def test_admin_can_delete_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 200)
with self.assertRaises(User.DoesNotExist):
User.get(id=self.user2.id)
def test_admin_can_delete_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 200)
with self.assertRaises(User.DoesNotExist):
User.get(id=self.user2.id)
def test_admin_needs_password_to_create_user(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request()
self.assertIn("You need to enter your current password", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_admin_can_create_user(self):
# should not yet exist:
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS)
self.assertEqual(resp.status_code, 200)
User.get(loginname="user2")
def test_admin_needs_password_to_create_user(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request()
self.assertIn("You need to enter your current password", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_admin_can_create_user(self):
# should not yet exist:
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS)
self.assertEqual(resp.status_code, 200)
User.get(loginname="user2")
def test_new_user_passwords_must_match(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******',
conf_newpass='******')
self.assertIn("Passwords don't match", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_new_user_passwords_must_match(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******',
conf_newpass='******')
self.assertIn("Passwords don't match", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_cannot_have_empty_password(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='',
conf_newpass='')
self.assertIn("Cannot Save", resp.data)
self.assertIn("passwordhash", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_admin_can_unset_admin(self):
self.assertFalse(self.user.is_admin)
self.user.is_admin = True
self.user.save()
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin=False)
usernow = User.get(id=self.user.id)
self.assertFalse(usernow.is_admin)
def test_admin_can_unset_admin(self):
self.assertFalse(self.user.is_admin)
self.user.is_admin = True
self.user.save()
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin=False)
usernow = User.get(id=self.user.id)
self.assertFalse(usernow.is_admin)
def test_cannot_have_empty_password(self):
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='',
conf_newpass='')
self.assertIn("Cannot Save", resp.data)
self.assertIn("passwordhash", resp.data)
with self.assertRaises(User.DoesNotExist):
User.get(loginname="user2")
def test_admin_can_make_admin_with_on(self):
self.assertFalse(self.user.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin="on")
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
def test_cannot_change_other_users_password_even_with_their_currpass(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=user2.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******",
"currpass": "******"
},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
self.assertEquals(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.passwordhash, user2.passwordhash)
def test_admin_can_make_admin_with_on(self):
self.assertFalse(self.user.is_admin)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.user.id, is_admin="on")
usernow = User.get(id=self.user.id)
self.assertTrue(usernow.is_admin)
def test_normal_user_cannot_unset_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=self.admin.id, is_admin=False)
self.assertEqual(resp.status_code, 403)
adminnow = User.get(id=self.admin.id)
self.assertEqual(adminnow.is_admin, True)
def test_emailaddress_must_be_valid(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(emailaddress='BANANA!!!!')
self.assertIn('not a valid emailaddress', resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.emailaddress, '*****@*****.**')
def test_normal_user_cannot_unset_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=self.admin.id, is_admin=False)
self.assertEqual(resp.status_code, 403)
adminnow = User.get(id=self.admin.id)
self.assertEqual(adminnow.is_admin, True)
def test_emailaddress_must_be_valid(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(emailaddress='BANANA!!!!')
self.assertIn('not a valid emailaddress', resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.emailaddress, '*****@*****.**')
def test_admin_can_set_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(ADMINNAME, ADMINPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [g1])
def test_cannot_set_own_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(USERNAME, USERPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [])
def test_cannot_set_own_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(USERNAME, USERPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [])
def test_admin_can_set_groups(self):
g1 = self.create_group('g1')
self.assertEqual(self.user.groups(), [])
self.login(ADMINNAME, ADMINPASS)
self.post_update_request(userid=self.user.id, groups=[g1.id])
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.groups(), [g1])
def test_cannot_have_matching_usernames(self):
user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password(USERPASS)
user2.save()
# if this get works, then the user exists:
usernow = User.get(loginname="user2")
self.assertEqual(user2.id, usernow.id)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******', conf_newpass='******')
self.assertIn("Username already exists", resp.data)
# and just make sure we didn't delete them, or set their password...
usernew = User.get(loginname="user2")
self.assertEqual(usernow.passwordhash, usernew.passwordhash)
def test_cannot_have_matching_usernames(self):
user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password(USERPASS)
user2.save()
# if this get works, then the user exists:
usernow = User.get(loginname="user2")
self.assertEqual(user2.id, usernow.id)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******',
conf_newpass='******')
self.assertIn("Username already exists", resp.data)
# and just make sure we didn't delete them, or set their password...
usernew = User.get(loginname="user2")
self.assertEqual(usernow.passwordhash, usernew.passwordhash)
def test_logged_out_cannot_set_password(self):
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******"},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
