def test_new_user_not_authed():
try:
ru = User.create_user("teacher_coll1")
User.create_new_user(ru, 'college-1', 'first', 'last')
assert False
except Exception as e:
assert "teacher_coll1" in str(e)
def test_new_user_not_allowed():
try:
ru = User.create_user("student_coll1_1", "cows")
User.create_new_user(ru, 'college-1', 'first', 'last')
assert False
except Exception as e:
assert "student_coll1_1" in str(e)
def verify_email(username, code):
"""
Verifies to the system that an email address exists, and assigns it to a user.
Expected to be used only by users clicking links in email-verfication emails.
Not part of the documented API.
"""
change_request = PendingEmail(username)
if not change_request.in_db:
return "No such change request", 404
if change_request.age > timedelta(days = 2):
return "Request not valid", 410
if change_request.verify_code != code:
return "Invalid verification code", 403
log_action('changing email', user = username, new_email = change_request.new_email)
u = User(change_request.username)
u.set_email(change_request.new_email)
u.save()
return "Email address successfully changed", 200
def helper(username, password):
u = User.create_user(username, password)
u1 = User.create_user(username, password)
assert u.can_view(u), "should be able to same instance"
assert u.can_view(u1), "should be able to see other authenticated self"
u2 = User.create_user(username)
assert u.can_view(u2), "should be able to see other plain self"
def verify_email(username, code):
"""
Verifies to the system that an email address exists, and assigns it to a user.
Expected to be used only by users clicking links in email-verfication emails.
Not part of the documented API.
"""
change_request = PendingEmail(username)
if not change_request.in_db:
return "No such change request", 404, PLAINTEXT_HEADER
email_change_days = config.config.getint('nemesis', 'email_change_days')
max_age = timedelta(days = email_change_days)
if change_request.age > max_age:
return "Request not valid", 410, PLAINTEXT_HEADER
if change_request.verify_code != code:
return "Invalid verification code", 403, PLAINTEXT_HEADER
log_action('changing email', user = username, new_email = change_request.new_email)
u = User(change_request.username)
u.set_email(change_request.new_email)
u.save()
return "Email address successfully changed", 200, PLAINTEXT_HEADER
def test_email_change_request():
""" Test that change requests via POST at /user/ are handled correclty. """
username = "******"
old_email = User(username).email
new_email = "*****@*****.**"
params = {
"username": "******",
"password": "******",
"new_email": new_email,
}
r, data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200, data
user = User(username)
assert user.email == old_email
ps = test_helpers.last_email()
toaddr = ps.toaddr
assert toaddr == new_email
vars = ps.template_vars
first_name = user.first_name
assert first_name == vars['name']
template = ps.template_name
assert template == 'change_email'
test_helpers.assert_load_template(template, vars)
pe = PendingEmail(username)
assert pe.in_db
assert pe.new_email == new_email
def test_student_post_doesnt_set_first_last_name():
old_first = "student1i"
old_last = "student"
params = {
"username": "******",
"password": "******",
"new_first_name": "asdf",
"new_last_name": "cheese",
}
r, data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200
details_dict = User("student_coll1_1").details_dictionary_for(
User.create_user("student_coll1_1", "cows"))
# restore original data
u = User("student_coll1_1")
u.set_first_name(old_first)
u.set_last_name(old_last)
u.save()
assert details_dict["first_name"] == old_first
assert details_dict["last_name"] == old_last
def test_authed_teachers_cant_see_blueshirt():
u1 = User.create_user("teacher_coll1", "facebees")
u2 = User.create_user("teacher_coll2", "noway")
users = [u1, u2]
a = User.create_user("blueshirt")
assert not any([u.can_administrate(a) for u in users])
def test_new_user_wrong_college():
try:
ru = User.create_user("teacher_coll1", "facebees")
User.create_new_user(ru, 'college-2', 'first', 'last')
assert False
except Exception as e:
assert "teacher_coll1" in str(e)
assert 'college-2' in str(e)
def register_user(requesting_user):
if not requesting_user.can_register_users:
return json.dumps({"error":"YOU_CANT_REGISTER_USERS"}), 403
teacher_username = requesting_user.username
college_group = request.form["college"].strip()
first_name = request.form["first_name"].strip()
last_name = request.form["last_name"].strip()
email = request.form["email"].strip()
team = request.form["team"].strip()
