feat: add support for admin user to become / stop being root

2024-08-05 14:21:54 -05:00 · 2024-08-05 14:21:54 -05:00 · fc339ba81b
commit fc339ba81b
parent a2ba88ca8f
9 changed files with 335 additions and 22 deletions
--- a/tests/views/test_auth.py
+++ b/tests/views/test_auth.py
@ -4,11 +4,12 @@ from unittest import TestCase
 from unittest.mock import MagicMock

 from pyramid import testing
-from pyramid.httpexceptions import HTTPFound
+from pyramid.httpexceptions import HTTPFound, HTTPForbidden

 from wuttjamaican.conf import WuttaConfig
 from wuttaweb.views import auth as mod
 from wuttaweb.auth import WuttaSecurityPolicy
+from wuttaweb.subscribers import new_request


 class TestAuthView(TestCase):
@ -19,7 +20,9 @@ class TestAuthView(TestCase):
        })

        self.request = testing.DummyRequest(wutta_config=self.config, user=None)
-        self.pyramid_config = testing.setUp(request=self.request)
+        self.pyramid_config = testing.setUp(request=self.request, settings={
+            'wutta_config': self.config,
+        })

        self.app = self.config.get_app()
        auth = self.app.get_auth_handler()
@ -142,3 +145,46 @@ class TestAuthView(TestCase):
        self.assertIn('form', context)
        dform = context['form'].get_deform()
        self.assertEqual(dform['new_password'].errormsg, "New password must be different from old password.")
+
+    def test_become_root(self):
+        event = MagicMock(request=self.request)
+        new_request(event)      # add request.get_referrer()
+        view = mod.AuthView(self.request)
+
+        # GET not allowed
+        self.request.method = 'GET'
+        self.assertRaises(HTTPForbidden, view.become_root)
+
+        # non-admin users also not allowed
+        self.request.method = 'POST'
+        self.request.is_admin = False
+        self.assertRaises(HTTPForbidden, view.become_root)
+
+        # but admin users can become root
+        self.request.is_admin = True
+        self.assertNotIn('is_root', self.request.session)
+        redirect = view.become_root()
+        self.assertIsInstance(redirect, HTTPFound)
+        self.assertTrue(self.request.session['is_root'])
+
+    def test_stop_root(self):
+        event = MagicMock(request=self.request)
+        new_request(event)      # add request.get_referrer()
+        view = mod.AuthView(self.request)
+
+        # GET not allowed
+        self.request.method = 'GET'
+        self.assertRaises(HTTPForbidden, view.stop_root)
+
+        # non-admin users also not allowed
+        self.request.method = 'POST'
+        self.request.is_admin = False
+        self.assertRaises(HTTPForbidden, view.stop_root)
+
+        # but admin users can stop being root
+        # (nb. there is no check whether user is currently root)
+        self.request.is_admin = True
+        self.assertNotIn('is_root', self.request.session)
+        redirect = view.stop_root()
+        self.assertIsInstance(redirect, HTTPFound)
+        self.assertFalse(self.request.session['is_root'])
--- a/tests/views/test_base.py
+++ b/tests/views/test_base.py
@ -3,7 +3,7 @@
 from unittest import TestCase

 from pyramid import testing
-from pyramid.httpexceptions import HTTPFound
+from pyramid.httpexceptions import HTTPFound, HTTPForbidden

 from wuttjamaican.conf import WuttaConfig
 from wuttaweb.views import base
@ -23,6 +23,10 @@ class TestView(TestCase):
        self.assertIs(self.view.config, self.config)
        self.assertIs(self.view.app, self.app)

+    def test_forbidden(self):
+        error = self.view.forbidden()
+        self.assertIsInstance(error, HTTPForbidden)
+
    def test_make_form(self):
        form = self.view.make_form()
        self.assertIsInstance(form, Form)