def test_one_user_group_read_only(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.set_users([u.id])
g.save()
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Read', group=g)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
def test_one_user_group_read_only(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.set_users([u.id])
g.save()
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Read', group=g)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
def test_one_user_group_write_and_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.save()
g.set_users([u.id])
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Write', group=g)
f.grant('Publish', group=g)
f = Feed.get(id=f.id)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [g])
self.assertEqual(f.publisher_groups(), [g])
self.assertTrue(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def test_admin_can_delete_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 200)
with self.assertRaises(User.DoesNotExist):
User.get(id=self.user2.id)
def test_admin_can_delete_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 200)
with self.assertRaises(User.DoesNotExist):
User.get(id=self.user2.id)
def test_one_user_group_write_and_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.save()
g.set_users([u.id])
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Write', group=g)
f.grant('Publish', group=g)
f = Feed.get(id=f.id)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [g])
self.assertEqual(f.publisher_groups(), [g])
self.assertTrue(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def test_user_with_no_perms(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
self.assertEqual(u.writeable_feeds(), [])
def test_user_with_no_perms(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
self.assertEqual(u.writeable_feeds(), [])
def setUp(self):
super(DeletingUsers, self).setUp()
self.user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
self.user2.set_password(USERPASS)
self.user2.save()
def test_admin_can_create_user(self):
# should not yet exist:
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS)
self.assertEqual(resp.status_code, 200)
User.get(loginname="user2")
def test_user_with_one_feed(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
f.grant('Write', user=u)
self.assertEqual(u.writeable_feeds(), [f])
def test_admin_needs_password_to_create_user(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request()
self.assertIn("You need to enter your current password", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_user_with_one_feed(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
f.grant('Write', user=u)
self.assertEqual(u.writeable_feeds(), [f])
def test_admin_can_create_user(self):
# should not yet exist:
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS)
self.assertEqual(resp.status_code, 200)
User.get(loginname="user2")
def test_admin_needs_password_to_create_user(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request()
self.assertIn("You need to enter your current password", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def feedpage(feedid):
''' the back end settings for one feed. '''
try:
feed = Feed.get(id=feedid)
user = user_session.get_user()
except user_session.NotLoggedIn:
user = User()
except:
flash('invalid feed id! (' + str(feedid) + ')')
return redirect(url_for('feeds'))
if request.method == 'POST':
if not user_session.logged_in():
flash("You're not logged in!")
return redirect(url_for('feeds'))
if not user.is_admin:
flash('Sorry! Only Admins can change these details.')
return redirect(request.referrer)
action = request.form.get('action', 'none')
if action == 'edit':
feed.name = request.form.get('title', feed.name).strip()
inlist = request.form.getlist
feed.post_types = ', '.join(inlist('post_types'))
feed.set_authors(by_id(User, inlist('authors')))
feed.set_publishers(by_id(User, inlist('publishers')))
feed.set_author_groups(by_id(Group, inlist('author_groups')))
feed.set_publisher_groups(by_id(Group, inlist('publisher_groups')))
feed.save()
flash('Saved')
elif action == 'delete':
for post in feed.posts:
post_type_module = post_types.load(post.type)
delete_post_and_run_callback(post, post_type_module)
feed.delete_instance(True, True) # cascade/recursive delete.