if College(college_group) not in requesting_user.colleges:
return json.dumps({"error":"BAD_COLLEGE"}), 403
if team not in [t.name for t in College(college_group).teams]:
return json.dumps({"error":"BAD_TEAM"}), 403
if not helpers.is_email_valid(email):
return json.dumps({"error":"BAD_EMAIL"}), 403
if not helpers.is_name_valid(first_name):
return json.dumps({"error":"BAD_FIRST_NAME"}), 403
if not helpers.is_name_valid(last_name):
return json.dumps({"error":"BAD_LAST_NAME"}), 403
if User.name_used(first_name, last_name) or helpers.email_used(email):
return json.dumps({"error":"DETAILS_ALREADY_USED"}), 403
u = User.create_new_user(requesting_user, college_group, first_name, last_name)
verify_code = helpers.create_verify_code(u.username, email)
pu = PendingUser(u.username)
pu.teacher_username = teacher_username
pu.college = college_group
pu.email = email
pu.team = team
pu.verify_code = verify_code
pu.save()
log_action('registering user', pu)
url = url_for('activate_account', username=u.username, code=verify_code, _external=True)
pu.send_welcome_email(first_name, url)
rqu_email_vars = { 'name': requesting_user.first_name,
'activation_days': ACTIVATION_DAYS,
'pu_first_name': first_name,
'pu_last_name': last_name,
'pu_username': pu.username,
'pu_college': College(pu.college).name,
'pu_email': pu.email,
'pu_team': pu.team
}
mailer.email_template(requesting_user.email, 'user_requested', rqu_email_vars)
return "{}", 202
def form_helper(rq_user, rq_pass, new_fname, new_lname):
new_email = "*****@*****.**"
params = {
"username": rq_user,
"password": rq_pass,
"first_name": new_fname,
"last_name": new_lname,
"email": new_email,
"team": "team-ABC",
"college": "college-1"
}
r, data = test_helpers.server_post("/registrations", params)
status = r.status
assert status == 202, data
created = User.create_user('1_rt1')
assert created.email == ''
pending = PendingUser('1_rt1')
assert pending.email == "*****@*****.**"
assert pending.team == "team-ABC"
assert pending.college == "college-1"
email_datas = test_helpers.last_n_emails(2)
student_ps = email_datas[0]
template = student_ps.template_name
assert template == 'new_user'
to = student_ps.toaddr
assert to == new_email
vars = student_ps.template_vars
assert new_fname == vars['name']
vcode = pending.verify_code
assert vcode in vars['activation_url']
test_helpers.assert_load_template(template, vars)
teacher = User.create_user(rq_user)
teacher_ps = email_datas[1]
template = teacher_ps.template_name
assert template == 'user_requested'
to = teacher_ps.toaddr
assert to == teacher.email
vars = teacher_ps.template_vars
assert new_fname == vars['pu_first_name']
assert new_lname == vars['pu_last_name']
assert new_email == vars['pu_email']
assert '1_rt1' == vars['pu_username']
assert 'team-ABC' == vars['pu_team']
assert 'college the first' == vars['pu_college']
vars_str = teacher_ps.template_vars_json
assert vcode not in vars_str, "Should not contain the verification code."
test_helpers.assert_load_template(template, vars)
def set_user_details(requesting_user, userid):
user_to_update = User.create_user(userid)
can_admin = requesting_user.can_administrate(user_to_update)
if request.form.get(
"media_consent"
) == 'true' and requesting_user.can_record_media_consent:
if not user_to_update.has_media_consent:
user_to_update.got_media_consent()
notify_ticket_available(user_to_update)
user_to_update.save()
if not can_admin:
return '{}', 200
elif not can_admin:
return AUTHORIZATION_DENIED
assert can_admin
user_to_update = User.create_user(userid)
if request.form.has_key("new_email") and not requesting_user.is_blueshirt:
new_email = request.form["new_email"]
request_new_email(user_to_update, new_email)
# Students aren't allowed to update their own names
# at this point, if the requesting_user is valid, we know it's a self-edit
if not requesting_user.is_student:
fname = request.form.get("new_first_name")
if fname:
user_to_update.set_first_name(fname)
lname = request.form.get("new_last_name")
if lname:
user_to_update.set_last_name(lname)
if request.form.has_key("new_team"):
team = request.form["new_team"]
if (not user_to_update.is_blueshirt
) and requesting_user.manages_team(team):
user_to_update.set_team(team)
if request.form.has_key(
"new_type"
) and requesting_user.is_teacher and user_to_update != requesting_user:
if request.form["new_type"] == 'student':
user_to_update.make_student()
elif request.form["new_type"] == 'team-leader':
user_to_update.make_teacher()
if request.form.get("withdrawn") == 'true' and not user_to_update.has_withdrawn \
and requesting_user.can_withdraw(user_to_update):
user_to_update.withdraw()
user_to_update.save()
