예제 #1
파일: user.py 프로젝트: lazaret/anuket
def password_edit_view(request):
    """ Render and process the change password form for one user.

    The target account is selected by the ``user_id`` segment of the route.
    An unknown id produces an error flash message and a redirect to the user
    list. A known id renders an empty password form; once the form has been
    submitted and validates, the form values are bound to the user, the user
    is added to the database session, a success message is flashed and the
    client is redirected to the user list. An invalid submission falls
    through and renders the form again with its validation errors.

    :param request: a ``pyramid.request`` object
    """
    # NOTE(review): the account whose password changes is chosen by the URL,
    # not by the session, and no current-password check happens here. Access
    # control is presumably the route/view permission configured elsewhere;
    # confirm it is limited to administrators.
    def to_user_list():
        return HTTPFound(location=request.route_path('tools.user_list'))

    _ = request.translate
    account = AuthUser.get_by_id(request.matchdict['user_id'])
    if not account:
        request.session.flash(_(u"This user did not exist!"), 'error')
        return to_user_list()

    password_form = Form(request, schema=UserPasswordForm, obj=account)
    was_submitted = 'form_submitted' in request.params
    if was_submitted and password_form.validate():
        # NOTE(review): bind() copies the validated fields onto the user;
        # hashing is presumably done by the AuthUser model. Confirm the
        # plaintext value is never stored.
        password_form.bind(account)
        DBSession.add(account)
        request.session.flash(_(u"Password updated."), 'success')
        return to_user_list()

    return {'renderer': FormRenderer(password_form)}
예제 #2
파일: user.py 프로젝트: kailIII/anuket
def password_edit_view(request):
    """ Render and process the change password form for one user.

    The target account is selected by the ``user_id`` segment of the route.
    An unknown id produces an error flash message and a redirect to the user
    list. A known id renders an empty password form; once the form has been
    submitted and validates, the form values are bound to the user, the user
    is added to the database session, a success message is flashed and the
    client is redirected to the user list. An invalid submission falls
    through and renders the form again with its validation errors.

    :param request: a ``pyramid.request`` object
    """
    # NOTE(review): the account whose password changes is chosen by the URL,
    # not by the session, and no current-password check happens here. Access
    # control is presumably the route/view permission configured elsewhere;
    # confirm it is limited to administrators.
    def to_user_list():
        return HTTPFound(location=request.route_path('tools.user_list'))

    _ = request.translate
    account = AuthUser.get_by_id(request.matchdict['user_id'])
    if not account:
        request.session.flash(_(u"This user did not exist!"), 'error')
        return to_user_list()

    password_form = Form(request, schema=UserPasswordForm, obj=account)
    was_submitted = 'form_submitted' in request.params
    if was_submitted and password_form.validate():
        # NOTE(review): bind() copies the validated fields onto the user;
        # hashing is presumably done by the AuthUser model. Confirm the
        # plaintext value is never stored.
        password_form.bind(account)
        DBSession.add(account)
        request.session.flash(_(u"Password updated."), 'success')
        return to_user_list()

    return {'renderer': FormRenderer(password_form)}
예제 #3
def get_auth_user(request):
    """ Return the `AuthUser` object for the user id carried by the request.

    Returns ``None`` when the request carries no user id.

    :param request: a ``pyramid.request`` object
    """
    # NOTE(review): presumably Pyramid's `unauthenticated_userid`, which
    # returns the id claimed by the request credentials without consulting
    # the authentication policy callback. The database lookup below is what
    # ties that id to an existing account; confirm callers treat a falsy
    # result as "not logged in".
    claimed_id = unauthenticated_userid(request)
    if not claimed_id:
        return None
    return AuthUser.get_by_id(claimed_id)
예제 #4
 def test_user_show_view(self):
     """ The `user_show` view returns the stored user under the 'user' key."""
     self.dummy_user_fixture()
     from anuket.views.user import user_show_view
     from anuket.models.auth import AuthUser

     # Call the view directly with a dummy request routed to user 1.
     dummy_request = AnuketDummyRequest()
     dummy_request.matchdict = {'user_id': 1}
     result = user_show_view(dummy_request)

     stored_user = AuthUser.get_by_id(1)
     shown_user = result['user']
     self.assertIsInstance(shown_user, AuthUser)
     self.assertEqual(shown_user, stored_user)
예제 #5
 def test_user_show_view(self):
     """ The `user_show` view returns the stored user under the 'user' key."""
     self.dummy_user_fixture()
     from anuket.views.user import user_show_view
     from anuket.models.auth import AuthUser

     # Call the view directly with a dummy request routed to user 1.
     dummy_request = AnuketDummyRequest()
     dummy_request.matchdict = {'user_id': 1}
     result = user_show_view(dummy_request)

     stored_user = AuthUser.get_by_id(1)
     shown_user = result['user']
     self.assertIsInstance(shown_user, AuthUser)
     self.assertEqual(shown_user, stored_user)
예제 #6
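 def test_direct_user_delete_is_forbiden_for_anonymous(self):
     """ An anonymous request to the delete URL must not delete the user.

     The request is expected to be redirected (302) to the login page, and
     the fixture user must still be retrievable afterwards.
     """
     self.dummy_user_fixture()
     response = self.testapp.get('/tools/user/1/delete', status=302)
     redirect = response.follow()
     self.assertEqual(redirect.status, '200 OK')
     self.assertEqual(redirect.request.path, '/login')
     self.assertIn('You are not connected.', redirect.body)
     # The access-control check only matters if the row survived, so verify
     # that the user is still in the database.
     from anuket.models.auth import AuthUser
     # assertTrue's second argument is only the failure message, so this is
     # a presence check.
     # NOTE(review): switch to assertEqual against the fixture object only
     # if both are confirmed to come from the same database session.
     self.assertTrue(
         AuthUser.get_by_id(1),
         'user 1 must still exist after the rejected delete')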
예제 #7
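 def test_direct_user_delete_is_forbiden_for_anonymous(self):
     """ An anonymous request to the delete URL must not delete the user.

     The request is expected to be redirected (302) to the login page, and
     the fixture user must still be retrievable afterwards.
     """
     self.dummy_user_fixture()
     response = self.testapp.get('/tools/user/1/delete', status=302)
     redirect = response.follow()
     self.assertEqual(redirect.status, '200 OK')
     self.assertEqual(redirect.request.path, '/login')
     self.assertIn('You are not connected.', redirect.body)
     # The access-control check only matters if the row survived, so verify
     # that the user is still in the database.
     from anuket.models.auth import AuthUser
     # assertTrue's second argument is only the failure message, so this is
     # a presence check.
     # NOTE(review): switch to assertEqual against the fixture object only
     # if both are confirmed to come from the same database session.
     self.assertTrue(
         AuthUser.get_by_id(1),
         'user 1 must still exist after the rejected delete')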
예제 #8
def groupfinder(user_id, request):
    """ Groupfinder callback for the authentication policy.

    Look the user up in the database and return a one-element list holding
    the ``group:<groupname>`` principal of that user. Return None when no
    user matches `user_id`.

    :param user_id: the id of the authenticated user
    :type user_id: integer
    :param request: a ``pyramid.request`` object (not used here)
    :return: a list with the user's group principal, or None
    """
    account = AuthUser.get_by_id(user_id)
    if not account:
        # A None result makes Pyramid treat the user id as not authenticated,
        # so credentials of an account that no longer exists stop working.
        return None
    return ['group:%s' % account.group.groupname]
예제 #9
파일: user.py 프로젝트: lazaret/anuket
def user_show_view(request):
    """ Render the page showing one user's data.

    The user is looked up by the ``user_id`` segment of the route. When a
    user is found it is returned to the renderer under the ``user`` key;
    otherwise an error flash message is added and the client is redirected
    to the user list.

    :param request: a ``pyramid.request`` object
    """
    # NOTE(review): any caller who reaches this view can read any account by
    # changing the id in the URL; the restriction is presumably the view
    # permission configured elsewhere. Confirm.
    _ = request.translate
    account = AuthUser.get_by_id(request.matchdict['user_id'])
    if account:
        return {'user': account}
    request.session.flash(_(u"This user did not exist!"), 'error')
    return HTTPFound(location=request.route_path('tools.user_list'))
예제 #10
파일: user.py 프로젝트: kailIII/anuket
def user_show_view(request):
    """ Render the page showing one user's data.

    The user is looked up by the ``user_id`` segment of the route. When a
    user is found it is returned to the renderer under the ``user`` key;
    otherwise an error flash message is added and the client is redirected
    to the user list.

    :param request: a ``pyramid.request`` object
    """
    # NOTE(review): any caller who reaches this view can read any account by
    # changing the id in the URL; the restriction is presumably the view
    # permission configured elsewhere. Confirm.
    _ = request.translate
    account = AuthUser.get_by_id(request.matchdict['user_id'])
    if account:
        return {'user': account}
    request.session.flash(_(u"This user did not exist!"), 'error')
    return HTTPFound(location=request.route_path('tools.user_list'))
예제 #11
파일: user.py 프로젝트: lazaret/anuket
def user_delete_view(request):
    """ Delete a user.

    A request without a referer is refused with an error flash message and
    a redirect to the home page. Otherwise the user is looked up by the
    ``user_id`` segment of the route: an unknown id produces an error flash
    message and a redirect to the user list. The deletion is also refused
    when the user belongs to the ``admins`` group and is the only member of
    it. In every other case the user is deleted, a warning message is
    flashed and the client is redirected to the user list.

    :param request: a ``pyramid.request`` object
    """
    def to_user_list():
        return HTTPFound(location=request.route_path('tools.user_list'))

    _ = request.translate

    # Deletion is meant to be confirmed through a modal in the templates, so
    # a request typed into the address bar (no referer) is refused.
    # NOTE(review): the Referer header is supplied by the client and only its
    # presence is tested, so this is not an authorization or CSRF control.
    # Permission is presumably enforced by the view configuration; nothing
    # here restricts the HTTP method or checks a CSRF token. Confirm both
    # are handled elsewhere.
    if not request.referer:
        request.session.flash(_(u"Insufficient permissions!"),
                              'error')
        return HTTPFound(location=request.route_path('home'))

    target = AuthUser.get_by_id(request.matchdict['user_id'])
    if not target:
        request.session.flash(_(u"This user did not exist!"), 'error')
        return to_user_list()

    # Never remove the last remaining member of the admins group.
    if target.group.groupname == u'admins':
        admin_ids = DBSession.query(AuthUser.user_id).join(AuthGroup)
        admin_total = admin_ids.filter(
            AuthGroup.groupname == u'admins').count()
        if admin_total == 1:
            request.session.flash(_(u"Deletion of the only admin forbidden!"),
                                  'error')
            return to_user_list()

    DBSession.delete(target)
    request.session.flash(_(u"User deleted."), 'warn')
    return to_user_list()
예제 #12
파일: user.py 프로젝트: kailIII/anuket
def user_delete_view(request):
    """ Delete a user.

    A request without a referer is refused with an error flash message and
    a redirect to the home page. Otherwise the user is looked up by the
    ``user_id`` segment of the route: an unknown id produces an error flash
    message and a redirect to the user list. The deletion is also refused
    when the user belongs to the ``admins`` group and is the only member of
    it. In every other case the user is deleted, a warning message is
    flashed and the client is redirected to the user list.

    :param request: a ``pyramid.request`` object
    """
    def to_user_list():
        return HTTPFound(location=request.route_path('tools.user_list'))

    _ = request.translate

    # Deletion is meant to be confirmed through a modal in the templates, so
    # a request typed into the address bar (no referer) is refused.
    # NOTE(review): the Referer header is supplied by the client and only its
    # presence is tested, so this is not an authorization or CSRF control.
    # Permission is presumably enforced by the view configuration; nothing
    # here restricts the HTTP method or checks a CSRF token. Confirm both
    # are handled elsewhere.
    if not request.referer:
        request.session.flash(_(u"Insufficient permissions!"), 'error')
        return HTTPFound(location=request.route_path('home'))

    target = AuthUser.get_by_id(request.matchdict['user_id'])
    if not target:
        request.session.flash(_(u"This user did not exist!"), 'error')
        return to_user_list()

    # Never remove the last remaining member of the admins group.
    if target.group.groupname == u'admins':
        admin_ids = DBSession.query(AuthUser.user_id).join(AuthGroup)
        admin_total = admin_ids.filter(
            AuthGroup.groupname == u'admins').count()
        if admin_total == 1:
            request.session.flash(_(u"Deletion of the only admin forbidden!"),
                                  'error')
            return to_user_list()

    DBSession.delete(target)
    request.session.flash(_(u"User deleted."), 'warn')
    return to_user_list()
예제 #13
 def test_AuthUser_get_by_id(self):
     """ `AuthUser.get_by_id` finds the fixture user by its id."""
     expected_user = self.dummy_user_fixture()
     from anuket.models.auth import AuthUser
     # First lookup: the id resolves to something truthy.
     first_lookup = AuthUser.get_by_id(1)
     self.assertTrue(first_lookup)
     # Second lookup: the result equals the fixture user.
     second_lookup = AuthUser.get_by_id(1)
     self.assertEqual(expected_user, second_lookup)
예제 #14
 def test_AuthUser_get_by_id(self):
     """ `AuthUser.get_by_id` finds the fixture user by its id."""
     expected_user = self.dummy_user_fixture()
     from anuket.models.auth import AuthUser
     # First lookup: the id resolves to something truthy.
     first_lookup = AuthUser.get_by_id(1)
     self.assertTrue(first_lookup)
     # Second lookup: the result equals the fixture user.
     second_lookup = AuthUser.get_by_id(1)
     self.assertEqual(expected_user, second_lookup)