feat: add logic to prevent edit for some user accounts

mostly for sake of online demo, so a "permanent" demo user can be
established

tests/views/test_auth.py

@@ -80,11 +80,18 @@ class TestAuthView(WebTestCase):
         redirect = view.change_password()
         self.assertIsInstance(redirect, HTTPFound)
 
-        # now "login" the user, and set initial password
-        self.request.user = barney
+        # set initial password
         auth.set_user_password(barney, 'foo')
         self.session.commit()
 
+        # forbidden if prevent_edit is set for user
+        self.request.user = barney
+        barney.prevent_edit = True
+        self.assertRaises(HTTPForbidden, view.change_password)
+
+        # okay let's test with edit allowed
+        barney.prevent_edit = False
+
         # view should now return context w/ form
         context = view.change_password()
         self.assertIn('form', context)

tests/views/test_users.py

@@ -42,6 +42,26 @@ class TestUserView(WebTestCase):
         user.active = False
         self.assertEqual(view.grid_row_class(user, data, 1), 'has-background-warning')
 
+    def test_is_editable(self):
+        model = self.app.model
+        view = self.make_view()
+
+        # active user is editable
+        user = model.User(username='barney', active=True)
+        self.assertTrue(view.is_editable(user))
+
+        # inactive also editable
+        user = model.User(username='barney', active=False)
+        self.assertTrue(view.is_editable(user))
+
+        # but not if prevent_edit flag is set
+        user = model.User(username='barney', prevent_edit=True)
+        self.assertFalse(view.is_editable(user))
+
+        # unless request user is root
+        self.request.is_root = True
+        self.assertTrue(view.is_editable(user))
+
     def test_configure_form(self):
         model = self.app.model
         barney = model.User(username='barney')