# Do this separately and last because it makes an immediate change
# to the underlying database, rather than waiting for save().
if request.form.has_key("new_password"):
user_to_update.set_password(request.form["new_password"])
return '{}', 200
def form_helper(rq_user, rq_pass, new_fname, new_lname):
new_email = "*****@*****.**"
params = {"username":rq_user,
"password":rq_pass,
"first_name":new_fname,
"last_name":new_lname,
"email":new_email,
"team":"team-ABC",
"college":"college-1"}
r,data = test_helpers.server_post("/registrations", params)
status = r.status
assert status == 202, data
created = User.create_user('1_rt1')
assert created.email == ''
pending = PendingUser('1_rt1')
assert pending.email == "*****@*****.**"
assert pending.team == "team-ABC"
assert pending.college == "college-1"
email_datas = test_helpers.last_n_emails(2)
student_ps = email_datas[0]
template = student_ps.template_name
assert template == 'new_user'
to = student_ps.toaddr
assert to == new_email
vars = student_ps.template_vars
assert new_fname == vars['name']
vcode = pending.verify_code
assert vcode in vars['activation_url']
test_helpers.assert_load_template(template, vars)
teacher = User.create_user(rq_user)
teacher_ps = email_datas[1]
template = teacher_ps.template_name
assert template == 'user_requested'
to = teacher_ps.toaddr
assert to == teacher.email
vars = teacher_ps.template_vars
assert new_fname == vars['pu_first_name']
assert new_lname == vars['pu_last_name']
assert new_email == vars['pu_email']
assert '1_rt1' == vars['pu_username']
assert 'team-ABC' == vars['pu_team']
assert 'college the first' == vars['pu_college']
vars_str = teacher_ps.template_vars_json
assert vcode not in vars_str, "Should not contain the verification code."
test_helpers.assert_load_template(template, vars)
def test_post_sets_own_password_and_name():
old_password = "******"
new_password = '******'
old_first = "Blue"
old_last = "Shirt"
params = {"username":"******",
"password":old_password,
"new_password":new_password,
"new_first_name":'new_first',
"new_last_name":'new_last',
}
r,data = test_helpers.server_post("/user/blueshirt", params)
assert r.status == 200
assert User("blueshirt")._user.bind(new_password)
u = User("blueshirt")
first = u.first_name
last = u.last_name
u.set_password(old_password)
u.set_first_name(old_first)
u.set_last_name(old_last)
u.save()
assert first == 'new_first'
assert last == 'new_last'
def clear_old_registrations():
for pu in PendingUser.ListAll():
# deliberately a larger delta than we restrict against to avoid
# accidentally removing vaild entries
if pu.age > timedelta(days = 3):
pu.delete()
expired = User(pu.username)
expired.delete()
team_leader = User(pu.teacher_username)
inform_team_lead_registration_expired(team_leader, expired)
def helper(other_username):
blueshirt = User.create_user("blueshirt-extra", "blueshirt")
competitor = User.create_user(other_username)
assert blueshirt.can_view(competitor), "Sanity check"
details = competitor.details_dictionary_for(blueshirt)
for keyname in ["username", "first_name", "last_name", "is_student", \
"is_team_leader", "has_withdrawn", "has_media_consent", \
"teams", "colleges"]:
assert keyname in details
assert not 'email' in details, "No need to be able to see their email"
def test_post_doesnt_set_blank_last_name():
old_last = User("student_coll1_1").last_name
params = {
"username": "******",
"password": "******",
"new_last_name": "",
}
r, data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200
assert User("student_coll1_1").last_name == old_last
def test_set_password():
u = User.create_user("teacher_coll1", "facebees")
u.set_password("bacon")
u.save()
u = User.create_user("teacher_coll1", "bacon")
assert u.can_administrate("student_coll1_1")
u.set_password("facebees")
u.save()
def test_registration_rq_from_blueshirt():
new_email = "*****@*****.**"
params = {
"username": "******",
"password": "******",
"first_name": NEW_USER_FNAME,
"last_name": NEW_USER_LNAME,
"email": new_email,
"team": "team-ABC",
"college": "college-1",
}
r, data = test_helpers.server_post("/registrations", params)
status = r.status
assert status == 202, data
created = User.create_user("1_rt1")
assert created.email == ""
pending = PendingUser("1_rt1")
assert pending.email == "*****@*****.**"
assert pending.team == "team-ABC"
assert pending.college == "college-1"
email_datas = test_helpers.last_n_emails(2)
student_ps = email_datas[0]
template = student_ps.template_name
assert template == "new_user"
to = student_ps.toaddr
assert to == new_email
vars = student_ps.template_vars
assert NEW_USER_FNAME == vars["name"]
vcode = pending.verify_code
assert vcode in vars["activation_url"]
teacher = User.create_user("blueshirt")
teacher_ps = email_datas[1]
template = teacher_ps.template_name
assert template == "user_requested"
to = teacher_ps.toaddr
assert to == teacher.email
vars = teacher_ps.template_vars
assert NEW_USER_FNAME == vars["pu_first_name"]
assert NEW_USER_LNAME == vars["pu_last_name"]
assert new_email == vars["pu_email"]
assert "1_rt1" == vars["pu_username"]
assert "team-ABC" == vars["pu_team"]
assert "college the first" == vars["pu_college"]
vars_str = teacher_ps.template_vars_json
assert vcode not in vars_str, "Should not contain the verification code."