flash('Deleted')
return redirect(url_for('feeds'))
return render_template('feed.html',
feed=feed,
user=user,
all_posttypes=post_types.types(),
allusers=User.select(),
allgroups=Group.select()
)
def test_new_user_passwords_must_match(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******',
conf_newpass='******')
self.assertIn("Passwords don't match", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_new_user_passwords_must_match(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******',
conf_newpass='******')
self.assertIn("Passwords don't match", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_admin_can_unset_admin(self):
self.assertFalse(self.user.is_admin)
self.user.is_admin = True
self.user.save()
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin=False)
usernow = User.get(id=self.user.id)
self.assertFalse(usernow.is_admin)
def test_admin_can_unset_admin(self):
self.assertFalse(self.user.is_admin)
self.user.is_admin = True
self.user.save()
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin=False)
usernow = User.get(id=self.user.id)
self.assertFalse(usernow.is_admin)
def test_cannot_have_empty_password(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='',
conf_newpass='')
self.assertIn("Cannot Save", resp.data)
self.assertIn("passwordhash", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_cannot_have_empty_password(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='',
conf_newpass='')
self.assertIn("Cannot Save", resp.data)
self.assertIn("passwordhash", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def setUp(self):
super(BasicUsersTestCase, self).setUp()
self.user = User(loginname=USERNAME,
emailaddress='*****@*****.**',
is_admin=False)
self.user.set_password(USERPASS)
self.user.save()
self.admin = User(loginname=ADMINNAME,
emailaddress='*****@*****.**',
is_admin=True)
self.admin.set_password(ADMINPASS)
self.admin.save()
def test_user_with_one_feed_via_group(self):
u = User(passwordhash='123')
g = Group(name='group_with_a_name')
f = Feed()
u.save()
f.save()
g.save()
g.set_users([u.id])
f.grant('Write', group=g)
self.assertEqual(u.writeable_feeds(), [f])
def setUp(self):
super(BasicUsersTestCase, self).setUp()
self.user = User(loginname=USERNAME,
emailaddress='*****@*****.**',
is_admin=False)
self.user.set_password(USERPASS)
self.user.save()
self.admin = User(loginname=ADMINNAME,
emailaddress='*****@*****.**',
is_admin=True)
self.admin.set_password(ADMINPASS)
self.admin.save()
def test_user_with_one_feed_via_group(self):
u = User(passwordhash='123')
g = Group(name='group_with_a_name')
f = Feed()
u.save()
f.save()
g.save()
g.set_users([u.id])
f.grant('Write', group=g)
self.assertEqual(u.writeable_feeds(), [f])
def test_admin_can_make_admin_with_on(self):
self.assertFalse(self.user.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin="on")
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
def test_one_user_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
f.grant('Publish', user=u)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [u])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def group(groupid):
''' edit one user group. '''
try:
thisgroup = Group.get(id=groupid)
except:
flash('Invalid group ID')
return redirect(request.referrer if request.referrer else '/')
if request.method == 'POST':
if request.form.get('action', 'none') == 'delete':
UserGroup.delete().where(UserGroup.group == thisgroup).execute()
thisgroup.delete_instance()
flash('group:'+ thisgroup.name +' deleted.')
return redirect(url_for('users_and_groups'))
if request.form.get('action', 'none') == 'update':
thisgroup.name = request.form.get('groupname', thisgroup.name)
thisgroup.save()
groupusers = request.form.getlist('groupusers')
thisgroup.set_users(groupusers)
flash('saved')
return render_template('group.html', group=thisgroup, allusers=User.select())
def posts():
''' (HTML) list of ALL posts. (also deletes broken posts, if error) '''
try:
user = user_session.get_user()
except user_session.NotLoggedIn:
user = User()
try:
if user.is_admin:
return render_template('posts.html',
posts=Post.select(),
user=user)
else:
return render_template('posts.html',
posts=Post.select() \
.where(Post.status == 0), user=user)
except Feed.DoesNotExist:
# Ah. Database inconsistancy! Not good, lah.
ps = Post.raw('select post.id from post'
' left join feed on feed.id = post.feed_id'
' where feed.id is null;')
for p in ps:
p.delete_instance()
flash('Cleaned up old posts...')
if user.is_admin:
return render_template('posts.html', posts=Post.select(), user=user)
else:
return render_template('posts.html',
posts=Post.select()\
.where(Post.status == 0), user=user)
def test_admin_can_make_admin_with_on(self):
self.assertFalse(self.user.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin="on")
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
def test_one_user_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
f.grant('Publish', user=u)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [u])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def group(groupid):
''' edit one user group. '''
try:
thisgroup = Group.get(id=groupid)
except:
flash('Invalid group ID')
return redirect(request.referrer if request.referrer else '/')
if request.method == 'POST':
if request.form.get('action', 'none') == 'delete':
UserGroup.delete().where(UserGroup.group == thisgroup).execute()
thisgroup.delete_instance()
flash('group:' + thisgroup.name + ' deleted.')
