def test_uwp_patch_other(self):
"""User with proper perms can patch other user."""
password = "******"
new_password = "******"
user = factories.UserFactory(permission_codes=["users.change_user"])
other_user = factories.UserFactory()
self.auth(user)
data = {
"data":
self.schema.get_data(id=other_user.id,
current_password=password,
password=new_password)
}
response = self.patch(
f"/{self.resource_name}/{other_user.pk}/",
data=data,
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(),
)
json = response.json()
# check parameters are correct
self.assertEqual(json["data"]["id"], str(other_user.pk))
self.assertEqual(json["data"]["attributes"]["email"], other_user.email)
# check password was successfully updated
other_user.refresh_from_db()
self.assertTrue(other_user.check_password(new_password))
def test_uwp_get_other(self):
"""User with perms can get other users."""
user = factories.UserFactory(permission_codes=["users.view_user"])
other_user = factories.UserFactory()
self.auth(user)
response = self.get(
f"/{self.resource_name}/{other_user.pk}/",
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(),
)
json = response.json()
# check parameters are correct
self.assertEqual(json["data"]["id"], str(other_user.pk))
self.assertEqual(json["data"]["attributes"]["email"], other_user.email)
def test_user_delete_token(self):
"""User can delete token."""
email = "*****@*****.**"
password = "******"
factories.UserFactory(email=email, password=password)
data = {"data": self.schema.get_data(email=email, password=password)}
token = self.post(
f"/{self.resource_name}/",
data=data,
asserted_status=status.HTTP_201_CREATED,
asserted_schema=self.schema.get_matcher(),
).json()["data"]["attributes"]["token"]
self.client.credentials( # pylint: disable=no-member
HTTP_AUTHORIZATION=f"Token {token}")
self.get(
f"/{self.resource_name}/",
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(many=True,
exclude=["token"]),
)
# delete the token (logout)
self.delete(f"/{self.resource_name}/",
asserted_status=status.HTTP_204_NO_CONTENT)
# check the token is no longer valid
self.get(f"/{self.resource_name}/",
asserted_status=status.HTTP_401_UNAUTHORIZED)
def test_user_delete_keep_token(self):
"""User can delete session and token persists."""
email = "*****@*****.**"
password = "******"
user = factories.UserFactory(email=email, password=password)
data = {"data": self.schema.get_data(email=email, password=password)}
token = self.post(
f"/{self.resource_name}/",
data=data,
asserted_status=status.HTTP_201_CREATED,
asserted_schema=self.schema.get_matcher(),
).json()["data"]["attributes"]["token"]
self.auth(user)
self.get(
f"/{self.resource_name}/",
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(many=True,
exclude=["token"]),
)
# logout - i.e. flush the session
self.delete(f"/{self.resource_name}/",
asserted_status=status.HTTP_204_NO_CONTENT)
self.auth(None)
# check client is not currently authed
self.get(f"/{self.resource_name}/",
asserted_status=status.HTTP_401_UNAUTHORIZED)
# check the token is still valid
self.client.credentials( # pylint: disable=no-member
HTTP_AUTHORIZATION=f"Token {token}")
self.get(
f"/{self.resource_name}/",
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(many=True,
exclude=["token"]),
)
def test_anon_delete(self):
"""Unauthenticated user cannot delete."""
user = factories.UserFactory()
response = self.delete(
f"/{self.resource_name}/{user.pk}/",
asserted_status=status.HTTP_405_METHOD_NOT_ALLOWED,
)
json = response.json()
# check has correct error
self.assertHasError(json, "data", 'Method "DELETE" not allowed.')
def test_user_delete_self(self):
"""User cannot delete self."""
user = factories.UserFactory(permission_codes=["users.delete_user"])
self.auth(user)
response = self.delete(
f"/{self.resource_name}/{user.pk}/",
asserted_status=status.HTTP_405_METHOD_NOT_ALLOWED,
)
json = response.json()
# check has correct error
self.assertHasError(json, "data", 'Method "DELETE" not allowed.')
def test_user_get_self(self):
"""User can get own user."""
user = factories.UserFactory()
self.auth(user)
response = self.get(
f"/{self.resource_name}/{user.pk}/",
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(),
)
json = response.json()
# check parameters are correct
self.assertEqual(json["data"]["id"], str(user.pk))
self.assertEqual(json["data"]["attributes"]["email"], user.email)
def test_user_create(self):
"""User cannot create user."""
