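def test_creating_new_unqualified_users_without_edit_qualifications(
    client, app, test_user, auth
):
    """Create a user with no qualifications as a creator lacking edit_qualifications.

    User 1 first loses ``edit_qualifications`` (presumably the "test" account
    that logs in below; confirm against the fixtures). The request asks for a
    new account with an empty qualification list and no
    ``edit_qualifications`` permission, and must succeed. The response must
    not echo the password.
    """
    # Remove the permission in the database before logging in.
    with app.app_context():
        user = User.query.get(1)
        user.edit_qualifications = False
        db.session.commit()

    auth.login("test")
    test_user.update({
        # Must be the username asserted on the response below.
        "username": "a_new_user",
        "password": "******",
        "edit_qualifications": False,
        "qualifications": [],
    })
    response = client.post("/api/v1/users", json=test_user)

    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "a_new_user"
    assert response.json["qualifications"] == []
    assert not response.json["edit_qualifications"]
    # The API must never return the credential it was given.
    assert "password" not in response.json

    # Exactly one account was stored, and its password is the submitted one.
    with app.app_context():
        assert count_users_with_name(test_user["username"]) == 1
        assert is_password_correct(test_user["username"], test_user["password"])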
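def test_create_user_command(runner, app):
    """Run the ``create-user`` CLI command and check the stored account.

    The flags use mixed boolean spellings (``no``, ``1``, ``false``, ``0``)
    and both ``--flag value`` and ``--flag=value`` forms. The assertions pin
    how each one must be interpreted.
    """
    # NOTE(review): the command accepts the password as an argument. On a real
    # host argv can show up in process listings and shell history, so an
    # interactive prompt option may be worth offering. Confirm what the CLI
    # supports.
    result = runner.invoke(args=[
        "create-user",
        "--username", "test2",
        "--password", "123456",
        "--create-users", "no",
        "--update-users=1",
        "--edit-qualifications", "false",
        "--create-items=0",
        "--manage-checkouts=1",
    ])
    assert "Created user" in result.output

    with app.app_context():
        # Look up the account under the username passed to the command.
        user = User.query.filter_by(username="test2").first()
        assert user is not None
        assert is_password_correct("test2", "123456")
        # Only the permissions switched on above may be set.
        assert not user.create_users
        assert user.update_users
        assert not user.edit_qualifications
        assert not user.create_items
        assert user.manage_checkouts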
def test_updating_user_permissions_subset(client, app, test_user, auth):
    """Update user 1 with permissions that are a subset of the editor's own.

    ``edit_qualifications`` is removed from user 1 first. The update then
    requests neither ``edit_qualifications`` nor ``update_users`` and must be
    accepted, with the new password stored and never echoed back.
    """
    with app.app_context():
        editor = User.query.get(1)
        editor.edit_qualifications = False
        db.session.commit()

    auth.login("test")
    test_user["password"] = "******"
    test_user["edit_qualifications"] = False
    test_user["update_users"] = False
    resp = client.put("/api/v1/users/1", json=test_user)

    assert resp.status_code == 200
    assert resp.is_json
    body = resp.json
    assert body["username"] == "test"
    expected_qualifications = [{"id": 1, "name": "Driver's License"}]
    assert body["qualifications"] == expected_qualifications
    assert not body["update_users"]
    assert not body["edit_qualifications"]
    # The credential must not be returned to the caller.
    assert "password" not in body

    # The database must reflect the reduced permissions and the new password.
    with app.app_context():
        stored = User.query.get(1)
        assert not stored.edit_qualifications
        assert not stored.update_users
        assert is_password_correct(test_user["username"], test_user["password"])
def test_updating_user_unauthenticated(client, app, test_user):
    """Reject a user update sent without logging in, leaving the account intact.

    No ``auth.login`` call is made. The API must answer 403 with reason
    ``authentication_required``, and the submitted password must not have
    been stored.
    """
    test_user.update({"password": "******"})
    resp = client.put("/api/v1/users/1", json=test_user)

    assert resp.status_code == 403
    assert resp.is_json
    body = resp.json
    assert body["reason"] == "authentication_required"

    # A rejected request must have no side effect on the stored account.
    with app.app_context():
        name = test_user["username"]
        assert count_users_with_name(name) == 1
        assert not is_password_correct(name, test_user["password"])
def test_creating_existing_user(client, app, test_user, auth):
    """Reject creating a user whose username already exists.

    The API must answer 400 with reason ``user_exists``. It must neither
    create a second row nor overwrite the existing account's password with
    the submitted one.
    """
    auth.login("test")
    test_user["password"] = "******"
    resp = client.post("/api/v1/users", json=test_user)

    assert resp.status_code == 400
    assert resp.is_json
    body = resp.json
    assert body["reason"] == "user_exists"

    # The existing account is still the only one and keeps its old password.
    with app.app_context():
        name = test_user["username"]
        assert count_users_with_name(name) == 1
        assert not is_password_correct(name, test_user["password"])
def test_updating_user_with_insufficient_permissions(client, app, test_user, auth):
    """Reject an update of user 1 made by ``min_permissions_user``.

    The API must answer 403 with reason ``insufficient_permissions``, and the
    target account's password must remain unchanged.
    """
    auth.login("min_permissions_user")
    test_user.update({"password": "******"})
    resp = client.put("/api/v1/users/1", json=test_user)

    assert resp.status_code == 403
    assert resp.is_json
    body = resp.json
    assert body["reason"] == "insufficient_permissions"

    # The denied request must not have touched the target account.
    with app.app_context():
        name = test_user["username"]
        assert count_users_with_name(name) == 1
        assert not is_password_correct(name, test_user["password"])
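def test_handle_registration_with_valid_toke(client, app):
    """Register a new account through the ``valid`` registration token.

    The request must succeed, create exactly one ``new_user`` account with
    the submitted password, and consume the token so it cannot be used again.
    """
    response = client.post(
        "/api/v1/registration/valid",
        # These credentials are the ones checked with is_password_correct below.
        json={
            "username": "new_user",
            "password": "abc",
            "repeat_password": "abc",
        },
    )

    assert response.status_code == 200
    assert response.is_json
    assert response.json["success"]

    with app.app_context():
        assert User.query.filter_by(username="new_user").count() == 1
        # The token is single-use: it must be gone after a registration.
        assert RegistrationToken.query.filter_by(token="valid").count() == 0
        assert is_password_correct("new_user", "abc")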
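def test_handle_registration_with_existing_user(client, app):
    """Register with a username that is already taken.

    The response must be indistinguishable from a successful registration
    (same status and ``success`` flag), the token must still be consumed, and
    the existing account must keep its password.

    NOTE(review): only the status code and the ``success`` flag are compared.
    Other observable differences between the two cases, such as response
    time, are not covered by this test.
    """
    response = client.post(
        "/api/v1/registration/valid",
        # The existing "test" account and the password that the last assertion
        # checks was NOT applied. Confirm against the fixtures.
        json={
            "username": "test",
            "password": "abc",
            "repeat_password": "abc",
        },
    )

    # Need to return the same as with new user to avoid user enumeration
    assert response.status_code == 200
    assert response.is_json
    assert response.json["success"]

    with app.app_context():
        # No duplicate row was created for the taken username.
        assert User.query.filter_by(username="test").count() == 1
        assert RegistrationToken.query.filter_by(token="valid").count() == 0
        # The existing account's password was not overwritten.
        assert not is_password_correct("test", "abc")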
def test_updating_user_permissions_not_subset(client, app, test_user, auth):
    """Reject an update that requests permissions the editor does not hold.

    ``edit_qualifications`` is removed from user 1 first. The ``test_user``
    payload is sent otherwise unmodified (presumably it still asks for that
    permission; confirm against the fixture). The API must answer 403 with
    reason ``permissions_not_subset`` and leave permissions and password
    unchanged.
    """
    with app.app_context():
        editor = User.query.get(1)
        editor.edit_qualifications = False
        db.session.commit()

    auth.login("test")
    test_user["password"] = "******"
    resp = client.put("/api/v1/users/1", json=test_user)

    assert resp.status_code == 403
    assert resp.is_json
    body = resp.json
    assert body["reason"] == "permissions_not_subset"

    # The rejected request must not have granted the permission or set the password.
    with app.app_context():
        stored = User.query.get(1)
        assert not stored.edit_qualifications
        assert not is_password_correct(test_user["username"], test_user["password"])
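def test_updating_user_except_password(client, app, test_user, auth):
    """Rename user 1 without sending a password and keep the old password.

    The ``password`` key is removed from the payload. The update must succeed,
    the account must exist only under the new name, and the previous password
    ("test") must still be valid.
    """
    auth.login("test")
    # Must be the username asserted on the response below.
    test_user["username"] = "test_1"
    del test_user["password"]
    response = client.put("/api/v1/users/1", json=test_user)

    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "test_1"
    assert response.json["qualifications"] == [{
        "id": 1,
        "name": "Driver's License"
    }]
    assert response.json["update_users"]
    assert "password" not in response.json

    with app.app_context():
        # The old name is gone and the new one exists exactly once.
        assert count_users_with_name("test") == 0
        assert count_users_with_name(test_user["username"]) == 1
        # Omitting the password must not reset or clear it.
        assert is_password_correct(test_user["username"], "test")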
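def test_creating_new_users(client, app, test_user, auth):
    """Create a new user as "test" and check the response and the stored row.

    The response must describe the new account without echoing its password.
    The database must hold exactly one such user with the submitted password
    and the "Driver's License" qualification.
    """
    auth.login("test")
    # The username must be the one asserted on the response below.
    test_user.update({"username": "a_new_user", "password": "******"})
    response = client.post("/api/v1/users", json=test_user)

    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "a_new_user"
    assert response.json["qualifications"] == [{
        "id": 1,
        "name": "Driver's License"
    }]
    assert response.json["update_users"]
    # The API must never return the credential it was given.
    assert "password" not in response.json

    with app.app_context():
        assert count_users_with_name(test_user["username"]) == 1
        assert is_password_correct(test_user["username"], test_user["password"])
        user = User.query.filter_by(username=test_user["username"]).first()
        assert user.qualifications[0].id == 1
        assert user.qualifications[0].name == "Driver's License"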
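def test_update_self_password(client, app, auth):
    """Let ``min_permissions_user`` change its own password via ``/users/me``.

    Every permission in the payload is False, so the request asks for no
    permissions. The update must succeed, must not echo the password, and
    must store the new one.
    """
    auth.login("min_permissions_user")
    response = client.put(
        "/api/v1/users/me",
        json={
            "id": 2,
            # Username and password match the values asserted below.
            "username": "min_permissions_user",
            "password": "a_new_password",
            "create_users": False,
            "update_users": False,
            "edit_qualifications": False,
            "create_items": False,
            "manage_checkouts": False,
            "qualifications": [],
        },
    )

    assert response.status_code == 200
    assert response.is_json
    assert response.json["username"] == "min_permissions_user"
    assert "password" not in response.json

    with app.app_context():
        assert is_password_correct("min_permissions_user", "a_new_password")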