def clear_old_registrations():
for pu in PendingUser.ListAll():
# deliberately a larger delta than we restrict against to avoid
# accidentally removing vaild entries
if pu.age > timedelta(days=3):
log_action('expiring registration', pu)
pu.delete()
expired = User(pu.username)
expired.delete()
team_leader = User(pu.teacher_username)
inform_team_lead_registration_expired(team_leader, expired)
def set_user_details(requesting_user, userid):
user_to_update = User.create_user(userid)
can_admin = requesting_user.can_administrate(user_to_update)
if request.form.get("media_consent") == 'true' and requesting_user.can_record_media_consent:
if not user_to_update.has_media_consent:
user_to_update.got_media_consent()
notify_ticket_available(user_to_update)
user_to_update.save()
if not can_admin:
return '{}', 200
elif not can_admin:
return AUTHORIZATION_DENIED
assert can_admin
user_to_update = User.create_user(userid)
if request.form.has_key("new_email") and not requesting_user.is_blueshirt:
new_email = request.form["new_email"]
request_new_email(user_to_update, new_email)
# Students aren't allowed to update their own names
# at this point, if the requesting_user is valid, we know it's a self-edit
if not requesting_user.is_student:
fname = request.form.get("new_first_name")
if fname:
user_to_update.set_first_name(fname)
lname = request.form.get("new_last_name")
if lname:
user_to_update.set_last_name(lname)
if request.form.has_key("new_team"):
team = request.form["new_team"]
if (not user_to_update.is_blueshirt) and requesting_user.manages_team(team):
user_to_update.set_team(team)
if request.form.has_key("new_type") and requesting_user.is_teacher and user_to_update != requesting_user:
if request.form["new_type"] == 'student':
user_to_update.make_student()
elif request.form["new_type"] == 'team-leader':
user_to_update.make_teacher()
if request.form.get("withdrawn") == 'true' and not user_to_update.has_withdrawn \
and requesting_user.can_withdraw(user_to_update):
user_to_update.withdraw()
user_to_update.save()
# Do this separately and last because it makes an immediate change
# to the underlying database, rather than waiting for save().
if request.form.has_key("new_password"):
user_to_update.set_password(request.form["new_password"])
return '{}', 200
def register_user():
ah = AuthHelper(request)
if ah.auth_will_succeed:
requesting_user = ah.user
if requesting_user.can_register_users:
teacher_username = requesting_user.username
college_group = request.form["college"].strip()
first_name = request.form["first_name"].strip()
last_name = request.form["last_name"].strip()
email = request.form["email"].strip()
team = request.form["team"].strip()
if College(college_group) not in requesting_user.colleges:
return json.dumps({"error":"BAD_COLLEGE"}), 403
if team not in [t.name for t in College(college_group).teams]:
return json.dumps({"error":"BAD_TEAM"}), 403
if User.name_used(first_name, last_name) or helpers.email_used(email):
return json.dumps({"error":"DETAILS_ALREADY_USED"}), 403
u = User.create_new_user(requesting_user, college_group, first_name, last_name)
verify_code = helpers.create_verify_code(u.username, email)
pu = PendingUser(u.username)
pu.teacher_username = teacher_username
pu.college = college_group
pu.email = email
pu.team = team
pu.verify_code = verify_code
pu.save()
url = url_for('activate_account', username=u.username, code=verify_code, _external=True)
pu.send_welcome_email(first_name, url)
rqu_email_vars = { 'name': requesting_user.first_name,
'pu_first_name': first_name,
'pu_last_name': last_name,
'pu_username': pu.username,
'pu_college': College(pu.college).name,
'pu_email': pu.email,
'pu_team': pu.team
}
mailer.email_template(requesting_user.email, 'user_requested', rqu_email_vars)
return "{}", 202
else:
return json.dumps({"error":"YOU_CANT_REGISTER_USERS"}),403
else:
return ah.auth_error_json, 403
def test_post_sets_others_password():
old_password = "******"
params = {"username":"******",
"password":"******",
"new_password":"******",
}
r,data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200
assert User("student_coll1_1")._user.bind("com")
u = User("student_coll1_1")
u.set_password(old_password)
u.save()
def test_team_leader_can_become_student():
