def test_delete_category_with_forums(app, authed_client):
    """A category that still owns forums cannot be deleted; the error says why."""
    add_permissions(app, 'forums_view', 'forums_forums_modify')
    refusal = (
        'You cannot delete a forum category while it still has forums assigned to it.'
    )
    response = authed_client.delete('/forums/categories/1')
    check_json_response(response, refusal)
def test_route_permissions(authed_client, endpoint, method):
    """Every parametrized route must answer 403 to a user holding no permissions.

    Both the per-user grant rows and the user-class permission column are
    wiped first, so the denial has to come from the route's own check rather
    than from whatever the fixtures happened to leave behind.
    """
    for statement in (
        "DELETE FROM users_permissions",
        "UPDATE user_classes SET permissions = '{}'",
    ):
        db.engine.execute(statement)
    denied = 'You do not have permission to access this resource.'
    response = authed_client.open(endpoint, method=method)
    check_json_response(response, denied)
    assert response.status_code == 403
def test_add_thread_note_no_permissions(app, authed_client):
    """Without any forumaccess_* grant, adding a note reports an invalid thread id.

    The user keeps ``forums_threads_modify`` but loses every forumaccess
    grant, and the response is the same "Invalid ForumThread id." a
    missing thread would give — presumably so access denial does not reveal
    which threads exist.
    """
    # '%%' is the driver-level escape for a literal '%' in the LIKE pattern.
    db.engine.execute(
        "DELETE FROM users_permissions WHERE permission LIKE 'forumaccess%%'")
    add_permissions(app, 'forums_threads_modify')
    note_body = json.dumps({'note': 'ANotherNote'})
    response = authed_client.post('/forums/threads/1/notes', data=note_body)
    check_json_response(response, 'Invalid ForumThread id.')
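def test_edit_forum(app, authed_client):
    """Editing a forum changes name, description and category in the response and in the DB.

    The stray debug ``print`` of the response body is gone; the nested
    ``category`` object is checked explicitly because the flat expected
    dict does not cover it.
    """
    add_permissions(app, 'forums_view', 'forums_forums_modify')
    edit = {
        'name': 'Bite',
        'description': 'Very New Description',
        'category_id': 4,
    }
    response = authed_client.put('/forums/1', data=json.dumps(edit))
    check_json_response(
        response,
        {
            'id': 1,
            'name': 'Bite',
            'description': 'Very New Description'
        },
    )
    # The category is nested under 'response', so it is asserted separately.
    assert response.get_json()['response']['category']['id'] == 4
    # Re-read the row: the change must be persisted, not merely echoed back.
    forum = Forum.from_pk(1)
    assert forum.id == 1
    assert forum.name == 'Bite'
    assert forum.description == 'Very New Description'
    assert forum.category_id == 4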
def test_get_all_permissions_permission(authed_client):
    """Listing every permission (``all=true``) is denied to a user with no grants."""
    # Strip the per-user rows and the user-class permission column alike.
    db.engine.execute("DELETE FROM users_permissions")
    db.engine.execute("UPDATE user_classes SET permissions = '{}'")
    params = {'all': 'true'}
    response = authed_client.get('/permissions', query_string=params)
    denied = 'You do not have permission to access this resource.'
    check_json_response(response, denied)
    assert response.status_code == 403
def test_users_edit_settings_others(app, authed_client):
    """A moderator may edit another user's settings via ``user_id``; an empty body still succeeds."""
    granted = ('users_edit_settings', 'users_change_password', 'users_moderate')
    add_permissions(app, *granted)
    response = authed_client.put(
        '/users/settings',
        query_string={'user_id': 2},
        data=json.dumps({}),
    )
    check_json_response(response, 'Settings updated.', strict=True)
def test_change_forum_permissions_failure(app, authed_client):
    """A permission change containing unsatisfiable entries is rejected as a whole.

    Setup: user 1 holds ``forumaccess_thread_1`` directly, and the user class
    supplies ``forumaccess_forum_2``.  Adding a permission the class already
    grants and deleting one the user never had are both reported as failures,
    and the user's direct forumaccess grants are left exactly as they were.
    """
    db.engine.execute('DELETE FROM users_permissions')
    add_permissions(app, 'users_moderate', 'forumaccess_thread_1')
    db.engine.execute("""UPDATE user_classes
                      SET permissions = '{"forumaccess_forum_2"}'""")

    requested = {
        'forumaccess_forum_2': True,
        'forumaccess_thread_1': False,
        'forumaccess_thread_4': False,
        'forumaccess_thread_2': True,
    }
    response = authed_client.put(
        '/users/1', data=json.dumps({'permissions': requested})
    )

    failure = (
        'The following permissions could not be added: forumaccess_forum_2. '
        'The following permissions could not be deleted: forumaccess_thread_4.'
    )
    check_json_response(response, failure)
    # Nothing from the rejected request was applied to the user's own grants.
    remaining = UserPermission.from_user(1, prefix='forumaccess')
    assert remaining == {'forumaccess_thread_1': True}
def test_route_permissions(authed_client, endpoint, method):
    """Make sure all routes are properly permissioned against the unpermissioned user."""
    denied = 'You do not have permission to access this resource.'
    response = authed_client.open(endpoint, method=method)
    check_json_response(response, denied)
    assert response.status_code == 403
def test_delete_category(app, authed_client):
    """Deleting an empty category soft-deletes it: the row survives with ``deleted`` set."""
    add_permissions(app, 'forums_view', 'forums_forums_modify')
    response = authed_client.delete('/forums/categories/5')
    check_json_response(response,
                        'ForumCategory 5 (uWhatMate) has been deleted.')
    # include_dead is presumably what allows the soft-deleted row to load at all.
    deleted_category = ForumCategory.from_pk(5, include_dead=True)
    assert deleted_category.deleted
def test_moderate_user_not_found(app, authed_client):
    """Moderating a user id that does not exist yields a 404 with a descriptive message."""
    add_permissions(app, 'users_moderate')
    body = json.dumps({'email': '*****@*****.**'})
    response = authed_client.put('/users/10', data=body)
    check_json_response(response, 'User 10 does not exist.')
    assert response.status_code == 404
def test_invalid_json(app, authed_client):
    """A body that is not JSON is rejected by ``validate_data``; the view's reply is never seen."""

    @app.route('/test_endpoint', methods=['POST'])
    @validate_data(Schema({'test': int}))
    def test_endpoint():
        return flask.jsonify('completed')

    raw_body = b'not-a-json'
    response = authed_client.post('/test_endpoint', data=raw_body)
    check_json_response(response, 'Unable to decode data. Is it valid JSON?')
def test_disabled_user(app, client):
    """Disabled users get disabled errors."""
    db.engine.execute("UPDATE users SET enabled = 'f' where id = 1")
    auth_headers = {'Authorization': f'Token abcdefghij{CODE_1}'}
    # '/fake_endpoint' is not a real route, so the disabled-account check
    # presumably runs before routing; verify if the auth layer changes.
    response = client.get('/fake_endpoint', headers=auth_headers)
    check_json_response(response, 'Your account has been disabled.')
def test_add_forum_nonexistent_category(app, authed_client):
    """Creating a forum under an unknown category id is rejected."""
    add_permissions(app, 'forums_view', 'forums_forums_modify')
    new_forum = {
        'name': 'New Forum',
        'category_id': 100
    }
    response = authed_client.post('/forums', data=json.dumps(new_forum))
    check_json_response(response, 'Invalid ForumCategory id.')
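def test_view_api_key_cached(app, authed_client):
    """Viewing an API key that is already cached serves the cached model.

    The key is placed in the cache with a short timeout first; the TTL
    assertion afterwards shows the entry was reused rather than replaced
    (a fresh ``cache_model`` call would presumably reset the TTL to its
    default).  The request path is a plain literal — it has no
    placeholders, so an f-string there was misleading.
    """
    add_permissions(app, ApikeyPermissions.VIEW, ApikeyPermissions.VIEW_OTHERS)
    api_key = APIKey.from_pk('1234567890', include_dead=True)
    cache_key = cache.cache_model(api_key, timeout=60)

    response = authed_client.get('/api_keys/1234567890')
    check_json_response(response, {'hash': '1234567890', 'revoked': True})
    # Still within the 60 s timeout set above, i.e. not re-cached with a longer one.
    assert cache.ttl(cache_key) < 61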
def test_view_empty_api_keys(app, authed_client):
    """A user with no live API keys gets an empty list back."""
    add_permissions(app, ApikeyPermissions.VIEW, ApikeyPermissions.VIEW_OTHERS)
    filters = {
        'user_id': 3,
        'include_dead': False
    }
    response = authed_client.get('/api_keys', query_string=filters)
    # list_ presumably marks the payload as a list; strict demands an exact match.
    check_json_response(response, [], list_=True, strict=True)
def test_access_other_user_but_same_user(app, authed_client):
    """Targeting one's own user id needs no extra permission, even a non-existent one."""

    @app.route('/test_access')
    @access_other_user('non-existent-perm')
    def test_access(user):
        assert user.id == 1
        return flask.jsonify('Endpoint reached.')

    own_id = {'user_id': 1}
    response = authed_client.get('/test_access', query_string=own_id)
    check_json_response(response, 'Endpoint reached.')
def test_access_other_user(app, authed_client):
    """With the named permission held, ``user_id`` resolves to the other user."""

    @app.route('/test_access')
    @access_other_user('sample_perm_one')
    def test_access(user):
        assert user.id == 2
        return flask.jsonify('Endpoint reached.')

    other_id = {'user_id': 2}
    response = authed_client.get('/test_access', query_string=other_id)
    check_json_response(response, 'Endpoint reached.')
def test_access_other_user_fail(app, authed_client):
    """Without the named permission, targeting another user is refused with the generic denial."""

    @app.route('/test_access')
    @access_other_user('nonexistent_perm')
    def test_access_user(user):
        return flask.jsonify('Endpoint reached.')

    other_id = {'user_id': 2}
    response = authed_client.get('/test_access', query_string=other_id)
    denied = 'You do not have permission to access this resource.'
    check_json_response(response, denied)
def test_int_overflow(app, authed_client):
    """An integer far beyond the 32-bit range is rejected by input validation."""
    add_permissions(app, 'users_moderate')
    huge = 99999999999999999999999999
    response = authed_client.put(
        '/users/1', data=json.dumps({'invites': huge})
    )
    # NOTE(review): the bound quoted is 2**31, one above the signed 32-bit
    # maximum (2147483647); whether the validator treats it as inclusive is
    # not visible from this test — confirm against the schema.
    check_json_response(
        response,
        'Invalid data: value must be at most 2147483648 (key "invites")',
    )
def test_add_thread_nonexistent_category(app, authed_client):
    """Creating a thread in an unknown forum id is rejected."""
    add_permissions(app, 'forums_view', 'forums_threads_create')
    new_thread = {'topic': 'New Forum', 'forum_id': 100, 'contents': 'aa'}
    response = authed_client.post('/forums/threads', data=json.dumps(new_thread))
    check_json_response(response, 'Invalid Forum id.')
def test_405_exception(app, client):
    """405 exception should return response in JSON."""

    @app.route('/exception_causer', methods=['POST'])
    def exception_causer():
        return 'never hit this'

    # GET against a POST-only route triggers the 405 handler.
    wrong_method_response = client.get('/exception_causer')
    check_json_response(wrong_method_response,
                        'Method not allowed for this resource.')
def test_view_forum(app, authed_client):
    """A user with ``forums_view`` can read a forum's basic fields."""
    add_permissions(app, 'forums_view')
    response = authed_client.get('/forums/2')
    expected = {
        'id': 2,
        'name': 'Bugs',
        'description': 'Squishy Squash'
    }
    check_json_response(response, expected)
    assert response.status_code == 200
def test_assert_permission(app, authed_client, permission, masquerade,
                           expected):
    """``assert_permission`` inside a view produces the parametrized ``expected`` payload."""

    @app.route('/test_assert_perm')
    def assert_perm():
        assert_permission(permission, masquerade=masquerade)
        return flask.jsonify('Endpoint reached.')

    check_json_response(authed_client.get('/test_assert_perm'), expected)
def test_delete_forum(app, authed_client):
    """Deleting a forum soft-deletes it and cascades the flag to its threads."""
    add_permissions(app, 'forums_view', 'forums_forums_modify')
    # Warm the cache with the thread before the delete, so the later
    # include_dead lookup has to see the cascaded flag rather than a stale entry.
    ForumThread.from_pk(5)  # Cache - thread isn't deleted, belongs to category
    response = authed_client.delete('/forums/5')
    check_json_response(response, 'Forum 5 (Yacht Funding) has been deleted.')
    # NOTE(review): both lookups below load ForumThread 5; the first, named
    # `forum`, looks like it meant to load the Forum model for forum 5 — verify.
    forum = ForumThread.from_pk(5, include_dead=True)
    assert forum.deleted
    sub_thread = ForumThread.from_pk(5, include_dead=True)
    assert sub_thread.deleted
def test_change_permissions_restricted(app, authed_client):
    """Basic but not advanced permissions privileges."""
    add_permissions(app, 'users_moderate')
    change = {'permissions': {'users_moderate': False}}
    response = authed_client.put('/users/1', data=json.dumps(change))
    # With only users_moderate, users_moderate itself is not an editable permission.
    check_json_response(
        response,
        'Invalid data: users_moderate is not a valid permission (key "permissions")',
    )
def test_add_post_nonexistent_thread(app, authed_client):
    """Posting into an unknown thread id is rejected with a not-found message."""
    add_permissions(app, 'forums_view', 'forums_posts_create')
    new_post = {
        'thread_id': 100,
        'contents': 'New Post'
    }
    response = authed_client.post('/forums/posts', data=json.dumps(new_post))
    check_json_response(response, 'ForumThread 100 does not exist.')
def test_add_post_locked(app, authed_client):
    """Posting into a locked thread is refused even with ``forums_posts_create``."""
    add_permissions(app, 'forums_view', 'forums_posts_create')
    new_post = {
        'thread_id': 3,
        'contents': 'hahe new forum post'
    }
    response = authed_client.post('/forums/posts', data=json.dumps(new_post))
    check_json_response(response, 'You cannot post in a locked thread.')
def test_view_poll(app, authed_client):
    """A user with ``forums_view`` can read a poll, including its three choices."""
    add_permissions(app, 'forums_view')
    response = authed_client.get('/polls/1')
    expected = {
        'id': 1,
        'featured': False,
        'question': 'Question 1'
    }
    check_json_response(response, expected)
    assert response.status_code == 200
    choices = response.get_json()['response']['choices']
    assert len(choices) == 3
def test_403_masquerade_no_auth(app, client):
    """Masqueraded 403 endpoints should throw 401s without authentication."""

    @app.route('/test_endpoint')
    @require_permission('test_perm', masquerade=True)
    def test_session():
        return flask.jsonify('completed')

    # Unauthenticated client: the authorization failure is what gets
    # reported, not the (masqueraded) permission failure.
    anonymous_response = client.get('/test_endpoint')
    check_json_response(anonymous_response, 'Invalid authorization.')
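def test_500_exception(app, client):
    """Server error should return response in JSON.

    Debug mode is switched off for the request so the handler's generic
    message is exercised rather than whatever debug mode would produce.  The
    previous ``app.debug`` value is restored afterwards, so a longer-lived
    ``app`` fixture does not carry the change into later tests.
    """

    @app.route('/exception_causer')
    def exception_causer():
        raise ValueError('Because I can!')

    previous_debug = app.debug
    app.debug = False
    try:
        response = client.get('/exception_causer')
    finally:
        app.debug = previous_debug
    # Generic message only — no exception detail reaches the client.
    check_json_response(response, 'Something went wrong with your request.')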