Fix tests

kfet/auth/tests.py

@@ -284,7 +284,11 @@ class TemporaryAuthTests(TestCase):
         self.perm = Permission.objects.get(
             content_type__app_label="kfet", codename="is_team"
         )
-        self.user2.user_permissions.add(self.perm)
+        self.perm2 = Permission.objects.get(
+            content_type__app_label="kfet", codename="can_force_close"
+        )
+        self.user1.user_permissions.add(self.perm)
+        self.user2.user_permissions.add(self.perm, self.perm2)
 
     def test_context_processor(self):
         """
@@ -295,7 +299,7 @@ class TemporaryAuthTests(TestCase):
         r = self.client.post("/k-fet/accounts/000/edit", HTTP_KFETPASSWORD="kfet_user2")
 
         self.assertEqual(r.context["user"], self.user1)
-        self.assertNotIn("kfet.is_team", r.context["perms"])
+        self.assertNotIn("kfet.can_force_close", r.context["perms"])
 
     def test_auth_not_persistent(self):
         """

kfet/forms.py

@@ -112,7 +112,7 @@ class AccountPwdForm(forms.Form):
 
     def save(self, commit=True):
         password = self.cleaned_data["pwd1"]
-        self.account.set_password(password)
+        self.account.change_pwd(password)
         if commit:
             self.account.save()
 

kfet/tests/test_views.py

@@ -11,6 +11,7 @@ from django.utils import timezone
 from .. import KFET_DELETED_TRIGRAMME
 from ..auth import KFET_GENERIC_TRIGRAMME
 from ..auth.models import KFetGroup
+from ..auth.utils import hash_password
 from ..config import kfet_config
 from ..models import (
     Account,
@@ -296,8 +297,8 @@ class AccountReadViewTests(ViewTestCaseMixin, TestCase):
 
 class AccountUpdateViewTests(ViewTestCaseMixin, TestCase):
     url_name = "kfet.account.update"
-    url_kwargs = {"trigramme": "001"}
+    url_kwargs = {"trigramme": "100"}
-    url_expected = "/k-fet/accounts/001/edit"
+    url_expected = "/k-fet/accounts/100/edit"
 
     http_methods = ["GET", "POST"]
 
@@ -317,26 +318,16 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase):
         "promo": "",
         # 'is_frozen': not checked
         # Account password
-        "pwd1": "",
+        "pwd1": "changed_pwd",
-        "pwd2": "",
+        "pwd2": "changed_pwd",
     }
 
     def get_users_extra(self):
         return {
-            "user1": create_user("user1", "001"),
             "team1": create_team("team1", "101", perms=["kfet.change_account"]),
+            "team2": create_team("team2", "102"),
         }
 
-    # Users with forbidden access users should get a 404 here, to avoid leaking trigrams
-    # See issue #224
-    def test_forbidden(self):
-        for method in ["get", "post"]:
-            for user in self.auth_forbidden:
-                self.assertRedirectsToLoginOr404(user, method, self.url_expected)
-                self.assertRedirectsToLoginOr404(
-                    user, method, "/k-fet/accounts/NEX/edit"
-                )
-
     def assertRedirectsToLoginOr404(self, user, method, url):
         client = Client()
         meth = getattr(client, method)
@@ -356,46 +347,55 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase):
         r = self.client.get(self.url)
         self.assertEqual(r.status_code, 200)
 
-    def test_get_ok_self(self):
-        client = Client()
-        client.login(username="user1", password="user1")
-        r = client.get(self.url)
-        self.assertEqual(r.status_code, 200)
-
     def test_post_ok(self):
         client = Client()
         client.login(username="team1", password="team1")
 
-        r = client.post(self.url, self.post_data)
+        r = client.post(self.url, self.post_data, follow=True)
         self.assertRedirects(r, reverse("kfet.account.read", args=["051"]))
 
-        self.accounts["user1"].refresh_from_db()
+        # Comportement attendu : compte modifié,
-        self.users["user1"].refresh_from_db()
+        # utilisateur/mdp inchangé, warning pour le mdp
+
+        self.accounts["team"].refresh_from_db()
+        self.users["team"].refresh_from_db()
 
         self.assertInstanceExpected(
-            self.accounts["user1"],
+            self.accounts["team"],
-            {"first_name": "first", "last_name": "last", "trigramme": "051"},
+            {"first_name": "team", "last_name": "member", "trigramme": "051"},
+        )
+        self.assertEqual(self.accounts["team"].password, hash_password("kfetpwd_team"))
+
+        self.assertTrue(
+            any("mot de passe" in str(msg).casefold() for msg in r.context["messages"])
         )
 
     def test_post_ok_self(self):
-        client = Client()
+        r = self.client.post(self.url, self.post_data, follow=True)
-        client.login(username="user1", password="user1")
+        self.assertRedirects(r, reverse("kfet.account.read", args=["051"]))
 
-        post_data = {"first_name": "The first", "last_name": "The last"}
+        self.accounts["team"].refresh_from_db()
+        self.users["team"].refresh_from_db()
 
-        r = client.post(self.url, post_data)
+        # Comportement attendu : compte/mdp modifié, utilisateur inchangé
-        self.assertRedirects(r, reverse("kfet.account.read", args=["001"]))
-
-        self.accounts["user1"].refresh_from_db()
-        self.users["user1"].refresh_from_db()
 
         self.assertInstanceExpected(
-            self.accounts["user1"], {"first_name": "first", "last_name": "last"}
+            self.accounts["team"],
+            {"first_name": "team", "last_name": "member", "trigramme": "051"},
         )
+        self.assertEqual(self.accounts["team"].password, hash_password("changed_pwd"))
 
     def test_post_forbidden(self):
-        r = self.client.post(self.url, self.post_data)
+        client = Client()
-        self.assertForbiddenKfet(r)
+        client.login(username="team2", password="team2")
+        r = client.post(self.url, self.post_data)
+
+        self.assertTrue(
+            any(
+                "permission refusée" in str(msg).casefold()
+                for msg in r.context["messages"]
+            )
+        )
 
 
 class AccountDeleteViewTests(ViewTestCaseMixin, TestCase):