def test_can_manage_employees_from_same_company(method, clean_app):
    """The current user is granted `method` on a colleague of the same company."""
    current_user = factories.EmployeeFactory(
        company=factories.CompanyFactory())
    coworker = factories.EmployeeFactory(company=current_user.company)

    flask.g.user = current_user

    granted = has_privilege(
        method=method, resource="employee", employee_id=coworker.id)
    assert granted
def test_manager_can_access_employee():
    """READ on another employee of the same company is allowed."""
    company = factories.CompanyFactory()

    # set role to manager
    # NOTE(review): no role is passed to either factory call in this test, so
    # the manager/master relationship named in the comments is not exercised
    # by the visible code -- confirm.
    current_user = factories.EmployeeFactory(company=company)
    flask.g.user = current_user

    # set role to master
    target = factories.EmployeeFactory(company=company)

    allowed = is_allowed(
        method=Method.READ, resource="employee", employee_id=target.id)
    assert allowed
def test_can_access_same_company_employees(app, db_session):
    """Two employees sharing a company and a role: READ is granted."""
    shared_company = factories.CompanyFactory()
    shared_role = factories.RoleFactory()
    current_user = factories.EmployeeFactory(
        company=shared_company, role=shared_role)
    coworker = factories.EmployeeFactory(
        company=shared_company, role=shared_role)

    flask.g.user = current_user

    granted = has_privilege(
        method=Method.READ, resource="employee", employee_id=coworker.id)
    assert granted
def test_owner_can_access_director():
    """READ on another employee of the same company is allowed."""
    company = factories.CompanyFactory()

    # set role to owner
    # NOTE(review): neither factory call receives a role, so the
    # owner/director relationship named in the comments is not set up by the
    # visible code -- confirm.
    current_user = factories.EmployeeFactory(company=company)
    flask.g.user = current_user

    # set role to director
    target = factories.EmployeeFactory(company=company)

    allowed = is_allowed(
        method=Method.READ, resource="employee", employee_id=target.id)
    assert allowed
def test_administrator_can_access_director_from_other_company():
    """READ on an employee of a different company is allowed."""
    home_company = factories.CompanyFactory()

    # set role to administrator
    # NOTE(review): no role is passed to the factory, so as written this
    # asserts that an employee created without an explicit role may READ an
    # employee of another company. The administrator role needs to be assigned
    # for the test to check the cross-company exception it is named after --
    # confirm.
    current_user = factories.EmployeeFactory(company=home_company)
    flask.g.user = current_user

    foreign_company = factories.CompanyFactory()
    # set role to director
    target = factories.EmployeeFactory(company=foreign_company)

    allowed = is_allowed(
        method=Method.READ, resource="employee", employee_id=target.id)
    assert allowed
def test_manager_cant_access_director(method, app, db_session):
    """A Manager is denied `method` on a Director but granted it on a Master."""
    manager_role = factories.RoleFactory(role_type=RoleType.Manager)
    manager = factories.EmployeeFactory(role=manager_role)

    director_role = factories.RoleFactory(role_type=RoleType.Director)
    director = factories.EmployeeFactory(role=director_role)

    master_role = factories.RoleFactory(role_type=RoleType.Master)
    master = factories.EmployeeFactory(role=master_role)

    flask.g.user = manager

    # Denied: the target holds the Director role.
    director_granted = has_privilege(
        method=method, resource="employee", employee_id=director.id)
    assert not director_granted

    # Granted: the target holds the Master role.
    master_granted = has_privilege(
        method=method, resource="employee", employee_id=master.id)
    assert master_granted
def test_delete(client):
    """A Manager's POST to employee.delete removes a same-company Intern."""
    company = factories.CompanyFactory()

    # NOTE(review): each Role is constructed inline and its `.id` is read
    # straight away; unless Role assigns an id at construction, both role_id
    # values are None and the roles are not really set -- confirm.
    intern_role_id = Role(role_type=RoleType.Intern.name).id
    intern = factories.EmployeeFactory(
        company=company, role_id=intern_role_id)
    manager_role_id = Role(role_type=RoleType.Manager.name).id
    boss = factories.EmployeeFactory(
        company=company, role_id=manager_role_id)

    # Authenticate the request as the manager through the session.
    with client.session_transaction() as session:
        session["user_id"] = boss.id

    # Keep the id before the request, since the row is expected to disappear.
    intern_id = intern.id
    delete_url = url_for("employee.delete", id=intern_id)
    response = client.post(delete_url)

    assert Employee.query.count() == 1
    assert Employee.query.get(intern_id) is None
    assert response.status_code == HTTPStatus.OK
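def test_cannot_access_other_company_employees(method, app, db_session):
    """
    Even though the authenticated user is a director, they cannot access a
    manager's profile because the manager works for another company.

    The check runs with the `method` fixture value, so the cross-company
    denial is asserted for each value the fixture supplies.
    """
    director = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory(name="Director"))
    manager = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory(name="Manager"))
    flask.g.user = director
    # Previously hard-coded to Method.READ, which ignored the `method` fixture
    # and left the denial untested for every other method.
    assert not has_privilege(
        method=method, resource="employee", employee_id=manager.id)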
def login(self, username="******", password="******"):
    """Create a fresh employee and mark the test client's session as logged in.

    `username` and `password` are accepted but never read: no credential
    check happens here, the session is written directly. Always returns True.
    """
    new_company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(
        company=new_company,
    )
    with self._client.session_transaction() as session:
        session["user_id"] = employee.id
        session["logged_in"] = True
    return True
def test_cannot_access_list(client, db_session):
    """
    Show 403 - Forbidden when user cannot access employee list
    """
    # An employee exists in the database, but the test writes no user into
    # the client's session before the request.
    company = factories.CompanyFactory()
    manager_role = factories.RoleFactory()
    factories.EmployeeFactory(company=company, role=manager_role)

    list_url = url_for("employee.list")
    response = client.get(list_url)

    assert response.status_code == HTTPStatus.FORBIDDEN
def test_insert_employee(db_session):
    """Integration test: a factory-created Employee can be read back by id."""
    created = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory(),
    )

    fetched = db_session.query(Employee).get(created.id)

    assert fetched.username == created.username
def test_list(client, db_session):
    """
    List all employees
    """
    # NOTE(review): the test writes no user into the session, so unless the
    # `client` fixture authenticates on its own, this expects the employee
    # listing to be served to an unauthenticated client -- confirm intended.
    employee = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        role=factories.RoleFactory(),
    )

    response = client.get(url_for("employee.list"))

    assert response.status_code == HTTPStatus.OK
    expected_name = employee.username.encode()
    assert expected_name in response.data
def test_can_access_to_emloyee_resource(method, app):
    """
    Check that a user can access only their own employee account
    """
    current_user = factories.EmployeeFactory()
    flask.g.user = current_user

    # Own record: granted.
    own_granted = has_privilege(
        method=method, resource="employee", employee_id=current_user.id)
    assert own_granted

    # The id -1 is used as a target other than the user's own record: denied.
    other_granted = has_privilege(
        method=method, resource="employee", employee_id=-1)
    assert not other_granted
def test_edit(client):
    """POSTing a new comment to employee.edit updates the stored comment."""
    initial_comment = "No comments"
    employee = factories.EmployeeFactory(comment=initial_comment)

    before = Employee.query.get(employee.id)
    assert before.comment == "No comments"

    # NOTE(review): the test writes no user into the session before posting;
    # whether the edit view requires authentication is not visible here.
    edit_url = url_for('employee.edit', id=employee.id)
    client.post(edit_url, data={"comment": "One comment"})

    after = Employee.query.get(employee.id)
    assert after.comment == "One comment"
    # The bare string below is the original author's marker, kept as-is.
    """fails"""
def test_can_access_subalterns(method, app, db_session):
    """
    A director of a company should be able to access the profiles of
    employees with a lower role.
    """
    company = factories.CompanyFactory()

    def make_employee(role_name):
        # One employee of `company` holding a freshly created role.
        return factories.EmployeeFactory(
            company=company, role=factories.RoleFactory(name=role_name))

    director = make_employee("Director")
    master = make_employee("Master")
    manager = make_employee("Manager")
    intern = make_employee("Intern")

    flask.g.user = director

    # NOTE(review): the `method` fixture is requested but not passed on, so
    # each check runs with whatever default has_privilege uses -- confirm.
    for subaltern in (manager, master, intern):
        assert has_privilege(resource="employee", employee_id=subaltern.id)
def test_forgot_password_post(client):
    """POST to auth.forgot_password renders the confirmation page with 200."""
    employee = factories.EmployeeFactory(email="*****@*****.**")

    forgot_url = flask.url_for("auth.forgot_password")
    response = client.post(forgot_url, data={"email": employee.email})
    page = response.data.decode("utf-8")

    assert "<h1>Forgot password</h1>" in page
    # The page is expected to show the address in masked form.
    masked_notice = (
        f"We've sent an e-mail to mrg***@yahoo.com with your new password.")
    assert masked_notice in page
    assert "Please use it to log in and change it." in page
    assert response.status_code == HTTPStatus.OK
def test_forgot_password_routine(client):
    """After a password reset, the old password no longer logs the user in."""
    old_password = "pass"
    employee = factories.EmployeeFactory(
        username="******",
        password=auth_hash(old_password),
        email="*****@*****.**",
    )

    # First login with the original password; its result is not checked.
    login(employee.username, "pass")
    flask.session.clear()

    # Trigger the reset.
    client.post(
        flask.url_for("auth.forgot_password"),
        data={"email": employee.email},
    )

    # The same credentials must now be rejected and leave no user in session.
    error = login(employee.username, "pass")
    assert error
    assert not flask.session.get("user_id")
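def test_list(client):
    """
    Test list is okay

    The item markup is matched as bytes: the other tests in this listing
    treat `response.data` as bytes (decoding it or matching `b"..."`
    literals), and a `str in bytes` check raises TypeError on Python 3.
    """
    company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(company=company)
    # NOTE(review): only one item is created here while four headings are
    # asserted below, and no user is written into the session -- confirm the
    # fixtures this test relies on.
    factories.ItemFactory(employee_id=employee.id, company=company)
    response = client.get("/items/")
    assert b"<article class=\"item\"><header><div><h1>1</h1></div>" in response.data
    assert b"<article class=\"item\"><header><div><h1>2</h1></div>" in response.data
    assert b"<article class=\"item\"><header><div><h1>3</h1></div>" in response.data
    assert b"<article class=\"item\"><header><div><h1>4</h1></div>" in response.data
    assert response.status_code == HTTPStatus.OK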
def test_company_endpoints(client):
    """GET and PUT on the user's own company return 200, DELETE returns 204."""
    own_company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(
        company=own_company
    )

    # Authenticate the client as that employee through the session.
    with client.session_transaction() as session:
        session["user_id"] = employee.id

    url = flask.url_for('companies.api', company_id=employee.company_id)

    get_response = client.get(url)
    assert get_response.status_code == 200
    put_response = client.put(url)
    assert put_response.status_code == 200
    delete_response = client.delete(url)
    assert delete_response.status_code == 204
def test_activate_authenticated(client):
    """
    Tests if authenticated POST to activate returns correct screen
    """
    inactive_employee = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        account_status=False,
    )

    with client.session_transaction() as session:
        session["logged_in"] = True
        session["user_id"] = inactive_employee.id

    response = client.post("/auth/activate")

    assert b"<h1>Successfully activated your account.</h1>" in response.data
    # Re-read the row so the assertion sees the persisted status.
    reloaded = Employee.query.get(inactive_employee.id)
    assert reloaded.account_status
    assert response.status_code == HTTPStatus.OK
def test_list(client):
    """
    Test list is okay
    """
    viewer = factories.EmployeeFactory()
    for item_name in ("1", "2", "3"):
        factories.ItemFactory(name=item_name)

    # The user is set both on flask.g and in the client's session.
    flask.g.user = viewer
    with client.session_transaction() as session:
        session["user_id"] = viewer.id

    response = client.get("/items/")
    page = response.data

    assert b"<article class=\"item\"><header><div><h1>1</h1></div>" in page
    assert b"<article class=\"item\"><header><div><h1>2</h1></div>" in page
    assert b"<article class=\"item\"><header><div><h1>3</h1></div>" in page
    assert response.status_code == HTTPStatus.OK
def test_activate_authenticated(client):
    """
    Tests if authenticated POST to activate returns correct screen
    @todo #385:30min Inject user into session in the test below. Test is
     broken because we do not set user in session and then auth/views.py
     does not redirect to correct page. Fix this behavior and uncomment
     this test.
    """
    inactive_employee = factories.EmployeeFactory(
        company=factories.CompanyFactory(),
        account_status=False,
    )

    with client.session_transaction() as session:
        session["user_id"] = inactive_employee.id
    g.user = inactive_employee

    response = client.post("/auth/activate")

    assert b"<h1>Successfully activated your account.</h1>" in response.data
    # Checked on the in-memory object created above, not on a fresh query.
    assert inactive_employee.account_status
    assert response.status_code == HTTPStatus.OK
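def test_list(client):
    """
    Test list is okay

    Creates three tables on one floor of the user's company and expects the
    listing to contain each table heading, and exactly three headings.
    """
    role = factories.RoleFactory(name=RoleType.Intern.name)
    company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(company=company, role_id=role.id)
    location = factories.LocationFactory(company=company)
    floor = factories.FloorFactory(location=location)
    with client.session_transaction() as session:
        session["user_id"] = employee.id
    g.user = employee
    factories.TableFactory(floor_id=floor.id, name="Table 01")
    factories.TableFactory(floor_id=floor.id, name="Table 02")
    factories.TableFactory(floor_id=floor.id, name="Table 03")
    # NOTE(review): url_for is given a URL path here, whereas the other
    # url_for calls in this listing pass an endpoint name such as
    # "employee.list" -- confirm which is intended.
    response = client.get(url_for("/tables/"))
    assert response.status_code == HTTPStatus.OK
    assert b"<div><h1>Table 01</h1></div>" in response.data
    assert b"<div><h1>Table 02</h1></div>" in response.data
    assert b"<div><h1>Table 03</h1></div>" in response.data
    # The original chained `... in response.data.count == 3`, which applies
    # `in` to the bound method and raises TypeError; count the occurrences.
    assert response.data.count(b"<div><h1>Table ") == 3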
def test_create(client):
    """
    Test create is okay
    """
    company = factories.CompanyFactory()
    employee = factories.EmployeeFactory(company=company)

    item_name = "Yellow Fedora"
    item_comment = "A yellow fedora that belonged to a hero from a movie"
    form_data = dict(
        name=item_name,
        comment=item_comment,
        company_id=company.id,
        employee_id=employee.id,
    )

    # NOTE(review): no user is written into the session, and company_id and
    # employee_id are taken from the submitted form; whether the view checks
    # them against the caller is not visible here.
    create_response = client.post("/items/create", data=form_data)
    stored = Item.query.filter_by(name="Yellow Fedora").first()

    assert create_response.status_code == HTTPStatus.OK
    assert stored is not None
    assert stored.name == item_name
    assert stored.comment == item_comment
    assert stored.company_id == company.id
    assert stored.employee_id == employee.id
def test_cannot_delete(client, db_session):
    """
    Show 403 - Forbidden when user cannot delete an employee
    """
    # The test writes no user into the session before the request.
    target = factories.EmployeeFactory()

    delete_url = url_for('employee.delete', id=target.id)
    response = client.post(delete_url)

    assert response.status_code == HTTPStatus.FORBIDDEN
def test_delete(client):
    """POST to employee.delete redirects (302) and leaves no Employee rows."""
    # NOTE(review): the test writes no user into the session, so unless the
    # `client` fixture authenticates on its own, this pins that an
    # unauthenticated POST deletes the record -- confirm intended.
    target = factories.EmployeeFactory()

    delete_url = url_for('employee.delete', id=target.id)
    response = client.post(delete_url)

    assert response.status_code == HTTPStatus.FOUND
    remaining = Employee.query.count()
    assert not remaining
def test_can_not_manage_employees_from_different_company(method, clean_app):
    """The current user is denied `method` on an employee of another company."""
    own_company = factories.CompanyFactory()
    current_user = factories.EmployeeFactory(company=own_company)

    foreign_company = factories.CompanyFactory()
    outsider = factories.EmployeeFactory(company=foreign_company)

    flask.g.user = current_user

    granted = has_privilege(
        method=method, resource="employee", employee_id=outsider.id)
    assert not granted
def test_can_access_his_profile(clean_app):
    """A user is granted READ on their own employee record."""
    current_user = factories.EmployeeFactory()
    flask.g.user = current_user

    granted = has_privilege(
        method=Method.READ,
        resource="employee",
        employee_id=flask.g.user.id,
    )
    assert granted