return redirect(url_for('users_and_groups'))
if request.form.get('action', 'none') == 'update':
thisgroup.name = request.form.get('groupname', thisgroup.name)
thisgroup.save()
groupusers = request.form.getlist('groupusers')
thisgroup.set_users(groupusers)
flash('saved')
return render_template('group.html',
group=thisgroup,
allusers=User.select())
def setUp(self):
super(DeletingUsers, self).setUp()
self.user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
self.user2.set_password(USERPASS)
self.user2.save()
def test_normal_user_cannot_unset_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=self.admin.id, is_admin=False)
self.assertEqual(resp.status_code, 403)
adminnow = User.get(id=self.admin.id)
self.assertEqual(adminnow.is_admin, True)
def test_emailaddress_must_be_valid(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(emailaddress='BANANA!!!!')
self.assertIn('not a valid emailaddress', resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.emailaddress, '*****@*****.**')
def test_normal_user_cannot_unset_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=self.admin.id, is_admin=False)
self.assertEqual(resp.status_code, 403)
adminnow = User.get(id=self.admin.id)
self.assertEqual(adminnow.is_admin, True)
def test_emailaddress_must_be_valid(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(emailaddress='BANANA!!!!')
self.assertIn('not a valid emailaddress', resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.emailaddress, '*****@*****.**')
def test_cannot_change_other_users_password_even_with_their_currpass(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=user2.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******",
"currpass": "******"
},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
self.assertEquals(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.passwordhash, user2.passwordhash)
def test_cannot_set_own_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(USERNAME, USERPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [])
def test_cannot_set_own_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(USERNAME, USERPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [])
def test_admin_can_set_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(ADMINNAME, ADMINPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [g1])
def test_admin_can_set_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(ADMINNAME, ADMINPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [g1])
def feedpage(feedid):
''' the back end settings for one feed. '''
try:
feed = Feed.get(id=feedid)
user = user_session.get_user()
except user_session.NotLoggedIn:
user = User()
except:
flash('invalid feed id! (' + str(feedid) + ')')
return redirect(url_for('feeds'))
if request.method == 'POST':
if not user_session.logged_in():
flash("You're not logged in!")
return redirect(url_for('feeds'))
if not user.is_admin:
flash('Sorry! Only Admins can change these details.')
return redirect(request.referrer)
action = request.form.get('action', 'none')
if action == 'edit':
feed.name = request.form.get('title', feed.name).strip()
inlist = request.form.getlist
feed.post_types = ', '.join(inlist('post_types'))
feed.set_authors(by_id(User, inlist('authors')))
feed.set_publishers(by_id(User, inlist('publishers')))
feed.set_author_groups(by_id(Group, inlist('author_groups')))
feed.set_publisher_groups(by_id(Group, inlist('publisher_groups')))
feed.save()
flash('Saved')
elif action == 'delete':
for post in feed.posts:
post_type_module = post_types.load(post.type)
delete_post_and_run_callback(post, post_type_module)
feed.delete_instance(True, True) # cascade/recursive delete.
flash('Deleted')
return redirect(url_for('feeds'))
return render_template('feed.html',
feed=feed,
user=user,
all_posttypes=post_types.types(),
allusers=User.select(),
allgroups=Group.select()
)
def index():
''' main front page / dashboard / index. '''
try:
user = user_session.get_user()
except user_session.NotLoggedIn as e:
user = User()
if not user:
user = User()
publishable_feeds = user.publishable_feeds()
posts_to_publish = Post.select()\
.where((Post.published==False) &
(Post.feed << publishable_feeds))
screens = Screen.select()
aliases = config_var('screens.aliases', [])
for alias in aliases:
for screen in screens:
if screen.urlname == alias['screen_name']:
alias['screen'] = screen
break
else:
alias['screen'] = None
return render_template('dashboard.html',
aliases=aliases,
feeds=Feed.select(),
publishable_feeds=publishable_feeds,
posts=Post.select().where(Post.author == user)\
.order_by(Post.write_date.desc())\
.limit(15),
posts_to_publish=posts_to_publish,
screens=screens,
user=user)
def index():
''' main front page / dashboard / index. '''
try:
user = user_session.get_user()
except user_session.NotLoggedIn:
user = User()
if not user:
user = User()
publishable_feeds = user.publishable_feeds()
posts_to_publish = Post.select()\
.where((Post.published == False) &
(Post.feed << publishable_feeds))
screens = Screen.select()
aliases = config_var('screens.aliases', [])
for alias in aliases:
for screen in screens:
if screen.urlname == alias['screen_name']:
alias['screen'] = screen
break
else:
alias['screen'] = None
return render_template('dashboard.html',
aliases=aliases,
feeds=Feed.select(),
publishable_feeds=publishable_feeds,
posts=Post.select().where(Post.author == user)\
.order_by(Post.write_date.desc())\
.limit(15),
posts_to_publish=posts_to_publish,
screens=screens,
user=user)
def test_logged_out_cannot_set_password(self):
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******"},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
