def test_one_user_group_read_only(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.set_users([u.id])
g.save()
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Read', group=g)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
def test_one_user_group_write_and_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.save()
g.set_users([u.id])
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Write', group=g)
f.grant('Publish', group=g)
f = Feed.get(id=f.id)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [g])
self.assertEqual(f.publisher_groups(), [g])
self.assertTrue(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def test_cannot_change_other_users_password_even_with_their_currpass(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=user2.id),
data={
"action": "update",
"newpass": "******",
"conf_newpass": "******",
"currpass": "******"
},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
self.assertEquals(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.passwordhash, user2.passwordhash)
def test_one_user_group_write_and_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.save()
g.set_users([u.id])
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Write', group=g)
f.grant('Publish', group=g)
f = Feed.get(id=f.id)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [g])
self.assertEqual(f.publisher_groups(), [g])
self.assertTrue(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def test_one_user_group_read_only(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
g = Group(name='usergroup')
g.set_users([u.id])
g.save()
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
f.grant('Read', group=g)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertFalse(f.user_can_publish(u))
def test_user_with_no_perms(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
self.assertEqual(u.writeable_feeds(), [])
def test_user_with_no_perms(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
self.assertEqual(u.writeable_feeds(), [])
def test_user_with_one_feed(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
f.grant('Write', user=u)
self.assertEqual(u.writeable_feeds(), [f])
def test_user_with_one_feed(self):
u = User(passwordhash='123')
f = Feed()
u.save()
f.save()
f.grant('Write', user=u)
self.assertEqual(u.writeable_feeds(), [f])
class BasicUsersTestCase(StreetSignTestCase):
def setUp(self):
super(BasicUsersTestCase, self).setUp()
self.user = User(loginname=USERNAME,
emailaddress='*****@*****.**',
is_admin=False)
self.user.set_password(USERPASS)
self.user.save()
self.admin = User(loginname=ADMINNAME,
emailaddress='*****@*****.**',
is_admin=True)
self.admin.set_password(ADMINPASS)
self.admin.save()
def test_user_with_one_feed_via_group(self):
u = User(passwordhash='123')
g = Group(name='group_with_a_name')
f = Feed()
u.save()
f.save()
g.save()
g.set_users([u.id])
f.grant('Write', group=g)
self.assertEqual(u.writeable_feeds(), [f])
def test_user_with_one_feed_via_group(self):
u = User(passwordhash='123')
g = Group(name='group_with_a_name')
f = Feed()
u.save()
f.save()
g.save()
g.set_users([u.id])
f.grant('Write', group=g)
self.assertEqual(u.writeable_feeds(), [f])
def test_normal_user_cannot_set_other_to_admin(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=user2.id, is_admin=True)
self.assertEqual(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.is_admin, False)
def test_normal_user_cannot_set_other_to_admin(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
resp = self.post_update_request(userid=user2.id, is_admin=True)
self.assertEqual(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.is_admin, False)
class BasicUsersTestCase(StreetSignTestCase):
def setUp(self):
super(BasicUsersTestCase, self).setUp()
self.user = User(loginname=USERNAME,
emailaddress='*****@*****.**',
is_admin=False)
self.user.set_password(USERPASS)
self.user.save()
self.admin = User(loginname=ADMINNAME,
emailaddress='*****@*****.**',
is_admin=True)
self.admin.set_password(ADMINPASS)
self.admin.save()
def test_one_user_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
f.grant('Publish', user=u)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [u])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def test_one_user_publish(self):
f = Feed(name='123')
f.save()
u = User(passwordhash='123')
u.save()
f.grant('Publish', user=u)
self.assertEqual(f.authors(), [])
self.assertEqual(f.publishers(), [u])
self.assertEqual(f.author_groups(), [])
self.assertEqual(f.publisher_groups(), [])
self.assertFalse(f.user_can_write(u))
self.assertTrue(f.user_can_publish(u))
def test_cannot_have_matching_usernames(self):
user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password(USERPASS)
user2.save()
# if this get works, then the user exists:
usernow = User.get(loginname="user2")
self.assertEqual(user2.id, usernow.id)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******', conf_newpass='******')
self.assertIn("Username already exists", resp.data)
