def test_user_permission_view_as_staff_user(rf, admin_user):
    """Check that the superuser toggle is rendered for superusers only.

    A shop staff member and ``admin_user`` each open the permissions view for
    the same ordinary user. Only the superuser's page may contain the
    "Superuser (Full rights) status" label.

    NOTE(review): only GET rendering is exercised here. Whether a staff POST
    that carries ``is_superuser`` is ignored server-side is not covered by
    this test.
    """
    default_shop = get_default_shop()
    staff_member = create_random_user(is_staff=True)
    default_shop.staff_members.set([staff_member])
    target = create_random_user()

    def rendered_page_for(viewer):
        # A fresh view callable is built for every request.
        permissions_view = UserChangePermissionsView.as_view()
        request = apply_request_middleware(rf.get("/"), user=viewer)
        response = permissions_view(request, pk=target.id)
        assert response.status_code == 200
        response.render()
        return force_text(response.content)

    # Staff shouldn't be able to see superuser status
    assert "Superuser (Full rights) status" not in rendered_page_for(staff_member)

    # Superuser can see the superuser status
    assert admin_user.is_superuser
    assert "Superuser (Full rights) status" in rendered_page_for(admin_user)
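def test_user_create(rf, admin_user):
    """Exercise user creation and staff-flag changes through the admin views.

    Flow, with every POST issued as ``admin_user``:

    1. Create a non-staff user: redirect, one more user, not a shop staff
       member, no confirmation mail.
    2. Create a staff user: redirect, added to ``shop.staff_members``, one
       mail in the outbox.
    3. Open the detail view as a staff (non-superuser) account and check that
       the staff/superuser labels are not rendered.
    4. Remove and re-add the staff flag through ``UserChangePermissionsView``.
    """
    shop = get_default_shop()
    view_func = UserDetailView.as_view()
    before_count = get_user_model().objects.count()

    # 1) Non-staff user
    response = view_func(
        apply_request_middleware(rf.post(
            "/", {
                "username": "******",
                "email": "*****@*****.**",
                "first_name": "test",
                "last_name": "test",
                "password": "******",
                "send_confirmation": True
            }), user=admin_user))
    assert response.status_code == 302
    assert get_user_model().objects.count() == before_count + 1
    last_user = get_user_model().objects.last()
    assert last_user not in shop.staff_members.all()
    assert not mail.outbox, "mail not sent since user is not staff"

    # 2) Staff user
    response = view_func(
        apply_request_middleware(rf.post(
            "/", {
                "username": "******",
                "email": "*****@*****.**",
                "first_name": "test",
                "last_name": "test",
                "password": "******",
                "is_staff": True,
                "send_confirmation": True
            }), user=admin_user))
    assert response.status_code == 302
    assert get_user_model().objects.count() == before_count + 2
    last_user = get_user_model().objects.last()
    assert last_user in shop.staff_members.all()
    assert len(mail.outbox) == 1, "mail sent"

    # 3) Staff (non-superuser) viewer
    user = get_user_model().objects.create(
        username=printable_gibberish(20),
        first_name=printable_gibberish(10),
        last_name=printable_gibberish(10),
        password="******",
        is_staff=True,
        is_superuser=False
    )
    # The acting user has to be attached by apply_request_middleware. Keyword
    # arguments given to a RequestFactory's get() are treated as WSGI environ
    # entries, so the previous rf.get("/", user=user) never made the request
    # as `user` and the two negative assertions below could pass vacuously.
    # skip_session=True matches the other test_user_create call of this kind
    # in this file.
    response = view_func(
        apply_request_middleware(rf.get("/"), user=user, skip_session=True))
    assert response.status_code == 200
    response.render()
    # NOTE(review): a "not in" check on a label passes silently if the label
    # text changes; confirm these strings match what a superuser sees.
    assert "Staff status" not in force_text(response.content)
    assert "Superuser status" not in force_text(response.content)

    # 4a) remove user staff permission
    view_func = UserChangePermissionsView.as_view()
    response = view_func(
        apply_request_middleware(rf.post("/", {"is_staff": False}), user=admin_user),
        pk=last_user.id)
    assert response.status_code == 302
    # NOTE(review): objects.last() is re-queried after `user` was created
    # above, so this presumably inspects that newer account rather than the
    # one whose pk was just posted -- confirm, and consider re-fetching by pk.
    last_user = get_user_model().objects.last()
    assert last_user not in shop.staff_members.all()

    # 4b) add again
    view_func = UserChangePermissionsView.as_view()
    response = view_func(
        apply_request_middleware(rf.post("/", {"is_staff": True}), user=admin_user),
        pk=last_user.id)
    assert response.status_code == 302
    last_user = get_user_model().objects.last()
    assert last_user in shop.staff_members.all()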
def test_user_create(rf, admin_user):
    """Walk the admin user views through create, staff-toggle and superuser flows.

    All POST requests are made as ``admin_user``. The test creates a plain
    user, a staff user and a superuser through ``UserDetailView``, toggles the
    staff flag through ``UserChangePermissionsView``, and checks shop staff
    membership, the outbox and the total user count after each step. One GET
    is made as a staff (non-superuser) account to check that the staff and
    superuser labels are not rendered for it.
    """
    User = get_user_model()
    default_shop = get_default_shop()
    detail_view = UserDetailView.as_view()
    initial_total = User.objects.count()

    def as_admin(request):
        # Attach admin_user to the request through the project's test helper.
        return apply_request_middleware(request, user=admin_user)

    # Plain account: created, not shop staff, no confirmation mail.
    plain_payload = {
        "username": "******",
        "email": "*****@*****.**",
        "first_name": "test",
        "last_name": "test",
        "password": "******",
        "send_confirmation": True
    }
    response = detail_view(as_admin(rf.post("/", plain_payload)))
    assert response.status_code == 302
    assert User.objects.count() == initial_total + 1
    newest = User.objects.last()
    assert newest not in default_shop.staff_members.all()
    assert len(mail.outbox) == 0, "mail not sent since user is not staff"

    # Staff account: created, added to shop staff, one mail sent.
    staff_payload = {
        "username": "******",
        "email": "*****@*****.**",
        "first_name": "test",
        "last_name": "test",
        "password": "******",
        "is_staff": True,
        "send_confirmation": True
    }
    response = detail_view(as_admin(rf.post("/", staff_payload)))
    assert response.status_code == 302
    assert User.objects.count() == initial_total + 2
    newest = User.objects.last()
    assert newest in default_shop.staff_members.all()
    assert len(mail.outbox) == 1, "mail sent"

    # A staff, non-superuser viewer must not be shown the privilege labels.
    staff_viewer = User.objects.create(
        username=printable_gibberish(20),
        first_name=printable_gibberish(10),
        last_name=printable_gibberish(10),
        password="******",
        is_staff=True,
        is_superuser=False
    )
    viewer_request = apply_request_middleware(
        rf.get("/"), user=staff_viewer, skip_session=True)
    response = detail_view(viewer_request)
    assert response.status_code == 200
    response.render()
    # NOTE(review): a "not in" check on a label passes silently if the label
    # text changes; confirm these strings match what a superuser sees.
    page_checks = ("Staff status", "Superuser status")
    for label in page_checks:
        assert label not in force_text(response.content)

    # remove user staff permission
    permissions_view = UserChangePermissionsView.as_view()
    revoke_request = as_admin(rf.post("/", {"is_staff": False}))
    response = permissions_view(revoke_request, pk=newest.id)
    assert response.status_code == 302
    # NOTE(review): objects.last() is re-queried after `staff_viewer` was
    # created above, so this presumably inspects that newer account rather
    # than the one whose pk was just posted -- confirm, and consider
    # re-fetching by pk.
    newest = User.objects.last()
    assert newest not in default_shop.staff_members.all()

    # add again
    permissions_view = UserChangePermissionsView.as_view()
    grant_request = as_admin(rf.post("/", {"is_staff": True}))
    response = permissions_view(grant_request, pk=newest.id)
    assert response.status_code == 302
    newest = User.objects.last()
    assert newest in default_shop.staff_members.all()

    # create a superuser
    detail_view = UserDetailView.as_view()
    superuser_payload = {
        "username": "******",
        "email": "*****@*****.**",
        "first_name": "test",
        "last_name": "test",
        "password": "******",
        "is_staff": True,
        "is_superuser": True,
        "send_confirmation": False
    }
    response = detail_view(as_admin(rf.post("/", superuser_payload)))
    assert response.status_code == 302
    assert User.objects.count() == initial_total + 4
    newest = User.objects.last()
    # superuser shouldn't be added to staff members
    assert newest not in default_shop.staff_members.all()

    # change the superuser
    superuser_edit_payload = {
        "username": "******",
        "email": "*****@*****.**",
        "first_name": "test2",
        "last_name": "test",
        "password": "******",
        "is_staff": True,
        "is_superuser": True,
    }
    response = detail_view(
        as_admin(rf.post("/", superuser_edit_payload)), pk=newest.pk)
    assert response.status_code == 302
    # Editing an existing account must not add a row.
    assert User.objects.count() == initial_total + 4
    newest = User.objects.last()
    # superuser shouldn't be added to staff members
    assert newest not in default_shop.staff_members.all()