Ejemplo n.º 1
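def test_creating_new_unqualified_users_without_edit_qualifications(
        client, app, test_user, auth):
    """Create an unqualified user while lacking ``edit_qualifications``.

    User 1 has ``edit_qualifications`` revoked first. The POST then asks for
    a new account that holds neither that permission nor any qualification,
    and the test expects the request to be accepted.
    """
    # Presumably user 1 is the "test" account that logs in below -- confirm
    # against the fixtures.
    with app.app_context():
        creator = User.query.get(1)
        creator.edit_qualifications = False
        db.session.commit()

    auth.login("test")
    test_user.update({
        # Has to be the name the response assertion below expects.
        "username": "a_new_user",
        "password": "******",
        "edit_qualifications": False,
        "qualifications": [],
    })
    response = client.post("/api/v1/users", json=test_user)
    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "a_new_user"
    assert response.json["qualifications"] == []
    assert not response.json["edit_qualifications"]
    # The credential must never be echoed back in the API response.
    assert "password" not in response.json

    # Confirm the account was stored exactly once with the submitted password.
    with app.app_context():
        assert count_users_with_name(test_user["username"]) == 1
        assert is_password_correct(test_user["username"],
                                   test_user["password"])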
Ejemplo n.º 2
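def test_create_user_command(runner, app):
    """The ``create-user`` CLI command stores a user with the given flags.

    The permission options are passed in several boolean spellings ("no",
    "false", "0", "1") and both as separate arguments and in ``--opt=value``
    form; the assertions check that each one ends up as the expected flag.
    """
    # NOTE(review): outside of tests, a password given on the command line
    # ends up in shell history and process listings -- check whether the
    # command also supports prompting for it.
    result = runner.invoke(args=[
        "create-user",
        "--username",
        "test2",
        "--password",
        "123456",
        "--create-users",
        "no",
        "--update-users=1",
        "--edit-qualifications",
        "false",
        "--create-items=0",
        "--manage-checkouts=1",
    ])
    assert "Created user" in result.output

    with app.app_context():
        # Look up the account under the name passed to --username above.
        created = User.query.filter_by(username="test2").first()
        assert created is not None
        assert is_password_correct("test2", "123456")
        assert not created.create_users
        assert created.update_users
        assert not created.edit_qualifications
        assert not created.create_items
        assert created.manage_checkouts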
Ejemplo n.º 3
def test_updating_user_permissions_subset(client, app, test_user, auth):
    """Reducing the permissions of user 1 is accepted.

    ``edit_qualifications`` is revoked in the database first; the PUT then
    asks for that flag and ``update_users`` to be off and sets a new password.
    """
    with app.app_context():
        target = User.query.get(1)
        target.edit_qualifications = False
        db.session.commit()

    auth.login("test")
    test_user.update(
        password="******",
        edit_qualifications=False,
        update_users=False,
    )
    response = client.put("/api/v1/users/1", json=test_user)
    assert response.status_code == 200
    assert response.is_json
    body = response.json
    assert body["username"] == "test"
    assert body["qualifications"] == [{"id": 1, "name": "Driver's License"}]
    assert not body["update_users"]
    assert not body["edit_qualifications"]
    # The credential must never be echoed back in the API response.
    assert "password" not in body

    # The stored record has to reflect the reduced permissions and the new
    # password.
    with app.app_context():
        stored = User.query.get(1)
        assert not stored.edit_qualifications
        assert not stored.update_users
        assert is_password_correct(test_user["username"],
                                   test_user["password"])
Ejemplo n.º 4
def test_updating_user_unauthenticated(client, app, test_user):
    """A PUT without a login is refused and the stored account is untouched."""
    test_user.update({"password": "******"})
    response = client.put("/api/v1/users/1", json=test_user)
    assert response.status_code == 403
    assert response.is_json
    assert response.json["reason"] == "authentication_required"

    # Check the database as well: a refusal that had still written the new
    # password would pass the response assertions above.
    username = test_user["username"]
    with app.app_context():
        assert count_users_with_name(username) == 1
        assert not is_password_correct(username, test_user["password"])
Ejemplo n.º 5
def test_creating_existing_user(client, app, test_user, auth):
    """Posting a username that already exists is rejected with ``user_exists``."""
    auth.login("test")
    test_user["password"] = "******"
    response = client.post("/api/v1/users", json=test_user)
    assert response.status_code == 400
    assert response.is_json
    assert response.json["reason"] == "user_exists"

    # The rejected request must neither add a duplicate row nor overwrite the
    # existing account's password.
    username = test_user["username"]
    with app.app_context():
        assert count_users_with_name(username) == 1
        assert not is_password_correct(username, test_user["password"])
Ejemplo n.º 6
def test_updating_user_with_insufficient_permissions(client, app, test_user,
                                                     auth):
    """A logged-in user lacking the needed permission cannot update user 1."""
    auth.login("min_permissions_user")
    test_user.update({"password": "******"})
    response = client.put("/api/v1/users/1", json=test_user)
    assert response.status_code == 403
    assert response.is_json
    assert response.json["reason"] == "insufficient_permissions"

    # Authorization has to be enforced before any write: the target account
    # must still exist once and keep its old password.
    username = test_user["username"]
    with app.app_context():
        assert count_users_with_name(username) == 1
        assert not is_password_correct(username, test_user["password"])
Ejemplo n.º 7
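def test_handle_registration_with_valid_toke(client, app):
    """Registering with a valid token creates the user and consumes the token."""
    # Username and password must be the ones checked against the database
    # at the end of this test.
    response = client.post(
        "/api/v1/registration/valid",
        json={
            "username": "new_user",
            "password": "abc",
            "repeat_password": "abc",
        },
    )
    assert response.status_code == 200
    assert response.is_json
    assert response.json["success"]

    with app.app_context():
        assert User.query.filter_by(username="new_user").count() == 1
        # A registration token is single-use: it must be gone afterwards.
        assert RegistrationToken.query.filter_by(token="valid").count() == 0
        assert is_password_correct("new_user", "abc")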
Ejemplo n.º 8
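def test_handle_registration_with_existing_user(client, app):
    """Registering an already-taken username looks like success to the caller.

    The request names the existing account "test". The response has to match
    the new-user case, while the stored password of that account stays as it
    was and the token is still used up.
    """
    # The username has to be an existing account for this path to be
    # exercised; "test" / "abc" are the values the final assertion checks.
    response = client.post(
        "/api/v1/registration/valid",
        json={
            "username": "test",
            "password": "abc",
            "repeat_password": "abc",
        },
    )

    # Need to return the same as with new user to avoid user enumeration.
    # Only the response is compared here; timing differences between the two
    # paths are not covered by this test.
    assert response.status_code == 200
    assert response.is_json
    assert response.json["success"]

    with app.app_context():
        # No duplicate row, token consumed, existing credential not replaced.
        assert User.query.filter_by(username="test").count() == 1
        assert RegistrationToken.query.filter_by(token="valid").count() == 0
        assert not is_password_correct("test", "abc")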
Ejemplo n.º 9
def test_updating_user_permissions_not_subset(client, app, test_user, auth):
    """An update is refused with ``permissions_not_subset`` and changes nothing.

    ``edit_qualifications`` is revoked on user 1 before the PUT. Presumably
    the ``test_user`` fixture still requests that permission, which is what
    triggers the refusal -- confirm against the fixture.
    """
    with app.app_context():
        target = User.query.get(1)
        target.edit_qualifications = False
        db.session.commit()

    auth.login("test")
    test_user["password"] = "******"
    response = client.put("/api/v1/users/1", json=test_user)
    assert response.status_code == 403
    assert response.is_json
    assert response.json["reason"] == "permissions_not_subset"

    # The refused request must not have re-granted the permission or changed
    # the password as a side effect.
    with app.app_context():
        stored = User.query.get(1)
        assert not stored.edit_qualifications
        assert not is_password_correct(test_user["username"],
                                       test_user["password"])
Ejemplo n.º 10
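def test_updating_user_except_password(client, app, test_user, auth):
    """A PUT that omits ``password`` renames the user and keeps the password."""
    auth.login("test")
    # New name; has to match the username asserted on the response below.
    test_user["username"] = "test_1"
    del test_user["password"]
    response = client.put("/api/v1/users/1", json=test_user)
    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "test_1"
    assert response.json["qualifications"] == [{
        "id": 1,
        "name": "Driver's License"
    }]
    assert response.json["update_users"]
    # The credential must never be echoed back in the API response.
    assert "password" not in response.json

    with app.app_context():
        # The old name is gone, the new one exists once, and the password is
        # still the previous one ("test").
        assert count_users_with_name("test") == 0
        assert count_users_with_name(test_user["username"]) == 1
        assert is_password_correct(test_user["username"], "test")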
Ejemplo n.º 11
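def test_creating_new_users(client, app, test_user, auth):
    """Creating a user stores the account, its password and its qualification."""
    auth.login("test")
    # The username has to match the one asserted on the response below.
    test_user.update({"username": "a_new_user", "password": "******"})
    response = client.post("/api/v1/users", json=test_user)
    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "a_new_user"
    assert response.json["qualifications"] == [{
        "id": 1,
        "name": "Driver's License"
    }]
    assert response.json["update_users"]
    # The credential must never be echoed back in the API response.
    assert "password" not in response.json

    with app.app_context():
        assert count_users_with_name(test_user["username"]) == 1
        assert is_password_correct(test_user["username"],
                                   test_user["password"])
        # The qualification has to be persisted, not just echoed in the
        # response.
        created = User.query.filter_by(
            username=test_user["username"]).first()
        assert created.qualifications[0].id == 1
        assert created.qualifications[0].name == "Driver's License"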
Ejemplo n.º 12
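def test_update_self_password(client, app, auth):
    """A user can change their own password through ``/api/v1/users/me``.

    The account logs in as ``min_permissions_user`` and submits a payload with
    every permission flag off, so the change does not depend on any user
    management permission in the request.
    """
    auth.login("min_permissions_user")
    response = client.put(
        "/api/v1/users/me",
        json={
            # Presumably the id of min_permissions_user -- confirm against
            # the fixtures.
            "id": 2,
            # Username and password are the values asserted further down.
            "username": "min_permissions_user",
            "password": "a_new_password",
            "create_users": False,
            "update_users": False,
            "edit_qualifications": False,
            "create_items": False,
            "manage_checkouts": False,
            "qualifications": [],
        },
    )
    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "min_permissions_user"
    # The credential must never be echoed back in the API response.
    assert "password" not in response.json

    with app.app_context():
        assert is_password_correct("min_permissions_user", "a_new_password")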