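def test_cannot_change_other_users_password_even_with_their_currpass(self):
        """A non-admin user must not be able to set another user's password.

        Even when the request carries a ``currpass`` field, the
        ``user_edit`` endpoint must answer 403 with "Permission Denied"
        and leave the target account's stored password hash untouched
        (horizontal privilege-escalation check).
        """
        user2 = User(loginname="user2",
                     emailaddress='*****@*****.**',
                     is_admin=False)
        user2.set_password("userpass2")
        user2.save()

        # Act as the ordinary (non-admin) fixture user, not as the target.
        self.login(USERNAME, USERPASS)

        with self.ctx():
            resp = self.client.post(url_for('user_edit', userid=user2.id),
                                    data={
                                        "action": "update",
                                        "newpass": "******",
                                        "conf_newpass": "******",
                                        "currpass": "******"
                                    },
                                    follow_redirects=True)

        self.assertIn("Permission Denied", resp.data)
        # assertEqual rather than the deprecated assertEquals alias.
        self.assertEqual(resp.status_code, 403)

        # Re-read from the database: the stored hash must be the one set above.
        usernow = User.get(id=user2.id)
        self.assertEqual(usernow.passwordhash, user2.passwordhash)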
    def test_normal_user_cannot_set_other_to_admin(self):
        """A non-admin user must not be able to grant admin to another user.

        The update must be refused with 403 and the target's ``is_admin``
        flag must still compare equal to False when re-read from the
        database.
        """
        target = User(loginname="user2",
                      emailaddress='*****@*****.**',
                      is_admin=False)
        target.set_password("userpass2")
        target.save()

        # Log in as the ordinary fixture user and try to escalate the target.
        self.login(USERNAME, USERPASS)
        response = self.post_update_request(userid=target.id, is_admin=True)
        self.assertEqual(response.status_code, 403)

        # Trust the persisted row, not the in-memory object.
        reloaded = User.get(id=target.id)
        self.assertEqual(reloaded.is_admin, False)
    def test_normal_user_cannot_set_other_to_admin(self):
        """Refuse an is_admin=True update sent by a non-admin for another user.

        Expects a 403 response and an unchanged (False) ``is_admin`` on the
        target account after the request.
        """
        other = User(loginname="user2",
                     emailaddress='*****@*****.**',
                     is_admin=False)
        other.set_password("userpass2")
        other.save()

        self.login(USERNAME, USERPASS)
        # The helper posts the update form; is_admin=True is the escalation.
        attempt = self.post_update_request(userid=other.id, is_admin=True)

        self.assertEqual(attempt.status_code, 403)

        persisted = User.get(id=other.id)
        self.assertEqual(persisted.is_admin, False)
class BasicUsersTestCase(StreetSignTestCase):
    """Fixture: one ordinary user and one admin, persisted before each test.

    ``self.user`` logs in with USERNAME/USERPASS and ``self.admin`` with
    ADMINNAME/ADMINPASS; subclasses build their scenarios on these two
    accounts.
    """

    def _make_user(self, loginname, password, is_admin):
        """Create, password-protect and save one User; return it."""
        account = User(loginname=loginname,
                       emailaddress='*****@*****.**',
                       is_admin=is_admin)
        account.set_password(password)
        account.save()
        return account

    def setUp(self):
        super(BasicUsersTestCase, self).setUp()
        # Ordinary user first, then the admin (same order as before).
        self.user = self._make_user(USERNAME, USERPASS, False)
        self.admin = self._make_user(ADMINNAME, ADMINPASS, True)
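class BasicUsersTestCase(StreetSignTestCase):
    """Fixture and authorization tests for user creation and ``user_edit``.

    setUp persists one ordinary user (USERNAME/USERPASS) and one admin
    (ADMINNAME/ADMINPASS). The tests check that creating an account with
    an existing loginname is refused without touching the existing account,
    and that a non-admin cannot rewrite another user's password.
    """

    def setUp(self):
        super(BasicUsersTestCase, self).setUp()
        self.user = User(loginname=USERNAME,
                         emailaddress='*****@*****.**',
                         is_admin=False)
        self.user.set_password(USERPASS)
        self.user.save()

        self.admin = User(loginname=ADMINNAME,
                          emailaddress='*****@*****.**',
                          is_admin=True)
        self.admin.set_password(ADMINPASS)
        self.admin.save()

    # NOTE: this test was previously defined twice in this class; the second
    # definition silently shadowed the first, so a single copy is kept.
    def test_cannot_have_matching_usernames(self):
        """Creating a user whose loginname already exists must be refused.

        The pre-existing "user2" account must survive the attempt with its
        password hash unchanged, i.e. the create path must neither delete
        nor overwrite an existing login.
        """
        user2 = User(loginname='user2',
                     emailaddress='*****@*****.**',
                     is_admin=False)
        user2.set_password(USERPASS)
        user2.save()

        # if this get works, then the user exists:
        usernow = User.get(loginname="user2")
        self.assertEqual(user2.id, usernow.id)

        self.login(ADMINNAME, ADMINPASS)
        # No loginname is passed here, so post_create_request presumably
        # defaults it to 'user2' -- confirm against the helper.
        resp = self.post_create_request(currpass=ADMINPASS,
                                        newpass='******',
                                        conf_newpass='******')
        self.assertIn("Username already exists", resp.data)

        # and just make sure we didn't delete them, or set their password...
        usernew = User.get(loginname="user2")
        self.assertEqual(usernow.passwordhash, usernew.passwordhash)

    def test_cannot_change_other_users_password_even_with_their_currpass(self):
        """A non-admin user must not be able to set another user's password.

        Even with a ``currpass`` field in the form, ``user_edit`` must answer
        403 with "Permission Denied" and leave the target's stored password
        hash untouched (horizontal privilege-escalation check).
        """
        user2 = User(loginname="user2",
                     emailaddress='*****@*****.**',
                     is_admin=False)
        user2.set_password("userpass2")
        user2.save()

        # Act as the ordinary (non-admin) fixture user, not as the target.
        self.login(USERNAME, USERPASS)

        with self.ctx():
            resp = self.client.post(url_for('user_edit', userid=user2.id),
                                    data={"action": "update",
                                          "newpass": "******",
                                          "conf_newpass": "******",
                                          "currpass": "******"},
                                    follow_redirects=True)

        self.assertIn("Permission Denied", resp.data)
        # assertEqual rather than the deprecated assertEquals alias.
        self.assertEqual(resp.status_code, 403)

        # Re-read from the database: the stored hash must be the one set above.
        usernow = User.get(id=user2.id)
        self.assertEqual(usernow.passwordhash, user2.passwordhash)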
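class DeletingUsers(BasicUsersTestCase):
    ''' Only admin can delete users, and not themselves. '''

    def setUp(self):
        """Add a third account, ``self.user2``, as the default delete target."""
        super(DeletingUsers, self).setUp()

        self.user2 = User(loginname='user2',
                          emailaddress='*****@*****.**',
                          is_admin=False)
        self.user2.set_password(USERPASS)
        self.user2.save()

    def post_delete_request(self, userid=False, **kwargs):
        """Send DELETE to ``user_edit`` for *userid* and return the response.

        ``userid`` defaults to ``self.user2.id``. Keyword arguments become
        the request body. The sentinel is tested by identity (``is False``)
        so that a numeric id of 0 is never mistaken for "no id given", which
        ``== False`` would do.
        """
        data = dict(kwargs)

        if userid is False:
            userid = self.user2.id

        with self.ctx():
            return self.client.delete(url_for('user_edit', userid=userid),
                                      data=data,
                                      follow_redirects=True)

    def test_logged_out_cannot_delete_user(self):
        """Anonymous DELETE is refused with 403 and the target still exists."""
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        # User.get raises User.DoesNotExist if the row is gone, failing the test.
        User.get(id=self.user2.id)

    def test_normal_user_cannot_delete_user(self):
        """A non-admin cannot delete another ordinary user (403)."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        User.get(id=self.user2.id)

    def test_normal_user_cannot_delete_self(self):
        """A non-admin cannot delete their own account (403)."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.user.id)
        self.assertEqual(resp.status_code, 403)

        User.get(id=self.user.id)

    def test_normal_user_cannot_delete_admin(self):
        """A non-admin cannot delete the admin account (403)."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        self.assertEqual(resp.status_code, 403)

        User.get(id=self.admin.id)

    def test_admin_can_delete_user(self):
        """An admin can delete an ordinary user; the row is gone afterwards."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 200)

        with self.assertRaises(User.DoesNotExist):
            User.get(id=self.user2.id)

    def test_admin_cannot_delete_self(self):
        """An admin deleting their own account is refused with a message.

        Only the message is pinned; the status code for this case is not
        asserted here.
        """
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        self.assertIn("You cannot delete yourself", resp.data)

        User.get(id=self.admin.id)

    def test_admin_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id yields 404 for an admin."""
        self.login(ADMINNAME, ADMINPASS)
        # Assumes no fixture account has id 200 (setUp creates three).
        resp = self.post_delete_request(userid=200)
        self.assertEqual(resp.status_code, 404)

    def test_normal_user_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id yields 404 for a non-admin too."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=200)
        self.assertEqual(resp.status_code, 404)

    # NOTE: this name lacks the ``test_`` prefix, so the unittest runner does
    # not collect it; it is a placeholder until the post-cascade check is
    # written.
    def when_user_deleted_posts_also_deleted(self):
        self.login(ADMINNAME, ADMINPASS)
        # TODO
        pass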
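class DeletingUsers(BasicUsersTestCase):
    ''' Only admin can delete users, and not themselves. '''

    def setUp(self):
        """Persist ``self.user2``, the account the delete tests target by default."""
        super(DeletingUsers, self).setUp()

        self.user2 = User(loginname='user2',
                          emailaddress='*****@*****.**',
                          is_admin=False)
        self.user2.set_password(USERPASS)
        self.user2.save()

    def post_delete_request(self, userid=False, **kwargs):
        """Issue DELETE against ``user_edit`` for *userid*; return the response.

        Without an explicit ``userid`` the request targets ``self.user2``.
        Extra keyword arguments are sent as the request body. The default
        is detected with ``is False`` rather than ``== False`` so an id of
        0 is passed through unchanged.
        """
        data = dict(kwargs)

        if userid is False:
            userid = self.user2.id

        with self.ctx():
            return self.client.delete(url_for('user_edit', userid=userid),
                                      data=data,
                                      follow_redirects=True)

    def test_logged_out_cannot_delete_user(self):
        """Anonymous DELETE is refused with 403 and the target still exists."""
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        # User.get raises User.DoesNotExist if the row is gone, failing the test.
        User.get(id=self.user2.id)

    def test_normal_user_cannot_delete_user(self):
        """A non-admin cannot delete another ordinary user (403)."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 403)
        User.get(id=self.user2.id)

    def test_normal_user_cannot_delete_self(self):
        """A non-admin cannot delete their own account (403)."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.user.id)
        self.assertEqual(resp.status_code, 403)

        User.get(id=self.user.id)

    def test_normal_user_cannot_delete_admin(self):
        """A non-admin cannot delete the admin account (403)."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        self.assertEqual(resp.status_code, 403)

        User.get(id=self.admin.id)

    def test_admin_can_delete_user(self):
        """An admin can delete an ordinary user; the row is gone afterwards."""
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request()
        self.assertEqual(resp.status_code, 200)

        with self.assertRaises(User.DoesNotExist):
            User.get(id=self.user2.id)

    def test_admin_cannot_delete_self(self):
        """An admin deleting their own account is refused with a message.

        Only the message is pinned; the status code for this case is not
        asserted here.
        """
        self.login(ADMINNAME, ADMINPASS)
        resp = self.post_delete_request(userid=self.admin.id)
        self.assertIn("You cannot delete yourself", resp.data)

        User.get(id=self.admin.id)

    def test_admin_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id yields 404 for an admin."""
        self.login(ADMINNAME, ADMINPASS)
        # Assumes no fixture account has id 200 (setUp creates three).
        resp = self.post_delete_request(userid=200)
        self.assertEqual(resp.status_code, 404)

    def test_normal_user_cannot_delete_nonexistant_user(self):
        """Deleting an unknown id yields 404 for a non-admin too."""
        self.login(USERNAME, USERPASS)
        resp = self.post_delete_request(userid=200)
        self.assertEqual(resp.status_code, 404)

    # NOTE: this name lacks the ``test_`` prefix, so the unittest runner does
    # not collect it; it is a placeholder until the post-cascade check is
    # written.
    def when_user_deleted_posts_also_deleted(self):
        self.login(ADMINNAME, ADMINPASS)
        # TODO
        pass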