Esempio n. 1
def users_cant_see_other_users_expenses(tester):
    """Verify that an expense is listed only for the user who created it.

    One user records an expense and logs out. A second user is then created
    and the same expense (amount, category name, note) is looked up with
    ``should_exist=False``.

    NOTE(review): the name has no ``test_`` prefix, so name-based test
    discovery would skip it -- confirm that it is invoked explicitly,
    otherwise this access-control check never runs.
    """
    # First user (Frank). The returned credentials are unpacked but not used.
    _username, _password = Helpers.create_user(tester)

    # Frank needs a category to file his expense under
    frank_category = Helpers.generate_string()
    Helpers.create_a_category(tester, category_name=frank_category, is_income=False)

    amount = random.randint(1, 90000)
    expense_date = str(date.today())
    note = Helpers.generate_string()

    # Fields that identify the expense in both the creation and the lookup
    identifying = {"category_name": frank_category, "note": note}

    # Frank records the expense and asks the helper to verify its creation
    Helpers.create_entry(
        tester,
        amount,
        expense_date=expense_date,
        is_income=False,
        verify_creation=True,
        **identifying,
    )
    Helpers.logout_user(tester)

    # Second user (Guido): Frank's expense must not be visible to him.
    # presumably create_user leaves the new user logged in -- verify in Helpers
    Helpers.create_user(tester)
    Helpers.visit_and_verify_expense(
        tester,
        amount=amount,
        should_exist=False,
        **identifying,
    )
    Helpers.logout_user(tester)
Esempio n. 2
def test_users_cant_see_other_users_monthly_balance_entry(tester):
    """Verify that a balance category created by one user is hidden from another.

    NOTE(review): despite the name, only the balance *category* is checked
    here; no balance entry is created or looked up in this function.
    """
    # Name of the balance category Frank is about to create
    balance_category = Helpers.generate_string()

    # Frank signs up, creates the balance category, and logs out
    Helpers.create_user(tester)
    Helpers.create_a_category(
        tester,
        category_name=balance_category,
        is_balance=True,
    )
    Helpers.logout_user(tester)

    # Guido signs up; Frank's balance category must not be listed for him
    Helpers.create_user(tester)
    lookup_flags = {"is_balance": True, "should_exist": False}
    Helpers.visit_and_verify_categories(tester, balance_category, **lookup_flags)
    Helpers.logout_user(tester)
Esempio n. 3
def test_different_users_can_create_categories_with_the_same_name(tester):
    """Verify that a category name used by one user can be reused by another.

    The same generated name is submitted by two different users in turn.
    """
    # One name, shared by both users
    shared_name = Helpers.generate_string()

    # Frank signs up and creates the category first
    Helpers.create_user(tester)
    Helpers.create_a_category(tester, category_name=shared_name)
    Helpers.logout_user(tester)

    # Guido signs up and submits the very same name.
    # The three flags are interpreted by Helpers.create_a_category; their
    # exact meaning is defined there, not in this function.
    Helpers.create_user(tester)
    second_user_flags = {
        "midway_check": True,
        "create_check": False,
        "lack_of_error": True,
    }
    Helpers.create_a_category(tester, category_name=shared_name, **second_user_flags)
    Helpers.logout_user(tester)
Esempio n. 4
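def test_users_can_not_see_other_users_categories(tester):
    """Check that the categories JSON endpoint returns only the caller's categories.

    Frank creates a category and logs out. Guido, a second user with no
    categories of his own, requests the ``api:categories`` URL directly in
    JSON form and must receive an empty result.

    NOTE(review): only absence is asserted. An endpoint that returned an
    empty result for every user would also pass, so consider adding a
    positive control (Frank fetching the same URL and seeing his category).
    """
    # Frank can create a category to log his expenses
    frank_category = Helpers.generate_string()

    Helpers.create_user(tester)
    Helpers.create_a_category(tester, category_name=frank_category)
    Helpers.logout_user(tester)

    # Guido registers to the site
    Helpers.create_user(tester)

    url = reverse('api:categories')
    # Guido has knowledge of how to force the site to display json.
    # The query string must end at "json=true": a trailing apostrophe inside
    # the string would be sent to the server as part of the parameter value.
    secret_url = f"{tester.live_server_url}{url}?format=json&json=true"
    tester.browser.get(secret_url)

    # The browser renders the raw response body inside <html>; parse its text
    html = tester.browser.find_element_by_tag_name('html')
    json_res = json.loads(html.text)

    # Guido, however, can not see Frank's category
    tester.assertEqual(len(json_res), 0)
    Helpers.logout_user(tester)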
Esempio n. 5
def test_users_cant_see_other_users_monthly_budgets(tester):
    """Verify that a monthly budget created by one user is hidden from another.

    Frank creates a category and a budget for it, dated the first day of the
    current month. A second user then looks up the same budget with
    ``should_exist=False``.
    """
    # Frank signs up
    Helpers.create_user(tester)

    # Frank creates the category the budget will belong to
    rent_category = Helpers.generate_string()
    Helpers.create_a_category(tester, rent_category)

    # The budget is dated the first day of the current month
    first_of_month = datetime.date.today().replace(day=1)
    budget_amount = random.randint(1, 90000)

    # The same three fields describe the budget at creation and at lookup
    budget = {
        "category_name": rent_category,
        "amount": budget_amount,
        "date": first_of_month,
    }
    Helpers.create_a_monthly_budget(tester, **budget)
    Helpers.logout_user(tester)

    # Guido signs up; Frank's monthly budget must not be visible to him
    Helpers.create_user(tester)
    Helpers.visit_and_verify_month_budget_creation(
        tester=tester,
        should_exist=False,
        **budget,
    )
    Helpers.logout_user(tester)
Esempio n. 6
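def users_cant_create_expenses_with_other_users_categories(tester):
    """Check that an expense can not be created with another user's category.

    Frank creates categories and builds a script that rewrites every
    ``<option>`` value in the form to the id of his last category. He submits
    an expense with it himself, which must succeed because the category is
    his. Guido, a second user, then submits the same form with the same
    script; the server must reject the tampered category id, so no matching
    expense may exist for Guido afterwards.

    NOTE(review): the name has no ``test_`` prefix, so name-based test
    discovery would skip it -- confirm that it is invoked explicitly,
    otherwise this access-control check never runs.
    """
    # Frank logs in
    Helpers.create_user(tester)

    # Frank creates multiple categories
    for _ in range(3):
        cat_name = Helpers.generate_string()
        Helpers.create_a_category(tester,
                                  category_name=cat_name,
                                  is_income=False)
        # Only the id looked up after the loop is used below
        category_id = Helpers.get_category_id_from_category_name(
            tester, cat_name)

    # Frank confirm the id of the last category he created... he "has a plan"
    category_id = Helpers.get_category_id_from_category_name(tester, cat_name)
    # Keep Frank's category name: cat_name is rebound for Guido further down
    frank_cat_name = cat_name

    # Frank knows some javascript, and he tries to fiddle with the form values
    # ## ES6 syntax, will work in recent (2015/2016+ versions) FF and Chromium
    js_function = 'Array.from(document.getElementsByTagName("option")).forEach(function(item) {item.value = "X"});'
    js_function = js_function.replace('X', str(category_id))
    tester.browser.execute_script(js_function)

    amount = random.randint(1, 90000)
    expense_date = str(date.today())
    note = Helpers.generate_string()

    # Frank enters some data, he wants to make sure his js does not break the
    # app
    # Frank also confirm that even after executing this js, the expense was
    # created correctly
    Helpers.create_entry(tester,
                         amount,
                         category_name=frank_cat_name,
                         note=note,
                         expense_date=expense_date,
                         is_income=False,
                         verify_creation=True,
                         js_to_execute=js_function)

    # Franks challenges Guido to create an expense with a category he made
    # Franks share his js script with Guido (Guido does not know any js!)

    # End Frank's session before the second user is created, as the other
    # isolation checks in this file do. Without it the rest of the check may
    # still run as Frank, which would make it meaningless.
    Helpers.logout_user(tester)

    # Guido accepts to test out Frank's js and verify the app works correctly
    Helpers.create_user(tester)

    # Guido creates a category
    cat_name = Helpers.generate_string()
    Helpers.create_a_category(tester, category_name=cat_name, is_income=False)

    # Guido enters some data, and execute the js code he got from Frank
    # If the app is not checking for tampering the form values, this will fail
    Helpers.create_entry(tester,
                         amount,
                         category_name=cat_name,
                         note=note,
                         expense_date=expense_date,
                         is_income=False,
                         verify_creation=False,
                         js_to_execute=js_function)

    # Guido confirms the app is not deceived by this trivial attack
    Helpers.visit_and_verify_expense(tester,
                                     amount=amount,
                                     category_name=cat_name,
                                     note=note,
                                     should_exist=False)

    # A tampered submission that was accepted would carry Frank's category,
    # not Guido's, so the expense must also be absent under Frank's name.
    Helpers.visit_and_verify_expense(tester,
                                     amount=amount,
                                     category_name=frank_cat_name,
                                     note=note,
                                     should_exist=False)
    Helpers.logout_user(tester)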