fixed regression introduced

2021-02-02 11:46:43 +00:00
parent ec584b7aab
commit c8d433c3f9
20 changed files with 377 additions and 237 deletions
--- a/core/tests.py
+++ b/core/tests.py
@@ -15,7 +15,6 @@ from . import models
 from . import factories
 # Create your tests here.

-
 class CustomUserViewSetTest(APITestCase):
    """CustomUser viewset tests
    """
@@ -26,20 +25,24 @@ class CustomUserViewSetTest(APITestCase):
        self.endpoint = '/api/v1/users/'
        self.factory = factories.CustomUserFactory
        self.model = models.CustomUser
+        # create admin user
+        self.admin_email = f"admin_user@mail.com"
+        self.password = ''.join(random.choices(string.ascii_uppercase, k = 10))
+        self.user = self.factory(email=self.admin_email, password=self.password, is_active=True)
        # create regular user
-        self.reg_email = f"user@mail.com"
+        self.reg_email = f"regular_user@mail.com"
        self.password = ''.join(random.choices(string.ascii_uppercase, k = 10))
        self.user = self.factory(email=self.reg_email, password=self.password, is_active=True)

    # anon user
    def test_anon_user_can_create_inactive_instance(self):
        """Not logged-in user can create new instance of User but it's inactive
+            TODO: should create inactive user
        """
        data = {
            'email': 'test@email.com',
            'full_name': 'TEST NAME',
            'password': 'VENTILADORES1234499.89',
-            'provider': 'TWITTER',
        }

        # Query endpoint
@@ -47,11 +50,6 @@ class CustomUserViewSetTest(APITestCase):

        # Assert creation is successful
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        # check for new user instance created
-        self.assertEquals(1, self.model.objects.filter(email=data['email']).count())
-        # assert password has been set
-        new_user =  self.model.objects.get(email=data['email'])
-        self.assertNotEqual('', new_user.password)
        # assert instance is inactive
        info = json.loads(response.content)
        self.assertFalse(info['is_active'])
@@ -106,40 +104,6 @@ class CustomUserViewSetTest(APITestCase):
        # Assert access is forbidden
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

-    def test_regular_user_can_modify_own_instance(self):
-        """Regular user can modify own instance
-        """
-        # Create instance
-        data = {
-            "email": "new_email@mail.com",
-            "full_name": "New Full Name",
-            "password": "SUPERSECRETNEWPASSWORD",
-        }
-
-        # Authenticate
-        token = get_tokens_for_user(self.user)
-        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
-
-        # Query endpoint
-        url = self.endpoint + f'{self.user.pk}/'
-        response = self.client.put(url, data=data, format='json')
-
-        # Assert forbidden code
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-
-        # assert new password hash properly updated
-        # assert fields exist, and data matches
-        updated_user = self.model.objects.get(pk=self.user.id)
-        stored_value = updated_user.__dict__['password']
-        hash_type, iteration, salt, stored_password_hash = stored_value.split('$')
-        new_password_hash = hashlib.pbkdf2_hmac(
-                hash_name='sha256',
-                password=data['password'].encode(),
-                salt=salt.encode(),
-                iterations=int(iteration),
-                )
-        self.assertEqual(stored_password_hash, base64.b64encode(new_password_hash).decode())
-
    def test_regular_user_cannot_modify_existing_instance(self):
        """Regular user cannot modify existing instance
        """
@@ -188,25 +152,6 @@ class CustomUserViewSetTest(APITestCase):
        # Assert access is forbidden
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