# and make sure the password didn't get changed!
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_normal_user_cannot_set_other_to_admin(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=user2.id, is_admin=True)
self.assertEqual(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.is_admin, False)
def test_normal_user_cannot_set_other_to_admin(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=user2.id, is_admin=True)
self.assertEqual(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.is_admin, False)
def test_cannot_change_password_without_current_password(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******"},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("You need to enter your current password", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_admin_can_change_own_password(self):
self.login(ADMINNAME, ADMINPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.admin.id),
data={"action":"update",
"newpass": "******",
"currpass": ADMINPASS,
"conf_newpass": "******"},
follow_redirects=True)
self.assertIn("Password changed", resp.data)
usernow = User.get(id=self.admin.id)
self.assertNotEqual(usernow.passwordhash, self.admin.passwordhash)
def test_logged_out_cannot_set_password(self):
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******"
},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
# and make sure the password didn't get changed!
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_cannot_change_password_with_differing_inputs(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******",
"currpass": USERPASS},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("Passwords don't match", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_admin_can_change_own_password(self):
self.login(ADMINNAME, ADMINPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.admin.id),
data={
"action": "update",
"newpass": "******",
"currpass": ADMINPASS,
"conf_newpass": "******"
},
follow_redirects=True)
self.assertIn("Password changed", resp.data)
usernow = User.get(id=self.admin.id)
self.assertNotEqual(usernow.passwordhash, self.admin.passwordhash)
def test_cannot_change_password_without_current_password(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******"
},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("You need to enter your current password", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_cannot_change_password_with_differing_inputs(self):
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=self.user.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******",
"currpass": USERPASS
},
follow_redirects=True)
self.assertNotIn("Password changed", resp.data)
self.assertIn("Passwords don't match", resp.data)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.passwordhash, self.user.passwordhash)
def test_cannot_change_other_users_password_even_with_their_currpass(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=user2.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******",
"currpass": "******"},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
self.assertEquals(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.passwordhash, user2.passwordhash)
def test_logged_out_cannot_delete_user(self):
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 403)
User.get(id=self.user2.id)
def test_admin_cannot_delete_self(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertIn("You cannot delete yourself", resp.data)
User.get(id=self.admin.id)
def test_normal_user_cannot_delete_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertEqual(resp.status_code, 403)
User.get(id=self.admin.id)
def test_admin_cannot_unadmin_self(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.admin.id, is_admin=False)
adminnow = User.get(id=self.admin.id)
self.assertEqual(adminnow.is_admin, True)
def test_logged_in_cannot_set_empty_loginname(self):
self.login(USERNAME, USERPASS)
self.post_update_request(loginname='')
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.loginname, USERNAME)
def test_admin_cannot_delete_self(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertIn("You cannot delete yourself", resp.data)
User.get(id=self.admin.id)
def test_logged_in_can_change_own_displayname(self):
self.login(USERNAME, USERPASS)
self.post_update_request(displayname='Banana!')
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.displayname, 'Banana!')
def test_admin_cannot_unadmin_self(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_update_request(userid=self.admin.id, is_admin=False)
adminnow = User.get(id=self.admin.id)
self.assertEqual(adminnow.is_admin, True)
def test_normal_user_cannot_set_self_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(is_admin=True)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.is_admin, False)
def test_logged_out_cannot_delete_user(self):
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 403)
User.get(id=self.user2.id)
def test_normal_user_cannot_set_self_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_update_request(is_admin=True)
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.is_admin, False)
def test_logged_in_can_change_own_emailaddress(self):
self.login(USERNAME, USERPASS)
self.post_update_request(emailaddress='*****@*****.**')
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.emailaddress, '*****@*****.**')
def test_logged_in_can_change_own_displayname(self):
self.login(USERNAME, USERPASS)
self.post_update_request(displayname='Banana!')