# and just make sure we didn't delete them, or set their password...
usernew = User.get(loginname="user2")
self.assertEqual(usernow.passwordhash, usernew.passwordhash)
def test_cannot_have_matching_usernames(self):
user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password(USERPASS)
user2.save()
# if this get works, then the user exists:
usernow = User.get(loginname="user2")
self.assertEqual(user2.id, usernow.id)
self.login(ADMINNAME, ADMINPASS)
resp = self.post_create_request(currpass=ADMINPASS,
newpass='******',
conf_newpass='******')
self.assertIn("Username already exists", resp.data)
# and just make sure we didn't delete them, or set their password...
usernew = User.get(loginname="user2")
self.assertEqual(usernow.passwordhash, usernew.passwordhash)
def test_cannot_change_other_users_password_even_with_their_currpass(self):
user2 = User(loginname="user2",
emailaddress='*****@*****.**',
is_admin=False)
user2.set_password("userpass2")
user2.save()
self.login(USERNAME, USERPASS)
with self.ctx():
resp = self.client.post(url_for('user_edit', userid=user2.id),
data={"action":"update",
"newpass": "******",
"conf_newpass": "******",
"currpass": "******"},
follow_redirects=True)
self.assertIn("Permission Denied", resp.data)
self.assertEquals(resp.status_code, 403)
usernow = User.get(id=user2.id)
self.assertEqual(usernow.passwordhash, user2.passwordhash)
class DeletingUsers(BasicUsersTestCase):
''' Only admin can delete users, and not themselves. '''
def setUp(self):
super(DeletingUsers, self).setUp()
self.user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
self.user2.set_password(USERPASS)
self.user2.save()
def post_delete_request(self, userid=False, **kwargs):
data = {}
data.update(kwargs)
if userid == False:
userid = self.user2.id
with self.ctx():
return self.client.delete(url_for('user_edit', userid=userid),
data=data,
follow_redirects=True)
def test_logged_out_cannot_delete_user(self):
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 403)
User.get(id=self.user2.id)
def test_normal_user_cannot_delete_user(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 403)
User.get(id=self.user2.id)
def test_normal_user_cannot_delete_self(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=self.user.id)
self.assertEqual(resp.status_code, 403)
User.get(id=self.user.id)
def test_normal_user_cannot_delete_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertEqual(resp.status_code, 403)
User.get(id=self.admin.id)
def test_admin_can_delete_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 200)
with self.assertRaises(User.DoesNotExist):
User.get(id=self.user2.id)
def test_admin_cannot_delete_self(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertIn("You cannot delete yourself", resp.data)
User.get(id=self.admin.id)
def test_admin_cannot_delete_nonexistant_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request(userid=200)
self.assertEqual(resp.status_code, 404)
def test_normal_user_cannot_delete_nonexistant_user(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=200)
self.assertEqual(resp.status_code, 404)
def when_user_deleted_posts_also_deleted(self):
self.login(ADMINNAME, ADMINPASS)
# TODO
pass
def user_edit(userid=-1):
''' edit one user. Admins can edit any user, but other users
can only edit themselves. if userid is -1, create a new user. '''
try:
current_user = user_session.get_user()
except user_session.NotLoggedIn as e:
flash("Sorry, you're not logged in!")
return permission_denied("You're not logged in!")
userid = int(userid)
if userid != -1:
try:
user = User.get(id=userid)
except User.DoesNotExist:
return not_found(title="User doesn't exist",
message="Sorry, that user does not exist!")
else:
if not current_user.is_admin:
flash('Sorry! Only admins can create new users!')
return permission_denied("Admins only!")
try:
user = User.get(loginname=request.form['loginname'])
return permission_denied("Username already exists!")
except peewee.DoesNotExist:
pass
user = User() #pylint: disable=no-value-for-parameter
if request.method == 'POST':
if current_user != user and not current_user.is_admin:
return permission_denied("Sorry, you may not edit this user.")
update_user(user, request.form, current_user)
# save:
try:
user.save()
if userid == -1:
flash('New user created.')
