def test_reset_password():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# User must be an admin to update roles
response = CLIENT.post('/service/user/reset-password?mode=test',
json=dict(username=conf.TEST_USER),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Username must be in the post body
response = CLIENT.post('/service/user/reset-password?mode=test',
json=dict(password='******'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user/reset-password?mode=test',
json=dict(username=conf.TEST_USER),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None
def update_role():
""" Updates the role for the user in the post body """
user_management = UserManagement()
jwt_user = get_jwt_identity()
admin_user = user_management.get_user(jwt_user)
authorized = admin_user['role'] == 'admin'
log_request(request, jwt_user, authorized)
if not authorized:
response = {'message': 'only admins can update roles'}
return jsonify(response), 403
else:
if 'username' not in request.json:
response = {'message': 'username required in post body'}
return jsonify(response), 400
if 'role' not in request.json:
response = {'message': 'role required in post body'}
return jsonify(response), 400
username = request.json['username']
role = request.json['role']
updated = user_management.update_role(username, role)
if updated:
response = {'message': 'role update for %s' % (username)}
return jsonify(response), 201
def test_member_upload():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/members/upload'
# The user must be authenticated
response = CLIENT.post(url)
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# The user must have access to members
response = CLIENT.post(url,
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role(conf.TEST_USER, 'admin')
# Uh oh! Bad file
response = CLIENT.post(url,
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_delete_user():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# Only an admin can delete a user
response = CLIENT.delete('/service/user/unittestuser',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Success!
response = CLIENT.delete('/service/user/unittestuser',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 204
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user = user_management.get_user(conf.TEST_USER)
assert user == None
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
def test_list_users():
user_management = UserManagement()
user_management.delete_user('unittestadmin')
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# User must be an admin to update roles
response = CLIENT.get('/service/users/list',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Success!
response = CLIENT.get(
'/service/users/list',
headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
users = response.json
for user in users:
assert 'id' in user
assert 'role' in user
assert 'modules' in user
assert 'password' not in user
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None
def test_update_email():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# User must be an admin to update email
response = CLIENT.post('/service/user/update-email',
json=dict(username=conf.TEST_USER, role='admin'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Username must be in the post body
response = CLIENT.post('/service/user/update-email',
json=dict(email='*****@*****.**'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Email must be in the post body
response = CLIENT.post('/service/user/update-email',
json=dict(username=conf.TEST_USER),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user/update-email',
json=dict(username=conf.TEST_USER,
email='*****@*****.**'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
unittestuser = user_management.get_user(conf.TEST_USER)
assert unittestuser['email'] == '*****@*****.**'
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None
def test_add_user():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# Only an admin can register a user
response = CLIENT.post('/service/user?mode=test',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# JSON body is required to register a user
response = CLIENT.post('/service/user?mode=test',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user?mode=test',
json=dict(username=conf.TEST_USER,
email='*****@*****.**',
role='standard',
modules=['events', 'map']),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
user = user_management.get_user(conf.TEST_USER)
assert 'events' in user['modules']
assert 'map' in user['modules']
assert user['role'] == 'standard'
assert user['email'] == '*****@*****.**'
# Can't register the same user twice
response = CLIENT.post('/service/user?mode=test',
json=dict(username=conf.TEST_USER,
email='*****@*****.**',
password=conf.TEST_PASSWORD),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None