class TestUserJoin(APITestCase):
"""Test User.join_group"""
def _fixture_setup(self):
super()._fixture_setup()
# needs auth.change_user
self.api_user.is_superuser = True
self.api_user.save()
self.user = UserFactory(username='******',
email='*****@*****.**')
self.group = GroupFactory(name='test_group')
def test_join_normally(self):
self.rpc_client.User.join_group(self.user.username, self.group.name)
self.user.refresh_from_db()
user_added_to_group = self.user.groups.filter(
name=self.group.name).exists()
self.assertTrue(user_added_to_group, 'User should be added to group.')
def test_join_nonexistent_user(self):
with self.assertRaisesRegex(XmlRPCFault,
"User matching query does not exist"):
self.rpc_client.User.join_group('nonexistent user',
self.group.name)
def test_join_nonexistent_group(self):
with self.assertRaisesRegex(XmlRPCFault,
"Group matching query does not exist"):
self.rpc_client.User.join_group(self.user.username,
'nonexistent group name')
class TestUserUpdate(APITestCase):
"""Test User.update"""
def _fixture_setup(self):
super()._fixture_setup()
self.another_user = UserFactory()
self.another_user.set_password('another-password')
self.another_user.save()
self.user_new_attrs = {
'first_name': 'new first name',
'last_name': 'new last name',
'email': 'new email',
}
def setUp(self):
super().setUp()
# clear permissions b/c we set them inside individual tests
self.api_user.user_permissions.all().delete()
def tearDown(self):
super().tearDown()
self.api_user.set_password('api-testing')
self.api_user.save()
def test_update_myself(self):
data = self.rpc_client.User.update(self.api_user.pk,
self.user_new_attrs)
self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
self.assertEqual(data['email'], self.user_new_attrs['email'])
def test_update_myself_without_passing_id(self):
data = self.rpc_client.User.update(None, self.user_new_attrs)
self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
self.assertEqual(data['email'], self.user_new_attrs['email'])
def test_update_other_missing_permission(self):
new_values = {'some_attr': 'xxx'}
with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
self.rpc_client.User.update(self.another_user.pk, new_values)
def test_update_other_with_proper_permission(self):
user_should_have_perm(self.api_user, 'auth.change_user')
data = self.rpc_client.User.update(self.another_user.pk,
self.user_new_attrs)
self.another_user.refresh_from_db()
self.assertEqual(data['first_name'], self.another_user.first_name)
self.assertEqual(data['last_name'], self.another_user.last_name)
self.assertEqual(data['email'], self.another_user.email)
def test_update_own_password(self):
user_new_attrs = self.user_new_attrs.copy()
new_password = '******' # nosec:B105:hardcoded_password_string
user_new_attrs[
'password'] = new_password # nosec:B105:hardcoded_password_string
with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs['old_password'] = '******' # nosec:B105
with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs[
'old_password'] = '******' # nosec:B105:hardcoded_password_string
data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
self.assertTrue('password' not in data)
self.assertEqual(data['first_name'], user_new_attrs['first_name'])
self.assertEqual(data['last_name'], user_new_attrs['last_name'])
self.assertEqual(data['email'], user_new_attrs['email'])
self.api_user.refresh_from_db()
self.assertTrue(self.api_user.check_password(new_password))
def test_update_another_user_password(self):
user_should_have_perm(self.api_user, 'auth.change_user')
user_new_attrs = self.user_new_attrs.copy()
user_new_attrs[
'password'] = '******' # nosec:B105:hardcoded_password_string
with self.assertRaisesRegex(
XmlRPCFault,
'Password updates for other users are not allowed via RPC!'):
self.rpc_client.User.update(self.another_user.pk, user_new_attrs)
class TestUserUpdate(APITestCase):
"""Test User.update"""
def _fixture_setup(self):
super()._fixture_setup()
self.another_user = UserFactory()
self.another_user.set_password("another-password")
self.another_user.save()
self.user_new_attrs = {
"first_name": "new first name",
"last_name": "new last name",
"email": "new email",
}
def setUp(self):
super().setUp()
# clear permissions b/c we set them inside individual tests
self.api_user.user_permissions.all().delete()
def tearDown(self):
super().tearDown()
self.api_user.set_password("api-testing")
self.api_user.save()
def test_update_myself(self):
data = self.rpc_client.User.update(self.api_user.pk,
self.user_new_attrs)
self.assertEqual(data["first_name"], self.user_new_attrs["first_name"])
self.assertEqual(data["last_name"], self.user_new_attrs["last_name"])
self.assertEqual(data["email"], self.user_new_attrs["email"])
def test_update_myself_without_passing_id(self):
data = self.rpc_client.User.update(None, self.user_new_attrs)
self.assertEqual(data["first_name"], self.user_new_attrs["first_name"])
self.assertEqual(data["last_name"], self.user_new_attrs["last_name"])
self.assertEqual(data["email"], self.user_new_attrs["email"])
def test_update_other_missing_permission(self):
new_values = {"some_attr": "xxx"}
with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
self.rpc_client.User.update(self.another_user.pk, new_values)
def test_update_other_with_proper_permission(self):
user_should_have_perm(self.api_user, "auth.change_user")
data = self.rpc_client.User.update(self.another_user.pk,
self.user_new_attrs)
self.another_user.refresh_from_db()
self.assertEqual(data["first_name"], self.another_user.first_name)
self.assertEqual(data["last_name"], self.another_user.last_name)
self.assertEqual(data["email"], self.another_user.email)
def test_update_own_password(self):
user_new_attrs = self.user_new_attrs.copy()
new_password = "******" # nosec:B105:hardcoded_password_string
user_new_attrs["password" # nosec:B105:hardcoded_password_string
] = new_password
with self.assertRaisesRegex(XmlRPCFault, "Old password is required"):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs["old_password"] = "******" # nosec:B105
with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs["old_password" # nosec:B105:hardcoded_password_string
] = "api-testing"
data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
self.assertTrue("password" not in data)
self.assertEqual(data["first_name"], user_new_attrs["first_name"])
self.assertEqual(data["last_name"], user_new_attrs["last_name"])
self.assertEqual(data["email"], user_new_attrs["email"])
self.api_user.refresh_from_db()
self.assertTrue(self.api_user.check_password(new_password))
def test_update_another_user_password(self):
user_should_have_perm(self.api_user, "auth.change_user")
user_new_attrs = self.user_new_attrs.copy()
user_new_attrs["password" # nosec:B105:hardcoded_password_string
] = "new password"
with self.assertRaisesRegex(
XmlRPCFault,
"Password updates for other users are not allowed via RPC!"):
self.rpc_client.User.update(self.another_user.pk, user_new_attrs)
