Ejemplo n.º 1
def test_can_manage_employees_from_same_company(method, clean_app):
    """An employee is granted ``method`` on a colleague of the same company.

    Positive half of the tenant-isolation check: both employees share one
    company, so ``has_privilege`` is expected to allow the request.
    """
    shared_company = factories.CompanyFactory()
    current_user = factories.EmployeeFactory(company=shared_company)
    teammate = factories.EmployeeFactory(company=current_user.company)
    # Presumably has_privilege resolves the caller from flask.g.user.
    flask.g.user = current_user
    granted = has_privilege(
        method=method, resource="employee", employee_id=teammate.id)
    assert granted
Ejemplo n.º 2
def test_manager_can_access_employee():
    """A manager may read another employee of the same company.

    NOTE(review): no role is passed to either factory call, so both users get
    whatever role EmployeeFactory assigns by default. The manager/master
    relationship named in the comments is not exercised until roles are set.
    """
    company = factories.CompanyFactory()
    manager = factories.EmployeeFactory(company=company)  # TODO: set role to manager
    flask.g.user = manager
    target = factories.EmployeeFactory(company=company)  # TODO: set role to master
    allowed = is_allowed(
        method=Method.READ, resource="employee", employee_id=target.id)
    assert allowed
def test_can_access_same_company_employees(app, db_session):
    """Two employees with the same role and company: READ must be granted."""
    shared_company = factories.CompanyFactory()
    shared_role = factories.RoleFactory()
    current_user = factories.EmployeeFactory(
        company=shared_company, role=shared_role)
    peer = factories.EmployeeFactory(company=shared_company, role=shared_role)
    flask.g.user = current_user
    can_read = has_privilege(method=Method.READ,
                             resource="employee",
                             employee_id=peer.id)
    assert can_read
Ejemplo n.º 4
def test_owner_can_access_director():
    """An owner may read a director of the same company.

    NOTE(review): neither factory call receives a role, so the owner/director
    relationship described in the comments is not set up yet. As written the
    test only checks same-company READ between two default-role employees.
    """
    company = factories.CompanyFactory()
    owner = factories.EmployeeFactory(company=company)  # TODO: set role to owner
    flask.g.user = owner
    # TODO: set role to director
    director = factories.EmployeeFactory(company=company)
    allowed = is_allowed(
        method=Method.READ, resource="employee", employee_id=director.id)
    assert allowed
Ejemplo n.º 5
def test_administrator_can_access_director_from_other_company():
    """An administrator may read an employee who belongs to another company.

    NOTE(review): no role is assigned to either employee. Until the
    administrator role is actually set, a passing run would mean that a
    default-role employee can read across companies, which is the opposite of
    the isolation the rest of the suite expects. Set the roles before relying
    on this test.
    """
    home_company = factories.CompanyFactory()
    # TODO: set role to administrator
    admin = factories.EmployeeFactory(company=home_company)
    flask.g.user = admin
    foreign_company = factories.CompanyFactory()
    # TODO: set role to director
    foreign_director = factories.EmployeeFactory(company=foreign_company)
    allowed = is_allowed(method=Method.READ,
                         resource="employee",
                         employee_id=foreign_director.id)
    assert allowed
Ejemplo n.º 6
def test_manager_cant_access_director(method, app, db_session):
    """A manager is denied on a director but allowed on a master.

    Covers both directions of the role check for the same ``method``: denied
    for the Director role, granted for the Master role.
    """
    # NOTE(review): no company is passed, so whether these three employees
    # share a company depends on EmployeeFactory's default - confirm, since a
    # company mismatch alone could explain the denial.
    manager_role = factories.RoleFactory(role_type=RoleType.Manager)
    manager = factories.EmployeeFactory(role=manager_role)
    director_role = factories.RoleFactory(role_type=RoleType.Director)
    director = factories.EmployeeFactory(role=director_role)
    master_role = factories.RoleFactory(role_type=RoleType.Master)
    master = factories.EmployeeFactory(role=master_role)

    flask.g.user = manager

    on_director = has_privilege(
        method=method, resource="employee", employee_id=director.id)
    assert not on_director

    on_master = has_privilege(
        method=method, resource="employee", employee_id=master.id)
    assert on_master
Ejemplo n.º 7
def test_delete(client):
    """A manager deletes an intern of the same company through the view.

    The manager's id is written into the client session before the POST.
    Afterwards only one employee row may remain and the intern must be gone.
    """
    company = factories.CompanyFactory()
    # NOTE(review): each Role(...) below is constructed but not saved in this
    # test, so `.id` is presumably None and neither employee gets the intended
    # role - confirm, otherwise the role check is not what is being tested.
    intern_role_id = Role(role_type=RoleType.Intern.name).id
    intern = factories.EmployeeFactory(company=company, role_id=intern_role_id)
    manager_role_id = Role(role_type=RoleType.Manager.name).id
    boss = factories.EmployeeFactory(company=company, role_id=manager_role_id)

    with client.session_transaction() as sess:
        sess["user_id"] = boss.id

    # Capture the id first; the object is expected to be deleted by the POST.
    intern_id = intern.id
    delete_url = url_for("employee.delete", id=intern_id)
    response = client.post(delete_url)

    assert Employee.query.count() == 1
    assert Employee.query.get(intern_id) is None
    assert response.status_code == HTTPStatus.OK
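def test_cannot_access_other_company_employees(method, app, db_session):
    """
    Even though the authenticated user is a director, they cannot access a
    manager's profile because the manager works for another company.

    The check uses the ``method`` fixture value. The earlier version requested
    the fixture but hard-coded ``Method.READ``, so every run only verified
    that READ was denied across companies and no other method was covered.
    """
    director_company = factories.CompanyFactory()
    director_role = factories.RoleFactory(name="Director")
    director = factories.EmployeeFactory(
        company=director_company, role=director_role)

    manager_company = factories.CompanyFactory()
    manager_role = factories.RoleFactory(name="Manager")
    manager = factories.EmployeeFactory(
        company=manager_company, role=manager_role)

    flask.g.user = director
    # A higher role must not override the company boundary for any method.
    assert not has_privilege(
        method=method, resource="employee", employee_id=manager.id)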
Ejemplo n.º 9
 def login(self, username="******", password="******"):
     """Mark the test client as logged in as a freshly created employee.

     ``username`` and ``password`` are accepted but never used: no credential
     check runs and the session keys are written directly. Tests built on
     this helper therefore do not exercise the real login view.

     Always returns True.
     """
     company = factories.CompanyFactory()
     user = factories.EmployeeFactory(company=company)
     with self._client.session_transaction() as sess:
         sess["user_id"] = user.id
         sess["logged_in"] = True
     return True
Ejemplo n.º 10
def test_cannot_access_list(client, db_session):
    """The employee list answers 403 Forbidden when no user is in the session.

    An employee row exists, but nothing is written to the client session
    before the request.
    """
    company = factories.CompanyFactory()
    manager_role = factories.RoleFactory()
    # Created only so the table is not empty; never attached to the session.
    existing = factories.EmployeeFactory(company=company, role=manager_role)
    list_url = url_for("employee.list")
    response = client.get(list_url)
    assert response.status_code == HTTPStatus.FORBIDDEN
Ejemplo n.º 11
def test_insert_employee(db_session):
    """Integration test: an employee built by the factory can be read back.

    Looks the row up by primary key through ``db_session`` and compares the
    stored username with the one on the factory object.
    """
    company = factories.CompanyFactory()
    manager_role = factories.RoleFactory()
    created = factories.EmployeeFactory(company=company, role=manager_role)
    fetched = db_session.query(Employee).get(created.id)
    assert fetched.username == created.username
Ejemplo n.º 12
def test_list(client, db_session):
    """The employee list returns 200 and contains the employee's username."""
    # NOTE(review): nothing is written to the client session here, so this
    # expects the list to be served without a logged-in user unless the
    # `client` fixture authenticates on its own - confirm which is intended.
    company = factories.CompanyFactory()
    manager_role = factories.RoleFactory()
    listed = factories.EmployeeFactory(company=company, role=manager_role)
    response = client.get(url_for("employee.list"))
    assert response.status_code == HTTPStatus.OK
    # response.data is compared as bytes, hence the encode.
    username_bytes = listed.username.encode()
    assert username_bytes in response.data
Ejemplo n.º 13
def test_can_access_to_emloyee_resource(method, app):
    """A user is granted ``method`` on their own employee record only.

    The denial case uses ``employee_id=-1``, an id that is not the caller's.
    """
    current_user = factories.EmployeeFactory()
    flask.g.user = current_user

    own_record = has_privilege(
        method=method, resource="employee", employee_id=current_user.id)
    assert own_record

    foreign_record = has_privilege(
        method=method, resource="employee", employee_id=-1)
    assert not foreign_record
Ejemplo n.º 14
def test_edit(client):
    """Posting a new comment to the edit view updates the stored employee."""
    created = factories.EmployeeFactory(comment="No comments")

    before = Employee.query.get(created.id)
    assert before.comment == "No comments"

    # NOTE(review): no user is placed in the session before this POST; if the
    # edit view requires authentication, that may be why the author marked
    # the test as failing - confirm.
    edit_url = url_for('employee.edit', id=created.id)
    client.post(edit_url, data={"comment": "One comment"})

    after = Employee.query.get(created.id)
    assert after.comment == "One comment"
    # The original ended with a bare string statement reading "fails".
def test_can_access_subalterns(method, app, db_session):
    """
    A director of a company should be able to access
    the profiles of employees with a lower role.
    """
    company = factories.CompanyFactory()

    director_role = factories.RoleFactory(name="Director")
    director = factories.EmployeeFactory(company=company, role=director_role)
    master_role = factories.RoleFactory(name="Master")
    master = factories.EmployeeFactory(company=company, role=master_role)
    manager_role = factories.RoleFactory(name="Manager")
    manager = factories.EmployeeFactory(company=company, role=manager_role)
    intern_role = factories.RoleFactory(name="Intern")
    intern = factories.EmployeeFactory(company=company, role=intern_role)

    flask.g.user = director
    # NOTE(review): the `method` fixture is requested but never passed to
    # has_privilege, so these calls rely on whatever default the function
    # has for `method` - confirm this is the method meant to be covered.
    manager_ok = has_privilege(resource="employee", employee_id=manager.id)
    assert manager_ok
    master_ok = has_privilege(resource="employee", employee_id=master.id)
    assert master_ok
    intern_ok = has_privilege(resource="employee", employee_id=intern.id)
    assert intern_ok
Ejemplo n.º 16
def test_forgot_password_post(client):
    """Posting a known e-mail to the forgot-password view shows the notice.

    The page must carry the heading, a notice with the masked address, and
    the hint to log in and change the password, and must answer 200.
    """
    # The e-mail literal is redacted in this listing, so the masked address
    # asserted below cannot be matched against it from here.
    employee = factories.EmployeeFactory(email="*****@*****.**")
    forgot_url = flask.url_for("auth.forgot_password")
    response = client.post(forgot_url, data={"email": employee.email})

    page = response.data.decode("utf-8")
    assert "<h1>Forgot password</h1>" in page
    # NOTE(review): only a registered address is covered. A companion case
    # for an unknown address would pin whether the response differs, which
    # matters for account enumeration.
    sent_notice = f"We've sent an e-mail to mrg***@yahoo.com with your new password."
    assert sent_notice in page
    assert "Please use it to log in and change it." in page
    assert response.status_code == HTTPStatus.OK
Ejemplo n.º 17
def test_forgot_password_routine(client):
    """After a forgot-password request the old password no longer logs in.

    The second ``login`` call must report an error and leave no ``user_id``
    in the session.
    """
    employee = factories.EmployeeFactory(username="******",
                                         password=auth_hash("pass"),
                                         email="*****@*****.**")
    # NOTE(review): the result of this first login is discarded, so the test
    # does not prove that "pass" worked before the reset - confirm whether
    # it should be asserted.
    login(employee.username, "pass")
    flask.session.clear()

    reset_url = flask.url_for("auth.forgot_password")
    client.post(reset_url, data={"email": employee.email})

    error = login(employee.username, "pass")
    assert error
    logged_in_id = flask.session.get("user_id")
    assert not logged_in_id
Ejemplo n.º 18
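def test_list(client):
    """The item list renders one <article> header per item and answers 200.

    ``response.data`` is bytes, so the expected fragments are bytes literals.
    Testing a ``str`` for membership in bytes raises TypeError on Python 3
    before any comparison happens.
    """
    company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(company=company)
    # NOTE(review): only one item is created and no user is placed in the
    # session, yet four headers are expected below - confirm the fixtures
    # this test relies on.
    factories.ItemFactory(employee_id=employee.id, company=company)
    response = client.get("/items/")
    assert b"<article class=\"item\"><header><div><h1>1</h1></div>" in response.data
    assert b"<article class=\"item\"><header><div><h1>2</h1></div>" in response.data
    assert b"<article class=\"item\"><header><div><h1>3</h1></div>" in response.data
    assert b"<article class=\"item\"><header><div><h1>4</h1></div>" in response.data
    assert response.status_code == HTTPStatus.OK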
Ejemplo n.º 19
def test_company_endpoints(client):
    """A logged-in employee can GET, PUT and DELETE their own company.

    Expected status codes are 200, 200 and 204 respectively.
    """
    company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(company=company)

    with client.session_transaction() as sess:
        sess["user_id"] = employee.id

    # NOTE(review): the employee has the factory's default role; if PUT and
    # DELETE on a company are meant to be role-restricted, this test does
    # not cover that - confirm.
    company_url = flask.url_for('companies.api', company_id=employee.company_id)
    get_status = client.get(company_url).status_code
    assert get_status == 200
    put_status = client.put(company_url).status_code
    assert put_status == 200
    delete_status = client.delete(company_url).status_code
    assert delete_status == 204
Ejemplo n.º 20
def test_activate_authenticated(client):
    """
    An authenticated POST to /auth/activate shows the success screen and
    flips ``account_status`` on the stored employee.
    """
    company = factories.CompanyFactory()
    inactive = factories.EmployeeFactory(company=company, account_status=False)
    with client.session_transaction() as sess:
        sess["logged_in"] = True
        sess["user_id"] = inactive.id
    response = client.post("/auth/activate")
    assert b"<h1>Successfully activated your account.</h1>" in response.data
    # Re-read the row so the check reflects what was persisted.
    reloaded = Employee.query.get(inactive.id)
    assert reloaded.account_status
    assert response.status_code == HTTPStatus.OK
Ejemplo n.º 21
def test_list(client):
    """The item list shows a header for each of three items and answers 200."""
    viewer = factories.EmployeeFactory()
    for item_name in ("1", "2", "3"):
        factories.ItemFactory(name=item_name)
    # The user is set both on flask.g and in the client session.
    flask.g.user = viewer
    with client.session_transaction() as sess:
        sess["user_id"] = viewer.id
    response = client.get("/items/")
    body = response.data
    assert b"<article class=\"item\"><header><div><h1>1</h1></div>" in body
    assert b"<article class=\"item\"><header><div><h1>2</h1></div>" in body
    assert b"<article class=\"item\"><header><div><h1>3</h1></div>" in body
    assert response.status_code == HTTPStatus.OK
Ejemplo n.º 22
def test_activate_authenticated(client):
    """
    Tests if authenticated POST to activate returns correct screen
    @todo #385:30min Inject user into session in the test below. Test is broken
     because we do not set user in session and then auth/views.py does not
     redirect to correct page. Fix this behavior and uncomment this test.
    """
    company = factories.CompanyFactory()
    inactive = factories.EmployeeFactory(company=company, account_status=False)
    with client.session_transaction() as sess:
        sess["user_id"] = inactive.id
    g.user = inactive
    response = client.post("/auth/activate")
    assert b"<h1>Successfully activated your account.</h1>" in response.data
    # NOTE(review): this checks the factory object held by the test rather
    # than a freshly queried row - confirm it reflects the persisted state.
    assert inactive.account_status
    assert response.status_code == HTTPStatus.OK
Ejemplo n.º 23
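def test_list(client):
    """The table list shows exactly the three tables created for the floor.

    The final assertion counts occurrences of the table header prefix in the
    response body. The earlier form, ``b"..." in response.data.count == 3``,
    was a chained comparison that tested membership in the bound ``count``
    method and raised TypeError instead of counting.
    """
    role = factories.RoleFactory(name=RoleType.Intern.name)
    company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(company=company, role_id=role.id)
    location = factories.LocationFactory(company=company)
    floor = factories.FloorFactory(location=location)
    with client.session_transaction() as session:
        session["user_id"] = employee.id
    g.user = employee
    factories.TableFactory(floor_id=floor.id, name="Table 01")
    factories.TableFactory(floor_id=floor.id, name="Table 02")
    factories.TableFactory(floor_id=floor.id, name="Table 03")
    # NOTE(review): url_for() takes an endpoint name, but "/tables/" looks
    # like a URL path - confirm the endpoint name, or pass the path straight
    # to client.get().
    response = client.get(url_for("/tables/"))
    assert response.status_code == HTTPStatus.OK
    assert b"<div><h1>Table 01</h1></div>" in response.data
    assert b"<div><h1>Table 02</h1></div>" in response.data
    assert b"<div><h1>Table 03</h1></div>" in response.data
    # Exactly three headers: no table from elsewhere may leak into the list.
    assert response.data.count(b"<div><h1>Table ") == 3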
Ejemplo n.º 24
def test_create(client):
    """Posting an item form stores an item with the submitted fields."""
    company = factories.CompanyFactory()
    owner = factories.EmployeeFactory(company=company)
    item_name = "Yellow Fedora"
    item_comment = "A yellow fedora that belonged to a hero from a movie"
    # NOTE(review): company_id and employee_id come from the form and are
    # asserted to be stored as sent, with no user in the session. If the view
    # trusts these fields, a client can attribute items to any company or
    # employee - confirm they are checked against the logged-in user.
    form = dict(
        name=item_name,
        comment=item_comment,
        company_id=company.id,
        employee_id=owner.id,
    )
    create_response = client.post("/items/create", data=form)
    stored = Item.query.filter_by(name="Yellow Fedora").first()
    assert create_response.status_code == HTTPStatus.OK
    assert stored is not None
    assert stored.name == item_name
    assert stored.comment == item_comment
    assert stored.company_id == company.id
    assert stored.employee_id == owner.id
Ejemplo n.º 25
def test_cannot_delete(client, db_session):
    """Deleting an employee answers 403 Forbidden when no user is in the session."""
    target = factories.EmployeeFactory()
    delete_url = url_for('employee.delete', id=target.id)
    response = client.post(delete_url)
    # Only the status is checked; the row is not re-queried afterwards.
    assert response.status_code == HTTPStatus.FORBIDDEN
Ejemplo n.º 26
def test_delete(client):
    """Posting to the delete view redirects (302) and removes the employee."""
    # NOTE(review): no user is placed in the session, yet the row is expected
    # to be gone. Unless the `client` fixture authenticates on its own, this
    # pins an unauthenticated delete as correct behaviour - confirm.
    target = factories.EmployeeFactory()
    delete_url = url_for('employee.delete', id=target.id)
    response = client.post(delete_url)
    assert response.status_code == HTTPStatus.FOUND
    remaining = Employee.query.count()
    assert not remaining
Ejemplo n.º 27
def test_can_not_manage_employees_from_different_company(method, clean_app):
    """An employee is denied ``method`` on an employee of another company.

    Negative half of the tenant-isolation check: each employee gets its own
    freshly created company.
    """
    own_company = factories.CompanyFactory()
    current_user = factories.EmployeeFactory(company=own_company)
    other_company = factories.CompanyFactory()
    outsider = factories.EmployeeFactory(company=other_company)
    flask.g.user = current_user
    granted = has_privilege(method=method,
                            resource="employee",
                            employee_id=outsider.id)
    assert not granted
Ejemplo n.º 28
def test_can_access_his_profile(clean_app):
    """A user is granted READ on their own employee record."""
    current_user = factories.EmployeeFactory()
    flask.g.user = current_user
    own_profile = has_privilege(
        method=Method.READ, resource="employee", employee_id=flask.g.user.id)
    assert own_profile