# and make sure the password didn't get changed!
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_admin_can_change_own_password(self):
self.login(ADMINNAME, ADMINPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.admin.id),
data={"action":"update",
"newpass": "******",
"currpass": ADMINPASS,
"conf_newpass": "******"},
follow_redirects=True)
self.assertIn("Password changed", resp.data)
usernow = User.get(id=self.admin.id)
self.assertNotEqual(usernow.passwordhash, self.admin.passwordhash)
def test_cannot_change_password_without_current_password(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******"},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("You need to enter your current password", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_logged_out_cannot_set_password(self):
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******"
},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
# and make sure the password didn't get changed!
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_cannot_change_password_with_differing_inputs(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******",
"currpass": USERPASS},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("Passwords don't match", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_normal_user_cannot_set_other_to_admin(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=user2.id, is_admin=True)
self.assertEqual(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.is_admin, False)
def users_and_groups():
''' list of all users and groups (HTML page). '''
if request.method == 'POST':
action = request.form.get('action', 'creategroup')
if action == 'creategroup':
if not request.form.get('name', '').strip():
flash("I'm not making you an un-named group!")
return redirect(url_for('users_and_groups'))
Group.create(name=request.form.get('name', 'blank').strip())
return render_template('users_and_groups.html',
users=User.select(),
groups=Group.select())
def test_admin_can_change_own_password(self):
self.login(ADMINNAME, ADMINPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.admin.id),
data={
"action": "update",
"newpass": "******",
"currpass": ADMINPASS,
"conf_newpass": "******"
},
follow_redirects=True)
self.assertIn("Password changed", resp.data)
usernow = User.get(id=self.admin.id)
self.assertNotEqual(usernow.passwordhash, self.admin.passwordhash)
def test_cannot_change_password_without_current_password(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******"
},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("You need to enter your current password", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def users_and_groups():
''' list of all users and groups (HTML page). '''
if request.method == 'POST':
action = request.form.get('action', 'creategroup')
if action == 'creategroup':
if not request.form.get('name', '').strip():
flash("I'm not making you an un-named group!")
return redirect(url_for('users_and_groups'))
Group.create(name=request.form.get('name', 'blank').strip())
return render_template('users_and_groups.html',
users=User.select(),
groups=Group.select())
def test_cannot_change_password_with_differing_inputs(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******",
"currpass": USERPASS
},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("Passwords don't match", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_normal_user_cannot_set_other_to_admin(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=user2.id, is_admin=True)
self.assertEqual(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.is_admin, False)
def test_cannot_have_matching_usernames(self):
user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password(USERPASS)
user2.save()
# if this get works, then the user exists:
usernow = User.get(loginname="user2")
self.assertEqual(user2.id, usernow.id)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******', conf_newpass='******')
self.assertIn("Username already exists", resp.data)
# and just make sure we didn't delete them, or set their password...
usernew = User.get(loginname="user2")
self.assertEqual(usernow.passwordhash, usernew.passwordhash)
def test_cannot_change_other_users_password_even_with_their_currpass(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=user2.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******",
"currpass": "******"},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
self.assertEquals(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.passwordhash, user2.passwordhash)