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.displayname, 'Banana!')
def test_logged_in_cannot_set_empty_loginname(self):
self.login(USERNAME, USERPASS)
self.post_update_request(loginname='')
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.loginname, USERNAME)
def user_edit(userid=-1):
''' edit one user. Admins can edit any user, but other users
can only edit themselves. if userid is -1, create a new user. '''
try:
current_user = user_session.get_user()
except user_session.NotLoggedIn as e:
flash("Sorry, you're not logged in!")
return permission_denied("You're not logged in!")
userid = int(userid)
if userid != -1:
try:
user = User.get(id=userid)
except User.DoesNotExist:
return not_found(title="User doesn't exist",
message="Sorry, that user does not exist!")
else:
if not current_user.is_admin:
flash('Sorry! Only admins can create new users!')
return permission_denied("Admins only!")
try:
user = User.get(loginname=request.form['loginname'])
return permission_denied("Username already exists!")
except peewee.DoesNotExist:
pass
user = User() #pylint: disable=no-value-for-parameter
if request.method == 'POST':
if current_user != user and not current_user.is_admin:
return permission_denied("Sorry, you may not edit this user.")
update_user(user, request.form, current_user)
# save:
try:
user.save()
if userid == -1:
flash('New user created.')
return redirect(url_for('user_edit', userid=user.id))
else:
flash('Saved')
except peewee.IntegrityError as err:
flash('Cannot Save:' + str(err))
elif request.method == 'DELETE':
if not current_user.is_admin:
return 'Sorry, only admins can delete users', 403
if user.id == current_user.id:
return 'Sorry! You cannot delete yourself!', 403
user.delete_instance(recursive=True)
return 'User: %s deleted. (And all their posts)' % user.displayname
users_posts = Post.select().where(Post.author == user) \
.order_by(Post.write_date.desc()) \
.limit(10)
return render_template('user.html',
allgroups=Group.select(),
posts=users_posts, user=user)
def test_logged_in_can_change_own_emailaddress(self):
self.login(USERNAME, USERPASS)
self.post_update_request(emailaddress='*****@*****.**')
usernow = User.get(id=self.user.id)
self.assertEqual(usernow.emailaddress, '*****@*****.**')
def user_edit(userid=-1):
''' edit one user. Admins can edit any user, but other users
can only edit themselves. if userid is -1, create a new user. '''
try:
current_user = user_session.get_user()
except user_session.NotLoggedIn as e:
flash("Sorry, you're not logged in!")
return permission_denied("You're not logged in!")
userid = int(userid)
if userid != -1:
try:
user = User.get(id=userid)
except User.DoesNotExist:
return not_found(title="User doesn't exist",
message="Sorry, that user does not exist!")
else:
if not current_user.is_admin:
flash('Sorry! Only admins can create new users!')
return permission_denied("Admins only!")
try:
user = User.get(loginname=request.form.get('loginname', ''))
return permission_denied("Username already exists!")
except peewee.DoesNotExist:
pass
user = User() #pylint: disable=no-value-for-parameter
if request.method == 'POST':
if current_user != user and not current_user.is_admin:
return permission_denied("Sorry, you may not edit this user.")
update_user(user, request.form, current_user)
# save:
try:
user.save()
if userid == -1:
flash('New user created.')
return redirect(url_for('user_edit', userid=user.id))
else:
flash('Saved')
except peewee.IntegrityError as err:
flash('Cannot Save:' + str(err))
elif request.method == 'DELETE':
if not current_user.is_admin:
return 'Sorry, only admins can delete users', 403
if user.id == current_user.id:
return 'Sorry! You cannot delete yourself!', 403
user.delete_instance(recursive=True)
return 'User: %s deleted. (And all their posts)' % user.displayname
users_posts = Post.select().where(Post.author == user) \
.order_by(Post.write_date.desc()) \
.limit(10)
return render_template('user.html',
allgroups=Group.select(),
posts=users_posts,
user=user)
def test_normal_user_cannot_delete_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertEqual(resp.status_code, 403)
User.get(id=self.admin.id)