-    def test_user_update_password(self):
-        '''Test the modification of PASSWORD field value for an instance of User '''
-        # modify values of alert instance
-        new_password = "updated_super secret password"
-        self.user.set_password(new_password)
-        self.user.save()
-        # get updated intance using PK
-        updated_user = self.model.objects.get(pk=self.user.pk)
-        # assert fields exist, and data matches
-        stored_value = updated_user.__dict__['password']
-        hash_type, iteration, salt, stored_password_hash = stored_value.split('$')
-        new_password_hash = hashlib.pbkdf2_hmac(
-                hash_name='sha256',
-                password=new_password.encode(),
-                salt=salt.encode(),
-                iterations=int(iteration),
-                )
-        self.assertEqual(stored_password_hash, base64.b64encode(new_password_hash).decode())
-
    # admin user
    def test_admin_user_can_create_instance(self):
        """Admin user can create new instance
@@ -288,3 +233,146 @@ class CustomUserViewSetTest(APITestCase):
        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
        # Assert instance doesn't exists anymore on db
        self.assertFalse(self.model.objects.filter(id=instance.pk).exists())
+
+
+class ChangeUserPasswordViewTest(APITestCase):
+
+    def setUp(self):
+        """Tests setup
+        """
+        self.endpoint = '/api/v1/user/update/'
+        self.factory = factories.CustomUserFactory
+        self.model = models.CustomUser
+        # create regular user
+        self.reg_email = f"user@mail.com"
+        self.password = ''.join(random.choices(string.ascii_uppercase, k = 10))
+        self.user = self.factory(email=self.reg_email, is_active=True)
+        self.user.set_password(self.password)
+        self.user.save()
+
+    def test_fail_different_passwords(self):
+        # Create instance
+        data = {
+            "old_password": self.password,
+            "password": "!!!",
+            "password2": "SUPERSECRETNEWPASSWORD",
+        }
+
+        # Authenticate
+        token = get_tokens_for_user(self.user)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
+
+        # Query endpoint
+        url = f'/api/v1/user/change_password/{self.user.pk}/'
+        response = self.client.put(url, data=data, format='json')
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+    def test_fail_wrong_old_password(self):
+        # Create instance
+        data = {
+            "old_password": 'WRONG!!!!',
+            "password": 'SUPERSECRETNEWPASSWORD',
+            "password2": "SUPERSECRETNEWPASSWORD",
+        }
+
+        # Authenticate
+        token = get_tokens_for_user(self.user)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
+
+        # Query endpoint
+        url = f'/api/v1/user/change_password/{self.user.pk}/'
+        response = self.client.put(url, data=data, format='json')
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+
+    def test_auth_user_can_modify_own_password(self):
+        """authenticated user can modify own password
+        """
+        data = {
+            "old_password": self.password,
+            "password": "SUPERSECRETNEWPASSWORD",
+            "password2": "SUPERSECRETNEWPASSWORD",
+        }
+
+        # Authenticate
+        token = get_tokens_for_user(self.user)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
+
+        # Query endpoint
+        url = f'/api/v1/user/change_password/{self.user.pk}/'
+        response = self.client.put(url, data=data, format='json')
+        # Assert forbidden code
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # assert new password hash properly updated
+        # assert fields exist, and data matches
+        updated_user = self.model.objects.get(pk=self.user.id)
+        stored_value = updated_user.__dict__['password']
+        hash_type, iteration, salt, stored_password_hash = stored_value.split('$')
+        new_password_hash = hashlib.pbkdf2_hmac(
+                hash_name='sha256',
+                password=data['password'].encode(),
+                salt=salt.encode(),
+                iterations=int(iteration),
+                )
+        self.assertEqual(stored_password_hash, base64.b64encode(new_password_hash).decode())
+
+
+class UpdateUserViewTest(APITestCase):
+
+    def setUp(self):
+        """Tests setup
+        """
+        self.endpoint = '/api/v1/user/change_password/'
+        self.factory = factories.CustomUserFactory
+        self.model = models.CustomUser
+        # create regular user
+        self.reg_email = f"user@mail.com"
+        self.password = ''.join(random.choices(string.ascii_uppercase, k = 10))
+        self.user = self.factory(email=self.reg_email, is_active=True)
+        self.user.set_password(self.password)
+        self.user.save()
+
+    def test_auth_user_can_modify_own_instance(self):
+        """Regular user can modify own instance
+        """
+        # Create instance
+        data = {
+            "email": "new_email@mail.com",
+            "full_name": "New Full Name",
+            'provider': 'PROVIDER',
+        }
+
+        # Authenticate
+        token = get_tokens_for_user(self.user)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
+
+        # Query endpoint
+        url = f'/api/v1/user/update/{self.user.pk}/'
+        response = self.client.put(url, data=data, format='json')
+        # Assert forbidden code
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_auth_user_cannot_modify_random_instance(self):
+        """Regular user can modify own instance
+        """
+        # Create instance
+        instance = self.factory()
+        data = {
+            "email": "new_email@mail.com",
+            "full_name": "New Full Name",
+            'provider': 'PROVIDER',
+        }
+
+        # Authenticate
+        token = get_tokens_for_user(self.user)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
+
+        # Query endpoint
+        url = f'/api/v1/user/update/{instance.pk}/'
+        response = self.client.put(url, data=data, format='json')
+        # Assert forbidden code
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+