diff --git a/kfet/auth/tests.py b/kfet/auth/tests.py index 32e04812..a7a0b5ad 100644 --- a/kfet/auth/tests.py +++ b/kfet/auth/tests.py @@ -284,7 +284,11 @@ class TemporaryAuthTests(TestCase): self.perm = Permission.objects.get( content_type__app_label="kfet", codename="is_team" ) - self.user2.user_permissions.add(self.perm) + self.perm2 = Permission.objects.get( + content_type__app_label="kfet", codename="can_force_close" + ) + self.user1.user_permissions.add(self.perm) + self.user2.user_permissions.add(self.perm, self.perm2) def test_context_processor(self): """ @@ -295,7 +299,7 @@ class TemporaryAuthTests(TestCase): r = self.client.post("/k-fet/accounts/000/edit", HTTP_KFETPASSWORD="kfet_user2") self.assertEqual(r.context["user"], self.user1) - self.assertNotIn("kfet.is_team", r.context["perms"]) + self.assertNotIn("kfet.can_force_close", r.context["perms"]) def test_auth_not_persistent(self): """ diff --git a/kfet/forms.py b/kfet/forms.py index 019a8e41..b9adbc81 100644 --- a/kfet/forms.py +++ b/kfet/forms.py @@ -112,7 +112,7 @@ class AccountPwdForm(forms.Form): def save(self, commit=True): password = self.cleaned_data["pwd1"] - self.account.set_password(password) + self.account.change_pwd(password) if commit: self.account.save() diff --git a/kfet/tests/test_views.py b/kfet/tests/test_views.py index 40b9ef77..bc50b023 100644 --- a/kfet/tests/test_views.py +++ b/kfet/tests/test_views.py @@ -11,6 +11,7 @@ from django.utils import timezone from .. import KFET_DELETED_TRIGRAMME from ..auth import KFET_GENERIC_TRIGRAMME from ..auth.models import KFetGroup +from ..auth.utils import hash_password from ..config import kfet_config from ..models import ( Account, 
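Review bot: `test_context_processor` now only asserts that `kfet.can_force_close` is absent from `r.context["perms"]`, so it would still pass if the context processor exposed no permissions at all; since setUp now grants user1 `is_team`, a positive check such as `self.assertIn("kfet.is_team", r.context["perms"])` next to the `assertNotIn` would pin that the logged-in user's own permissions are present while the temporary-auth user's are not. The body of `test_context_processor` runs between the two hunks, outside the visible lines.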
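Review bot: `AccountPwdForm.save` now stores the password through `self.account.change_pwd(password)`, and the updated test in kfet/tests/test_views.py verifies the result with `assertEqual(self.accounts["team"].password, hash_password("changed_pwd"))`; that comparison can only hold if `hash_password` is deterministic for a given input, i.e. there is no per-password random salt. If that reading is right, identical kfet passwords share one stored hash and the store is exposed to precomputed-table attacks; Django's `make_password`/`check_password` (salted, iterated) would be the usual replacement, with the test switched to `self.assertTrue(check_password("changed_pwd", self.accounts["team"].password))`. `change_pwd` and `hash_password` are not part of this diff, so this is inferred from the test rather than from their implementations; `save` itself starts and ends inside the hunk.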
@@ -296,8 +297,8 @@ class AccountReadViewTests(ViewTestCaseMixin, TestCase): class AccountUpdateViewTests(ViewTestCaseMixin, TestCase): url_name = "kfet.account.update" - url_kwargs = {"trigramme": "001"} - url_expected = "/k-fet/accounts/001/edit" + url_kwargs = {"trigramme": "100"} + url_expected = "/k-fet/accounts/100/edit" http_methods = ["GET", "POST"] @@ -317,26 +318,16 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase): "promo": "", # 'is_frozen': not checked # Account password - "pwd1": "", - "pwd2": "", + "pwd1": "changed_pwd", + "pwd2": "changed_pwd", } def get_users_extra(self): return { - "user1": create_user("user1", "001"), "team1": create_team("team1", "101", perms=["kfet.change_account"]), + "team2": create_team("team2", "102"), } - # Users with forbidden access users should get a 404 here, to avoid leaking trigrams - # See issue #224 - def test_forbidden(self): - for method in ["get", "post"]: - for user in self.auth_forbidden: - self.assertRedirectsToLoginOr404(user, method, self.url_expected) - self.assertRedirectsToLoginOr404( - user, method, "/k-fet/accounts/NEX/edit" - ) - def assertRedirectsToLoginOr404(self, user, method, url): client = Client() meth = getattr(client, method) 
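Review bot: Removing `test_forbidden` drops the only visible check that users without access get a 404 rather than a 403 on `/k-fet/accounts/<trigramme>/edit`, the trigramme-enumeration protection the deleted comment ties to issue #224; the new `test_post_forbidden` in the next hunk asserts a "permission refusée" message for a logged-in team member instead and does not cover anonymous or non-team users or the `NEX` case. Unless that behaviour is now tested elsewhere, keeping a reduced form such as `for user in self.auth_forbidden: self.assertRedirectsToLoginOr404(user, "get", self.url_expected)` would preserve it, and `assertRedirectsToLoginOr404` otherwise has no remaining caller in this hunk. The class body continues past the hunk.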
@@ -356,46 +347,55 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase): r = self.client.get(self.url) self.assertEqual(r.status_code, 200) - def test_get_ok_self(self): - client = Client() - client.login(username="user1", password="user1") - r = client.get(self.url) - self.assertEqual(r.status_code, 200) - def test_post_ok(self): client = Client() client.login(username="team1", password="team1") - r = client.post(self.url, self.post_data) + r = client.post(self.url, self.post_data, follow=True) self.assertRedirects(r, reverse("kfet.account.read", args=["051"])) - self.accounts["user1"].refresh_from_db() - self.users["user1"].refresh_from_db() + # Comportement attendu : compte modifié, + # utilisateur/mdp inchangé, warning pour le mdp + + self.accounts["team"].refresh_from_db() + self.users["team"].refresh_from_db() self.assertInstanceExpected( - self.accounts["user1"], - {"first_name": "first", "last_name": "last", "trigramme": "051"}, + self.accounts["team"], + {"first_name": "team", "last_name": "member", "trigramme": "051"}, + ) + self.assertEqual(self.accounts["team"].password, hash_password("kfetpwd_team")) + + self.assertTrue( + any("mot de passe" in str(msg).casefold() for msg in r.context["messages"]) ) def test_post_ok_self(self): - client = Client() - client.login(username="user1", password="user1") + r = self.client.post(self.url, self.post_data, follow=True) + self.assertRedirects(r, reverse("kfet.account.read", args=["051"])) - post_data = {"first_name": "The first", "last_name": "The last"} + self.accounts["team"].refresh_from_db() + self.users["team"].refresh_from_db() - r = client.post(self.url, post_data) - self.assertRedirects(r, reverse("kfet.account.read", args=["001"])) - - self.accounts["user1"].refresh_from_db() - self.users["user1"].refresh_from_db() + # Comportement attendu : compte/mdp modifié, utilisateur inchangé self.assertInstanceExpected( - self.accounts["user1"], {"first_name": "first", "last_name": "last"} + 
self.accounts["team"], + {"first_name": "team", "last_name": "member", "trigramme": "051"}, ) + self.assertEqual(self.accounts["team"].password, hash_password("changed_pwd")) def test_post_forbidden(self): - r = self.client.post(self.url, self.post_data) - self.assertForbiddenKfet(r) + client = Client() + client.login(username="team2", password="team2") + r = client.post(self.url, self.post_data) + + self.assertTrue( + any( + "permission refusée" in str(msg).casefold() + for msg in r.context["messages"] + ) + ) class AccountDeleteViewTests(ViewTestCaseMixin, TestCase):
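Review bot: `test_post_forbidden` only checks that a "permission refusée" message was emitted; it never verifies that team2's POST left the target account untouched, so an authorization bug that shows the warning yet still applies the form would pass. After the post, add `self.accounts["team"].refresh_from_db()`, `self.assertEqual(self.accounts["team"].trigramme, "100")` (the trigramme `url_kwargs` targets) and `self.assertEqual(self.accounts["team"].password, hash_password("kfetpwd_team"))`, mirroring the unchanged-password assertion `test_post_ok` already makes. Reading `r.context["messages"]` also presumes the view re-renders on denial; if it redirects, `r.context` is None and the test raises instead of failing cleanly, so `follow=True` as in the other two tests would be safer. The message checks in `test_post_ok` and here match French substrings via `casefold()`, which will break on rewording; asserting on the message level (`messages.WARNING`/`messages.ERROR`) or a shared constant is more robust.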