# We need to test against another teacher, because team leaders demoting themselves is not allowed
u = User("student_coll1_1")
u.make_teacher()
u.save()
params = {"username": "******",
"password": "******",
"new_type": "student",
}
r,data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200
assert not User("student_coll1_1").is_teacher
def test_registration_name_in_use():
params = {"username":"******",
"password":"******",
"first_name":'student2', # student_coll1_2
"last_name":'student',
"email":"*****@*****.**",
"team":"team-ABC",
"college":"college-1"}
r,data = test_helpers.server_post("/registrations", params)
status = r.status
assert status == 403, data
assert 'DETAILS_ALREADY_USED' in data
assert len(test_helpers.get_registrations()) == 0
try:
created = User.create_user('1_ss1')
assert False, "Should not have created user"
except:
pass
pending = PendingUser('1_ss1')
assert not pending.in_db
test_helpers.assert_no_emails()
def test_registration_bad_frist_name():
params = {"username":"******",
"password":"******",
"first_name":NEW_USER_FNAME,
"last_name":'2'+NEW_USER_LNAME,
"email":"*****@*****.**",
"team":"team-ABC",
"college":"college-1"}
r,data = test_helpers.server_post("/registrations", params)
assert r.status == 403
assert 'BAD_LAST_NAME' in data
assert len(test_helpers.get_registrations()) == 0
try:
created = User.create_user('1_rt1')
assert False, "Should not have created user"
except:
pass
pending = PendingUser('1_rt1')
assert not pending.in_db
test_helpers.assert_no_emails()
def test_post_by_blueshirt(self):
params = {"username": "******", "password": "******"}
r, data = test_helpers.server_post(
"/send-password-reset/student_coll1_1", params)
self.assertEqual(202, r.status, data)
user = User('student_coll1_1')
ps = test_helpers.last_email()
toaddr = ps.toaddr
self.assertEqual(user.email, toaddr)
vars = ps.template_vars
self.assertEqual(user.first_name, vars['name'], "Wrong first name")
self.assertEqual('Blue Shirt', vars['requestor_name'],
"Wrong requestor name")
template = ps.template_name
self.assertEqual('password_reset', template, "Wrong email template")
test_helpers.assert_load_template(template, vars)
ppr = PendingPasswordReset('student_coll1_1')
self.assertTrue(ppr.in_db,
"{0} should been in the database.".format(ppr))
self.assertEqual('blueshirt', ppr.requestor_username,
"Wrong requestor username.")
self.assertIn(ppr.verify_code, vars['password_reset_url'],
"Wrong verify code")
def test_user_properties_team_leader():
u = User.create_user("teacher_coll2", "noway")
data = u.details_dictionary_for(u)
assert data['is_team_leader']
assert not data['is_student']
assert not data['is_blueshirt']
def test_user_properties_student():
u = User.create_user("student_coll1_1", "cows")
data = u.details_dictionary_for(u)
assert data['is_student']
assert not data['is_team_leader']
assert not data['is_blueshirt']
def test_authed_teacher_cant_see_other_students():
a = User.create_user("teacher_coll1", "facebees")
users = ["student_coll2_1", "student_coll2_2"]
results = [a.can_administrate(user) for user in users]
assert not any(results)
def test_authed_blueshirt_cant_see_other_students():
a = User.create_user("blueshirt", "blueshirt")
users = ["student_coll2_2", "student_coll2_1"]
results = [a.can_administrate(user) for user in users]
assert not any(results)
def test_registration_rq_from_student():
test_helpers.delete_db()
params = {"username":"******",
"password":"******",
"first_name":"register",
"last_name":"this.user",
"email":"*****@*****.**",
"team":"team-ABC",
"college":"college-1"}
r,data = test_helpers.server_post("/registrations", params)
status = r.status
assert status == 403
assert 'YOU_CANT_REGISTER_USERS' in data
assert len(test_helpers.get_registrations()) == 0
try:
created = User.create_user('2_rt1')
assert False, "Should not have created user"
except:
pass
pending = PendingUser('2_rt1')
assert not pending.in_db
test_helpers.assert_no_emails()
def test_post_any_blueshirt_can_record_student_media_consent():
blueshirt_mcf = srusers.user('blueshirt-mcf')
groups = blueshirt_mcf.groups()
# Sanity check
assert set(groups) == set(['mentors', 'media-consent-admin'])
params = {
"username": "******",
"password": "******",
