
data = rv.data.decode("utf-8")
assert "the content" in data
# Check for the css class on the bottombar delete links.
assert len(re.findall("undelete-post", data)) == 1
assert len(re.findall("[^n]delete-post", data)) == 0
# Admin undeletes a post.
rv = client.post(
url_for("do.undelete_post"),
data={
"csrf_token": csrf,
"post": pids["delete_then_undelete_by_admin"],
"reason": "admin",
},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
# Mod can see content of all posts. Mod sees delete links for the
# posts which are not deleted, and does not have delete or
# undelete links for the deleted posts.
log_in_user(client, mod)
for post in posts:
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids[post]), follow_redirects=True
)
data = rv.data.decode("utf-8")
assert post in data
assert "the content" in data
if post in ["delete_user", "delete_admin"]:
assert len(re.findall("delete-post", data)) == 0
else:
assert len(re.findall("undelete-post", data)) == 0
assert len(re.findall("[^n]delete-post", data)) == 1
# Mod tries to remove already deleted posts.
for post in ["delete_user", "delete_admin"]:
rv = client.post(
url_for("do.delete_post"),
data={"csrf_token": csrf, "post": pids[post], "reason": "mod"},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
assert reply["error"] == ["Post was already deleted"]
# Mod can't undelete post deleted by admin.
rv = client.post(
url_for("do.undelete_post"),
data={"csrf_token": csrf, "post": pids["delete_admin"], "reason": "mod"},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
assert reply["error"] == ["Not authorized"]
# Mod deletes some posts.
for post in [
"delete_mod",
"delete_then_undelete_by_mod",
"delete_undelete_by_mod_then_admin",
]:
rv = client.post(
url_for("do.delete_post"),
data={"csrf_token": csrf, "post": pids[post], "reason": "mod"},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
# Mod sees content of all posts, and now has two undelete links.
for post in posts:
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids[post]), follow_redirects=True
)
data = rv.data.decode("utf-8")
assert post in data
assert "the content" in data
if post in ["delete_user", "delete_admin"]:
assert len(re.findall("delete-post", data)) == 0
elif post in [
"delete_mod",
"delete_then_undelete_by_mod",
"delete_undelete_by_mod_then_admin",
]:
assert len(re.findall("[^n]delete-post", data)) == 0
assert len(re.findall("undelete-post", data)) == 1
else:
assert len(re.findall("undelete-post", data)) == 0
assert len(re.findall("[^n]delete-post", data)) == 1
# Mod undeletes a post.
rv = client.post(
url_for("do.undelete_post"),
data={
"csrf_token": csrf,
"post": pids["delete_then_undelete_by_mod"],
"reason": "mod",
},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
log_in_user(client, admin)
# Admin has undelete links for the content admin deleted as well as
# the content the mod deleted.
for post in posts:
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids[post]), follow_redirects=True
)
data = rv.data.decode("utf-8")
assert post in data
assert "the content" in data
if post == "delete_user":
assert len(re.findall("delete-post", data)) == 0
elif post in [
"delete_admin",
"delete_mod",
"delete_undelete_by_mod_then_admin",
]:
assert len(re.findall("[^n]delete-post", data)) == 0
assert len(re.findall("undelete-post", data)) == 1
else:
assert len(re.findall("undelete-post", data)) == 0
assert len(re.findall("[^n]delete-post", data)) == 1
# Admin can undelete a post deleted by the mod.
rv = client.post(
url_for("do.undelete_post"),
data={
"csrf_token": csrf,
"post": pids["delete_undelete_by_mod_then_admin"],
"reason": "admin",
},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "ok"
log_out_current_user(client)
log_in_user(client, user)
# User can see posts which were deleted by mod or admin.
undeleted = [
"delete_then_undelete_by_admin",
"delete_then_undelete_by_mod",
"delete_undelete_by_mod_then_admin",
]
for post in posts:
rv = client.get(
url_for("sub.view_post", sub="test", pid=pids[post]), follow_redirects=True
)
data = rv.data.decode("utf-8")
assert post in data
if post != "delete_user":
assert "the content" in data
# User has a delete link for posts which are not deleted, and
# no undelete links.
if post in undeleted:
assert len(re.findall("[^n]delete-post", data)) == 1
else:
assert len(re.findall("[^n]delete-post", data)) == 0
assert len(re.findall("undelete-post", data)) == 0
for post in posts:
if post not in undeleted:
# User can't delete anything which has already been deleted.
rv = client.post(
url_for("do.delete_post"),
data={
"csrf_token": csrf,
"post": pids["delete_user"],
"reason": "user",
},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
assert reply["error"] == ["Post was already deleted"]
# User can't undelete any posts.
for post in posts:
rv = client.post(
url_for("do.undelete_post"),
data={"csrf_token": csrf, "post": pids[post], "reason": "user"},
)
reply = json.loads(rv.data.decode("utf-8"))
assert reply["status"] == "error"
if post == "delete_user":
assert reply["error"] == ["Can not un-delete a self-deleted post"]
elif "undelete" in post:
assert reply["error"] == ["Post is not deleted"]
else:
assert reply["error"] == ["Not authorized"]
def test_totp_required(client, user_info, test_config):
register_user(client, user_info)
promote_user_to_admin(client, user_info)
rv = client.get(url_for("admin.index"))
assert rv.status_code == 302
assert rv.location == url_for("admin.auth")
