class TestUserJoin(APITestCase): """Test User.join_group""" def _fixture_setup(self): super()._fixture_setup() # needs auth.change_user self.api_user.is_superuser = True self.api_user.save() self.user = UserFactory(username='******', email='*****@*****.**') self.group = GroupFactory(name='test_group') def test_join_normally(self): self.rpc_client.User.join_group(self.user.username, self.group.name) self.user.refresh_from_db() user_added_to_group = self.user.groups.filter( name=self.group.name).exists() self.assertTrue(user_added_to_group, 'User should be added to group.') def test_join_nonexistent_user(self): with self.assertRaisesRegex(XmlRPCFault, "User matching query does not exist"): self.rpc_client.User.join_group('nonexistent user', self.group.name) def test_join_nonexistent_group(self): with self.assertRaisesRegex(XmlRPCFault, "Group matching query does not exist"): self.rpc_client.User.join_group(self.user.username, 'nonexistent group name')
class TestUserUpdate(APITestCase): """Test User.update""" def _fixture_setup(self): super()._fixture_setup() self.another_user = UserFactory() self.another_user.set_password('another-password') self.another_user.save() self.user_new_attrs = { 'first_name': 'new first name', 'last_name': 'new last name', 'email': 'new email', } def setUp(self): super().setUp() # clear permissions b/c we set them inside individual tests self.api_user.user_permissions.all().delete() def tearDown(self): super().tearDown() self.api_user.set_password('api-testing') self.api_user.save() def test_update_myself(self): data = self.rpc_client.User.update(self.api_user.pk, self.user_new_attrs) self.assertEqual(data['first_name'], self.user_new_attrs['first_name']) self.assertEqual(data['last_name'], self.user_new_attrs['last_name']) self.assertEqual(data['email'], self.user_new_attrs['email']) def test_update_myself_without_passing_id(self): data = self.rpc_client.User.update(None, self.user_new_attrs) self.assertEqual(data['first_name'], self.user_new_attrs['first_name']) self.assertEqual(data['last_name'], self.user_new_attrs['last_name']) self.assertEqual(data['email'], self.user_new_attrs['email']) def test_update_other_missing_permission(self): new_values = {'some_attr': 'xxx'} with self.assertRaisesRegex(XmlRPCFault, "Permission denied"): self.rpc_client.User.update(self.another_user.pk, new_values) def test_update_other_with_proper_permission(self): user_should_have_perm(self.api_user, 'auth.change_user') data = self.rpc_client.User.update(self.another_user.pk, self.user_new_attrs) self.another_user.refresh_from_db() self.assertEqual(data['first_name'], self.another_user.first_name) self.assertEqual(data['last_name'], self.another_user.last_name) self.assertEqual(data['email'], self.another_user.email) def test_update_own_password(self): user_new_attrs = self.user_new_attrs.copy() new_password = '******' # nosec:B105:hardcoded_password_string user_new_attrs[ 'password'] = new_password # nosec:B105:hardcoded_password_string with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs['old_password'] = '******' # nosec:B105 with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs[ 'old_password'] = '******' # nosec:B105:hardcoded_password_string data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs) self.assertTrue('password' not in data) self.assertEqual(data['first_name'], user_new_attrs['first_name']) self.assertEqual(data['last_name'], user_new_attrs['last_name']) self.assertEqual(data['email'], user_new_attrs['email']) self.api_user.refresh_from_db() self.assertTrue(self.api_user.check_password(new_password)) def test_update_another_user_password(self): user_should_have_perm(self.api_user, 'auth.change_user') user_new_attrs = self.user_new_attrs.copy() user_new_attrs[ 'password'] = '******' # nosec:B105:hardcoded_password_string with self.assertRaisesRegex( XmlRPCFault, 'Password updates for other users are not allowed via RPC!'): self.rpc_client.User.update(self.another_user.pk, user_new_attrs)
class TestUserUpdate(APITestCase): """Test User.update""" def _fixture_setup(self): super()._fixture_setup() self.another_user = UserFactory() self.another_user.set_password("another-password") self.another_user.save() self.user_new_attrs = { "first_name": "new first name", "last_name": "new last name", "email": "new email", } def setUp(self): super().setUp() # clear permissions b/c we set them inside individual tests self.api_user.user_permissions.all().delete() def tearDown(self): super().tearDown() self.api_user.set_password("api-testing") self.api_user.save() def test_update_myself(self): data = self.rpc_client.User.update(self.api_user.pk, self.user_new_attrs) self.assertEqual(data["first_name"], self.user_new_attrs["first_name"]) self.assertEqual(data["last_name"], self.user_new_attrs["last_name"]) self.assertEqual(data["email"], self.user_new_attrs["email"]) def test_update_myself_without_passing_id(self): data = self.rpc_client.User.update(None, self.user_new_attrs) self.assertEqual(data["first_name"], self.user_new_attrs["first_name"]) self.assertEqual(data["last_name"], self.user_new_attrs["last_name"]) self.assertEqual(data["email"], self.user_new_attrs["email"]) def test_update_other_missing_permission(self): new_values = {"some_attr": "xxx"} with self.assertRaisesRegex(XmlRPCFault, "Permission denied"): self.rpc_client.User.update(self.another_user.pk, new_values) def test_update_other_with_proper_permission(self): user_should_have_perm(self.api_user, "auth.change_user") data = self.rpc_client.User.update(self.another_user.pk, self.user_new_attrs) self.another_user.refresh_from_db() self.assertEqual(data["first_name"], self.another_user.first_name) self.assertEqual(data["last_name"], self.another_user.last_name) self.assertEqual(data["email"], self.another_user.email) def test_update_own_password(self): user_new_attrs = self.user_new_attrs.copy() new_password = "******" # nosec:B105:hardcoded_password_string user_new_attrs["password" # nosec:B105:hardcoded_password_string ] = new_password with self.assertRaisesRegex(XmlRPCFault, "Old password is required"): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs["old_password"] = "******" # nosec:B105 with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs["old_password" # nosec:B105:hardcoded_password_string ] = "api-testing" data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs) self.assertTrue("password" not in data) self.assertEqual(data["first_name"], user_new_attrs["first_name"]) self.assertEqual(data["last_name"], user_new_attrs["last_name"]) self.assertEqual(data["email"], user_new_attrs["email"]) self.api_user.refresh_from_db() self.assertTrue(self.api_user.check_password(new_password)) def test_update_another_user_password(self): user_should_have_perm(self.api_user, "auth.change_user") user_new_attrs = self.user_new_attrs.copy() user_new_attrs["password" # nosec:B105:hardcoded_password_string ] = "new password" with self.assertRaisesRegex( XmlRPCFault, "Password updates for other users are not allowed via RPC!"): self.rpc_client.User.update(self.another_user.pk, user_new_attrs)