"media_consent": 'true',
}
r, data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200, (r.status, data)
u = User("student_coll1_1")
assert u.has_media_consent
ps = test_helpers.last_email()
toaddr = ps.toaddr
expected_addr = u.email
assert toaddr == expected_addr
vars = ps.template_vars
first_name = u.first_name
assert first_name == vars['first_name']
template = ps.template_name
assert template == 'ticket_available'
test_helpers.assert_load_template(template, vars)
def test_authed_blueshirt_can_see_own_students():
a = User.create_user("blueshirt", "blueshirt")
users = ["student_coll1_1", "teacher_coll1"]
results = [a.can_administrate(user) for user in users]
assert all(results)
def test_registration_email_in_use():
params = {"username":"******",
"password":"******",
"first_name":NEW_USER_FNAME,
"last_name":NEW_USER_LNAME,
"email":"*****@*****.**", # student_coll2_2
"team":"team-ABC",
"college":"college-1"}
r,data = test_helpers.server_post("/registrations", params)
assert r.status == 403
assert 'DETAILS_ALREADY_USED' in data
assert len(test_helpers.get_registrations()) == 0
try:
created = User.create_user('1_rt1')
assert False, "Should not have created user"
except:
pass
pending = PendingUser('1_rt1')
assert not pending.in_db
test_helpers.assert_no_emails()
def send_password_reset(requesting_user, userid):
user_to_update = User.create_user(userid)
if not requesting_user.can_administrate(user_to_update):
return AUTHORIZATION_DENIED
verify_code = helpers.create_verify_code(user_to_update.username,
requesting_user.username)
ppr = PendingPasswordReset(user_to_update.username)
ppr.requestor_username = requesting_user.username
ppr.verify_code = verify_code
ppr.save()
log_action('sending password reset', ppr)
url = url_for('reset_password',
username=user_to_update.username,
code=verify_code,
_external=True)
ppr.send_reset_email(
user_to_update.email,
user_to_update.first_name,
url,
"{0} {1}".format(requesting_user.first_name,
requesting_user.last_name),
)
return "{}", 202
def test_registration_bad_frist_name():
params = {"username":"******",
"password":"******",
"first_name":NEW_USER_FNAME,
"last_name":'2'+NEW_USER_LNAME,
"email":"*****@*****.**",
"team":"team-ABC",
"college":"college-1"}
r,data = test_helpers.server_post("/registrations", params)
assert r.status == 403
assert 'BAD_LAST_NAME' in data
assert len(test_helpers.get_registrations()) == 0
try:
created = User.create_user('1_rt1')
assert False, "Should not have created user"
except:
pass
pending = PendingUser('1_rt1')
assert not pending.in_db
test_helpers.assert_no_emails()
def test_registration_email_in_use():
params = {
"username": "******",
"password": "******",
"first_name": NEW_USER_FNAME,
"last_name": NEW_USER_LNAME,
"email": "*****@*****.**", # student_coll2_2
"team": "team-ABC",
"college": "college-1",
}
r, data = test_helpers.server_post("/registrations", params)
assert r.status == 403
assert "DETAILS_ALREADY_USED" in data
assert len(test_helpers.get_registrations()) == 0
try:
created = User.create_user("1_rt1")
assert False, "Should not have created user"
except:
pass
pending = PendingUser("1_rt1")
assert not pending.in_db
test_helpers.assert_no_emails()
def test_post_sets_own_password():
old_password = "******"
new_password = '******'
params = {"username":"******",
"password":old_password,
"new_password":new_password,
}
r,data = test_helpers.server_post("/user/blueshirt", params)
assert r.status == 200
assert User("blueshirt")._user.bind(new_password)
u = User("blueshirt")
u.set_password(old_password)
u.save()
def test_registration_rq_from_student():
test_helpers.delete_db()
params = {
"username": "******",
"password": "******",
"first_name": "register",
"last_name": "this.user",
"email": "*****@*****.**",
"team": "team-ABC",
"college": "college-1",
}
r, data = test_helpers.server_post("/registrations", params)
status = r.status
assert status == 403
assert "YOU_CANT_REGISTER_USERS" in data
assert len(test_helpers.get_registrations()) == 0
try:
created = User.create_user("2_rt1")
assert False, "Should not have created user"
except:
pass
pending = PendingUser("2_rt1")
assert not pending.in_db
test_helpers.assert_no_emails()
def test_college_set_in_user():