return redirect(url_for('user_edit', userid=user.id))
else:
flash('Saved')
except peewee.IntegrityError as err:
flash('Cannot Save:' + str(err))
elif request.method == 'DELETE':
if not current_user.is_admin:
return 'Sorry, only admins can delete users', 403
if user.id == current_user.id:
return 'Sorry! You cannot delete yourself!', 403
user.delete_instance(recursive=True)
return 'User: %s deleted. (And all their posts)' % user.displayname
users_posts = Post.select().where(Post.author == user) \
.order_by(Post.write_date.desc()) \
.limit(10)
return render_template('user.html',
allgroups=Group.select(),
posts=users_posts, user=user)
def user_edit(userid=-1):
''' edit one user. Admins can edit any user, but other users
can only edit themselves. if userid is -1, create a new user. '''
try:
current_user = user_session.get_user()
except user_session.NotLoggedIn as e:
flash("Sorry, you're not logged in!")
return permission_denied("You're not logged in!")
userid = int(userid)
if userid != -1:
try:
user = User.get(id=userid)
except User.DoesNotExist:
return not_found(title="User doesn't exist",
message="Sorry, that user does not exist!")
else:
if not current_user.is_admin:
flash('Sorry! Only admins can create new users!')
return permission_denied("Admins only!")
try:
user = User.get(loginname=request.form.get('loginname', ''))
return permission_denied("Username already exists!")
except peewee.DoesNotExist:
pass
user = User() #pylint: disable=no-value-for-parameter
if request.method == 'POST':
if current_user != user and not current_user.is_admin:
return permission_denied("Sorry, you may not edit this user.")
update_user(user, request.form, current_user)
# save:
try:
user.save()
if userid == -1:
flash('New user created.')
return redirect(url_for('user_edit', userid=user.id))
else:
flash('Saved')
except peewee.IntegrityError as err:
flash('Cannot Save:' + str(err))
elif request.method == 'DELETE':
if not current_user.is_admin:
return 'Sorry, only admins can delete users', 403
if user.id == current_user.id:
return 'Sorry! You cannot delete yourself!', 403
user.delete_instance(recursive=True)
return 'User: %s deleted. (And all their posts)' % user.displayname
users_posts = Post.select().where(Post.author == user) \
.order_by(Post.write_date.desc()) \
.limit(10)
return render_template('user.html',
allgroups=Group.select(),
posts=users_posts,
user=user)
class DeletingUsers(BasicUsersTestCase):
''' Only admin can delete users, and not themselves. '''
def setUp(self):
super(DeletingUsers, self).setUp()
self.user2 = User(loginname='user2',
emailaddress='*****@*****.**',
is_admin=False)
self.user2.set_password(USERPASS)
self.user2.save()
def post_delete_request(self, userid=False, **kwargs):
data = {}
data.update(kwargs)
if userid == False:
userid = self.user2.id
with self.ctx():
return self.client.delete(url_for('user_edit', userid=userid),
data=data,
follow_redirects=True)
def test_logged_out_cannot_delete_user(self):
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 403)
User.get(id=self.user2.id)
def test_normal_user_cannot_delete_user(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 403)
User.get(id=self.user2.id)
def test_normal_user_cannot_delete_self(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=self.user.id)
self.assertEqual(resp.status_code, 403)
User.get(id=self.user.id)
def test_normal_user_cannot_delete_admin(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertEqual(resp.status_code, 403)
User.get(id=self.admin.id)
def test_admin_can_delete_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request()
self.assertEqual(resp.status_code, 200)
with self.assertRaises(User.DoesNotExist):
User.get(id=self.user2.id)
def test_admin_cannot_delete_self(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request(userid=self.admin.id)
self.assertIn("You cannot delete yourself", resp.data)
User.get(id=self.admin.id)
def test_admin_cannot_delete_nonexistant_user(self):
self.login(ADMINNAME, ADMINPASS)
resp = self.post_delete_request(userid=200)
self.assertEqual(resp.status_code, 404)
def test_normal_user_cannot_delete_nonexistant_user(self):
self.login(USERNAME, USERPASS)
resp = self.post_delete_request(userid=200)
self.assertEqual(resp.status_code, 404)
def when_user_deleted_posts_also_deleted(self):
self.login(ADMINNAME, ADMINPASS)
# TODO
pass