user = factories.UserFactory()
self.auth(user)
email = "*****@*****.**"
password = "******"
data = {"data": self.schema.get_data(email=email, password=password)}
response = self.post(
f"/{self.resource_name}/",
data=data,
asserted_status=status.HTTP_403_FORBIDDEN,
)
json = response.json()
# check email is correct
self.assertHasError(json, "data", "You cannot create users.")
def test_anon_create(self):
"""Unauthenticated user can create session."""
email = "*****@*****.**"
password = "******"
user = factories.UserFactory(email=email, password=password)
data = {"data": self.schema.get_data(email=email, password=password)}
response = self.post(
f"/{self.resource_name}/",
data=data,
asserted_status=status.HTTP_201_CREATED,
asserted_schema=self.schema.get_matcher(),
)
json = response.json()
# check parameters are correct
self.assertIn("token", json["data"]["attributes"])
self.assertEqual(json["data"]["relationships"]["user"]["data"]["id"],
str(user.pk))
def test_user_get_own(self):
"""User can get own session."""
email = "*****@*****.**"
password = "******"
user = factories.UserFactory(email=email, password=password)
self.auth(user)
response = self.get(
f"/{self.resource_name}/",
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(many=True,
exclude=["token"]),
)
json = response.json()
# check there is one instance in the json
self.assertEqual(len(json["data"]), 1)
session = json["data"][0]
# check parameters are correct
self.assertNotIn("token", session["attributes"])
self.assertEqual(session["relationships"]["user"]["data"]["id"],
str(user.pk))
def test_current_password_correct(self):
"""User cannot change own password without correct current password."""
new_password = "******"
user = factories.UserFactory()
self.auth(user)
data = {
"data":
self.schema.get_data(id=user.id,
current_password="******",
password=new_password)
}
response = self.patch(
f"/{self.resource_name}/{user.pk}/",
data=data,
asserted_status=status.HTTP_400_BAD_REQUEST,
)
json = response.json()
# check has correct error
self.assertHasError(json, "current_password",
"Your current password is incorrect.")
def test_current_password_required(self):
"""User cannot change own password without current password."""
password = "******"
new_password = "******"
user = factories.UserFactory(password=password)
self.auth(user)
data = {
"data": self.schema.get_data(id=user.id, password=new_password)
}
response = self.patch(
f"/{self.resource_name}/{user.pk}/",
data=data,
asserted_status=status.HTTP_400_BAD_REQUEST,
)
json = response.json()
# check has correct error
self.assertHasError(
json,
"current_password",
"This field is required when changing your password.",
)
def test_include_user(self):
"""User cannot be included in compound document."""
email = "*****@*****.**"
password = "******"
factories.UserFactory(email=email, password=password)
data = {"data": self.schema.get_data(email=email, password=password)}
token_json = self.post(f"/{self.resource_name}/", data=data).json()
token = token_json["data"]["attributes"]["token"]
# check the token is valid
self.client.credentials( # pylint: disable=no-member
HTTP_AUTHORIZATION=f"Token {token}")
request = self.get(
f"/{self.resource_name}/?include=user",
asserted_status=status.HTTP_400_BAD_REQUEST,
)
json = request.json()
# check has correct error
self.assertHasError(
json,
"data",
"This endpoint does not support the include parameter for path user",
)
def test_user_patch_password(self):
"""User can change their own password."""
password = "******"
new_password = "******"
user = factories.UserFactory(email="*****@*****.**",
password=password)
self.auth(user)
data = {
"data":
self.schema.get_data(id=user.id,
current_password=password,
password=new_password)
}
self.patch(
f"/{self.resource_name}/{user.pk}/",
data=data,
asserted_status=status.HTTP_200_OK,
asserted_schema=self.schema.get_matcher(),
)
# check password was successfully updated
user.refresh_from_db()
self.assertTrue(user.check_password(new_password))
def test_user_delete_other(self):
"""User cannot delete other user."""
user = factories.UserFactory()
self.auth(user)
self.test_anon_delete()
def test_uwp_delete_other(self):
"""User with perms cannot delete other user."""
user = factories.UserFactory(permission_codes=["users.delete_user"])
self.auth(user)
self.test_anon_delete()
def test_uwp_create(self):
"""Users with perms can create users."""
user = factories.UserFactory(permission_codes=["users.add_user"])
self.auth(user)
self.test_anon_create()