u = User.create_user('st_user1')
u.set_college(NEW_COLLEGE_NAME)
u.save()
u_colleges = u.colleges
assert set(u_colleges) == set([NEW_COLLEGE_NAME])
def clear_old_registrations():
# deliberately a larger delta than we restrict against to avoid
# accidentally removing vaild entries
activation_days = config.getint('nemesis', 'activation_days')
activation_days += 0.5
max_age = timedelta(days = activation_days)
for pu in PendingUser.ListAll():
if pu.age > max_age:
log_action('expiring registration', pu)
pu.delete()
expired = User(pu.username)
expired.delete()
inform_competitor_registration_expired(pu.email, expired)
team_leader = User(pu.teacher_username)
inform_team_lead_registration_expired(team_leader, expired)
def test_team_set_in_user():
u = User.create_user('st_user1')
u.set_team(NEW_TEAM_NAME)
u.save()
u_teams = [t.name for t in u.teams]
assert set(u_teams) == set([NEW_TEAM_NAME])
def clear_old_registrations():
# deliberately a larger delta than we restrict against to avoid
# accidentally removing vaild entries
activation_days = config.getint('nemesis', 'activation_days')
activation_days += 0.5
max_age = timedelta(days=activation_days)
for pu in PendingUser.ListAll():
if pu.age > max_age:
log_action('expiring registration', pu)
pu.delete()
expired = User(pu.username)
expired.delete()
inform_competitor_registration_expired(pu.email, expired)
team_leader = User(pu.teacher_username)
inform_team_lead_registration_expired(team_leader, expired)
def test_team_set_in_user():
u = User.create_user('st_user1')
u.set_team(NEW_TEAM_NAME)
u.save()
u_teams = [t.name for t in u.teams]
assert set(u_teams) == set([NEW_TEAM_NAME])
def test_college_set_in_user():
u = User.create_user('st_user1')
u.set_college(NEW_COLLEGE_NAME)
u.save()
u_colleges = u.colleges
assert set(u_colleges) == set([NEW_COLLEGE_NAME])
def test_activate_success():
username = '******'
rq_user = User.create_user("teacher_coll1", "facebees")
cu = User.create_new_user(rq_user, 'college-1', 'James', 'Activate')
assert cu.username == username
pu = create_pending_user(username)
pu.save()
r,data = test_helpers.server_get("/activate/" + username + "/bibble")
status = r.status
assert status == 200, data
u = User(username)
email = u.email
assert pu.email == email
teams = [t.name for t in u.teams]
assert pu.team in teams
colleges = u.colleges
assert pu.college in colleges
students = srusers.group('students').members
assert username in students
pu = PendingUser(username)
assert not pu.in_db, "registration DB entry should have been removed"
# ensure we sent the team-leader a confirmation
ps = test_helpers.last_email()
toaddr = ps.toaddr
tl_email = rq_user.email
assert toaddr == tl_email
vars = ps.template_vars
tl_name = rq_user.first_name
assert tl_name == vars['name']
first_name = cu.first_name
assert first_name == vars['au_first_name']
last_name = cu.last_name
assert last_name == vars['au_last_name']
assert username == vars['au_username']
template = ps.template_name
assert template == 'user_activated_team_leader'
def test_activate_success():
username = '******'
rq_user = User.create_user("teacher_coll1", "facebees")
cu = User.create_new_user(rq_user, 'college-1', 'James', 'Activate')
assert cu.username == username
pu = create_pending_user(username)
pu.save()
r, data = test_helpers.server_get("/activate/" + username + "/bibble")
status = r.status
assert status == 200, data
u = User(username)
email = u.email
assert pu.email == email
teams = [t.name for t in u.teams]
assert pu.team in teams
colleges = u.colleges
assert pu.college in colleges
students = srusers.group('students').members
assert username in students
pu = PendingUser(username)
assert not pu.in_db, "registration DB entry should have been removed"
# ensure we sent the team-leader a confirmation
ps = test_helpers.last_email()
toaddr = ps.toaddr
tl_email = rq_user.email
assert toaddr == tl_email
vars = ps.template_vars
tl_name = rq_user.first_name
assert tl_name == vars['name']
first_name = cu.first_name
assert first_name == vars['au_first_name']
last_name = cu.last_name
assert last_name == vars['au_last_name']
assert username == vars['au_username']
template = ps.template_name
assert template == 'user_activated_team_leader'
