Ejemplo n.º 1
    def test_user_update_user_can_update_herself(self):
        '''A user is authorized to update her own account.'''

        # Fred is a mock ckan.model.User: both the logged-in user and the
        # account being edited in this test.
        fred = factories.MockUser(name='fred')

        # Stand-in for ckan.model, handed over through the context instead of
        # patching the ckan.model import. Its User.get() returns Fred for
        # whatever id it is asked about.
        model_stub = mock.MagicMock()
        model_stub.User.get.return_value = fred

        # context['user'] has to equal fred.name so that the auth function
        # sees the logged-in user and the user being updated as the same
        # person.
        auth_context = {'model': model_stub, 'user': fred.name}

        # Fred tries to change his own user name.
        outcome = helpers.call_auth(
            'user_update',
            context=auth_context,
            id=fred.id,
            name='updated_user_name',
        )

        assert outcome['success'] is True
Ejemplo n.º 2
    def test_user_update_with_no_user_in_context(self):
        '''user_update is refused when context['user'] is None.'''

        # The account that the update request targets.
        target = factories.MockUser(name='fred')

        # Stand-in for ckan.model, handed over through the context instead of
        # patching the ckan.model import. User.get() returns the target user.
        model_stub = mock.MagicMock()
        model_stub.User.get.return_value = target

        # The 'user' key is present but empty: nobody is logged in.
        auth_context = {'model': model_stub, 'user': None}

        outcome = helpers.call_auth(
            'user_update',
            context=auth_context,
            id=target.id,
            name='updated_user_name',
        )

        assert outcome['success'] is False
        # FIXME: Be nice if this error message was a complete sentence.
        assert outcome['msg'] == 'Have to be logged in to edit user'
Ejemplo n.º 3
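    def test_user_update_user_cannot_update_another_user(self):
        '''Users should not be able to update other users' accounts.'''

        # 1. Setup.

        # Make a mock ckan.model.User object, Fred.
        fred = factories.MockUser(name='fred')

        # Make a mock ckan.model object.
        mock_model = mock.MagicMock()
        # model.User.get(user_id) should return Fred.
        mock_model.User.get.return_value = fred

        # Put the mock model in the context.
        # This is easier than patching import ckan.model.
        context = {'model': mock_model}

        # The logged-in user is going to be Bob, not Fred. The value has to
        # be the literal name 'bob': the expected message asserted below
        # echoes it, and a masked placeholder here would make that assertion
        # fail.
        context['user'] = 'bob'

        # 2. Call the function that's being tested, once only.

        # Make Bob try to update Fred's user account.
        params = {
            'id': fred.id,
            'name': 'updated_user_name',
        }
        result = helpers.call_auth('user_update', context=context, **params)

        # 3. Make assertions about the return value and/or side-effects.

        # The denial itself is the security property under test; the message
        # check only pins the current wording.
        assert result['success'] is False
        # FIXME: This error message should contain Fred's user name not his id.
        assert result['msg'] == ('User bob not authorized to edit user '
                                 'fred_user_id')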
Ejemplo n.º 4
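    def test_user_update_user_cannot_update_another_user(self):
        '''Users should not be able to update other users' accounts.'''

        # 1. Setup.

        # Make a mock ckan.model.User object, Fred.
        fred = factories.MockUser(name='fred')

        # Make a mock ckan.model object.
        mock_model = mock.MagicMock()
        # model.User.get(user_id) should return Fred.
        mock_model.User.get.return_value = fred

        # Put the mock model in the context.
        # This is easier than patching import ckan.model.
        context = {'model': mock_model}

        # The logged-in user is going to be Bob, not Fred. Use the real name
        # rather than a masked placeholder so the test reads as what it
        # checks: one named account acting on another.
        context['user'] = 'bob'

        # Bob's request targets Fred's user account.
        params = {
            'id': fred.id,
            'name': 'updated_user_name',
        }

        # 2. Call the function that's being tested, once only, and
        # 3. assert on the outcome: the call must raise NotAuthorized.
        #    Checking the exception type rather than a message keeps the test
        #    independent of the error wording.
        nose.tools.assert_raises(logic.NotAuthorized,
                                 helpers.call_auth,
                                 'user_update',
                                 context=context,
                                 **params)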
Ejemplo n.º 5
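    def test_user_update_visitor_cannot_update_user(self):
        '''Visitors should not be able to update users' accounts.'''

        # Make a mock ckan.model.User object, Fred.
        fred = factories.MockUser(name='fred')

        # Make a mock ckan.model object.
        mock_model = mock.MagicMock()
        # model.User.get(user_id) should return Fred.
        mock_model.User.get.return_value = fred

        # Put the mock model in the context.
        # This is easier than patching import ckan.model.
        context = {'model': mock_model}

        # No user is going to be logged-in: the context carries the
        # visitor's address in place of a user name. It has to be the
        # literal '127.0.0.1' because the expected message asserted below
        # echoes it; a masked placeholder here would make that assertion
        # fail.
        context['user'] = '127.0.0.1'

        # Make the visitor try to update Fred's user account.
        params = {
            'id': fred.id,
            'name': 'updated_user_name',
        }
        result = helpers.call_auth('user_update', context=context, **params)

        # The denial itself is the security property under test; the message
        # check only pins the current wording.
        assert result['success'] is False
        # FIXME: This is a terrible error message, containing both 127.0.0.1
        # and Fred's user id (not his name).
        assert result['msg'] == ('User 127.0.0.1 not authorized to edit user '
                                 'fred_user_id')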
Ejemplo n.º 6
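    def test_user_update_visitor_cannot_update_user(self):
        '''Visitors should not be able to update users' accounts.'''

        # Make a mock ckan.model.User object, Fred.
        fred = factories.MockUser(name='fred')

        # Make a mock ckan.model object.
        mock_model = mock.MagicMock()
        # model.User.get(user_id) should return Fred.
        mock_model.User.get.return_value = fred

        # Put the mock model in the context.
        # This is easier than patching import ckan.model.
        context = {'model': mock_model}

        # No user is going to be logged-in: the context carries a visitor
        # address in place of a user name.
        # NOTE(review): this literal was masked in the listing; '127.0.0.1'
        # is the address the message-asserting variant of this test expects
        # -- confirm against the project's test module.
        context['user'] = '127.0.0.1'

        # The visitor's request targets Fred's user account.
        params = {
            'id': fred.id,
            'name': 'updated_user_name',
        }

        # The call must raise NotAuthorized. Checking the exception type
        # rather than a message keeps the test independent of the error
        # wording.
        nose.tools.assert_raises(logic.NotAuthorized,
                                 helpers.call_auth,
                                 'user_update',
                                 context=context,
                                 **params)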
Ejemplo n.º 7
    def test_user_update_with_no_user_in_context(self):
        '''user_update raises NotAuthorized when context['user'] is None.'''

        # The account that the update request targets.
        target = factories.MockUser(name='fred')

        # Stand-in for ckan.model, handed over through the context instead of
        # patching the ckan.model import. User.get() returns the target user.
        model_stub = mock.MagicMock()
        model_stub.User.get.return_value = target

        # The 'user' key is present but empty: nobody is logged in.
        auth_context = {'model': model_stub, 'user': None}

        # The unauthenticated request must be refused with an exception.
        nose.tools.assert_raises(
            logic.NotAuthorized,
            helpers.call_auth,
            'user_update',
            context=auth_context,
            id=target.id,
            name='updated_user_name',
        )
Ejemplo n.º 8
    def test_user_generate_apikey_for_another_user(self):
        '''A logged-in user may not generate an API key for another user.'''
        # Fred owns the account the key is requested for; Bob is the caller.
        key_owner = factories.MockUser(name='fred')
        caller = factories.MockUser(name='bob')

        # Mock ckan.model whose User.get() resolves every id to Fred.
        model_stub = mock.MagicMock()
        model_stub.User.get.return_value = key_owner

        # auth_user_obj shows user as logged in for non-anonymous auth
        # functions, so the refusal below is about the caller not being the
        # account owner, not about being anonymous.
        auth_context = {
            'model': model_stub,
            'auth_user_obj': caller,
            'user': caller.name,
        }

        # An API key is a credential: asking for one on someone else's
        # account must raise NotAuthorized.
        nose.tools.assert_raises(
            logic.NotAuthorized,
            helpers.call_auth,
            'user_generate_apikey',
            context=auth_context,
            id=key_owner.id,
        )
Ejemplo n.º 9
    def test_user_generate_apikey_without_logged_in_user(self):
        '''Generating an API key with no logged-in user is refused.'''
        # Fred owns the account the key is requested for.
        key_owner = factories.MockUser(name='fred')

        # Mock ckan.model whose User.get() resolves every id to Fred.
        model_stub = mock.MagicMock()
        model_stub.User.get.return_value = key_owner

        # No 'auth_user_obj' and a None 'user': the request is anonymous.
        auth_context = {'model': model_stub, 'user': None}

        nose.tools.assert_raises(
            logic.NotAuthorized,
            helpers.call_auth,
            'user_generate_apikey',
            context=auth_context,
            id=key_owner.id,
        )
Ejemplo n.º 10
    def test_user_generate_own_apikey(self):
        '''A logged-in user may generate an API key for her own account.'''
        # Fred is both the caller and the owner of the target account.
        fred = factories.MockUser(name='fred')

        # Mock ckan.model whose User.get() resolves every id to Fred.
        model_stub = mock.MagicMock()
        model_stub.User.get.return_value = fred

        # auth_user_obj shows user as logged in for non-anonymous auth
        # functions
        auth_context = {
            'model': model_stub,
            'auth_user_obj': fred,
            'user': fred.name,
        }

        outcome = helpers.call_auth(
            'user_generate_apikey',
            context=auth_context,
            id=fred.id,
        )
        # This test checks the return value against True itself, not
        # against a dict with a 'success' key.
        assert outcome is True
Ejemplo n.º 11
 def test_mockuser_factory(self):
     '''Two users built by the MockUser factory carry different ids.'''
     # Build two mock users with default arguments and compare their 'id'
     # entries; equal ids would make distinct accounts indistinguishable in
     # the tests that rely on this factory.
     first_user = factories.MockUser()
     second_user = factories.MockUser()
     assert_not_equals(first_user['id'], second_user['id'])