def test_team_leader_can_set_team_leader():
params = {"username": "******",
"password": "******",
"new_type": "team-leader",
}
r,data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200
u = User("student_coll1_1")
is_teacher = u.is_teacher
# Clean up
u.make_student()
u.save()
# now assert (ensures the clean-up occurs)
assert is_teacher
def test_team_set_in_db():
u = User.create_user('st_user1')
u.set_team(NEW_TEAM_NAME)
u.save()
sru = srusers.user('st_user1')
sru_groups = sru.groups()
assert set(sru_groups) == set([NEW_TEAM_NAME, 'st_other_group'])
def test_college_set_in_db():
u = User.create_user('st_user1')
u.set_college(NEW_COLLEGE_NAME)
u.save()
sru = srusers.user('st_user1')
sru_groups = sru.groups()
assert set(sru_groups) == set([NEW_COLLEGE_NAME, 'st_other_group'])
def test_team_set_in_db():
u = User.create_user('st_user1')
u.set_team(NEW_TEAM_NAME)
u.save()
sru = srusers.user('st_user1')
sru_groups = sru.groups()
assert set(sru_groups) == set([NEW_TEAM_NAME, 'st_other_group'])
def test_post_teacher_sets_team():
old_team = "team-ABC"
new_team = "team-DFE"
params = {"username":"******",
"password":"******",
"new_team":new_team,
}
r,data = test_helpers.server_post("/user/student_coll1_1", params)
assert r.status == 200
u = User("student_coll1_1")
teams = [t.name for t in u.teams]
assert [new_team] == teams
u.set_team(old_team)
u.save()
def test_college_set_in_db():
u = User.create_user('st_user1')
u.set_college(NEW_COLLEGE_NAME)
u.save()
sru = srusers.user('st_user1')
sru_groups = sru.groups()
assert set(sru_groups) == set([NEW_COLLEGE_NAME, 'st_other_group'])
def test_verify_success():
username = "******"
old_email = User(username).email
new_email = "*****@*****.**"
setup_new_email('student_coll1_1', new_email, 'bees')
r,data = test_helpers.server_get("/verify/" + username + "/bees")
status = r.status
assert status == 200, data
u = User(username)
email = u.email
# restore the original first
u.set_email(old_email)
u.save()
assert email == new_email
def email_used(email):
if User.email_used(email):
return True
if any(pe.new_email == email for pe in PendingEmail.ListAll()):
return True
if any(pu.email == email for pu in PendingUser.ListAll()):
return True
return False
def test_make_student():
u = User.create_user('st_user1')
u.make_student()
u.save()
assert not u.is_teacher
students = srusers.group('students').members
assert 'st_user1' in students
teachers = srusers.group('teachers').members
assert 'st_user1' not in teachers
def test_details_dictionary_for_team_leader_member():
u = User.create_user("teacher_coll1", "facebees")
data = assert_college_1_details_dictionary_for(u)
expected_users = [
"teacher_coll1",
"student_coll1_1",
"student_coll1_2",
"withdrawn_student",
]
actual_users = data["users"]
assert actual_users == expected_users
def reset_password(username, code):
"""
Resets a user's password after they've clicked a link in an email we
sent them, then serves up a page for them to change their password.
Not part of the documented API.
"""
ppr = PendingPasswordReset(username)
if not ppr.in_db:
return "No such user account", 404, PLAINTEXT_HEADER
if ppr.age > timedelta(days = PASSWORD_RESET_DAYS):
return "Request not valid", 410, PLAINTEXT_HEADER
if ppr.verify_code != code:
return "Invalid verification code", 403, PLAINTEXT_HEADER
log_action('resetting user password', ppr)
from libnemesis import srusers
new_pass = srusers.users.GenPasswd()
u = User(username)
u.set_password(new_pass)
# No need to save since set_password happens immediately
ppr.delete()
html = open(PATH + "/templates/password_reset.html").read()
replacements = { 'first_name': u.first_name
, 'last_name': u.last_name
, 'password': new_pass
, 'username': username
, 'root': url_for('.index')
}
html = html.format(**replacements)
return html, 200, CSP_HEADER
def user_details(userid):
ah = AuthHelper(request)
if ah.auth_will_succeed and ah.user.can_administrate(userid):
user = User.create_user(userid)
details = user.details_dictionary_for(ah.user)
email_change_rq = PendingEmail(userid)
if email_change_rq.in_db:
new_email = email_change_rq.new_email
if new_email != details['email']:
details['new_email'] = new_email
return json.dumps(details), 200
else:
return ah.auth_error_json, 403
