From e0c8924384da05d91f67db138fa84f9e0bb280c8 Mon Sep 17 00:00:00 2001 From: Marcin-Ramotowski Date: Thu, 27 Mar 2025 22:36:56 +0000 Subject: [PATCH] Added more cases to user tests to check all access levels --- api/tests/test_users.py | 88 ++++++++++++++++++++++++++++++++++------- 1 file changed, 73 insertions(+), 15 deletions(-) diff --git a/api/tests/test_users.py b/api/tests/test_users.py index da95b80..ae5d645 100644 --- a/api/tests/test_users.py +++ b/api/tests/test_users.py @@ -5,15 +5,36 @@ from werkzeug.security import generate_password_hash def test_create_user(test_client): """New user registration test""" - response = test_client.post( - "/users", - data=json.dumps({"username": "testuser", "email": "test@example.com", "password": "testpass", "role": "User"}), - content_type="application/json", - ) + + # Anonymous try to create common user + test_user_data = {"username": "testuser", "email": "test@example.com", "password": "testpass", "role": "User"} + response = test_client.post("/users", data=json.dumps(test_user_data), content_type="application/json") assert response.status_code == 201 # User should be created successfully data = response.get_json() assert data["username"] == "testuser" + # Anonymous try to create admin user + admin_user_data = {"username": "testadmin", "email": "testadmin@example.com", "password": "adminpass", "role": "Administrator"} + response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json") + assert response.status_code == 401 # Anonymous cannot create admin users + + # Login common user and try to create admin user + access_token = create_access_token(identity='1') + headers = {"Authorization": f"Bearer {access_token}"} + response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers) + assert response.status_code == 403 # Common user cannot create admin users + + # Try to create admin user using admin account + hashed_pass = generate_password_hash("adminpass") + user = User(username="admin", email="admin@example.com", password=hashed_pass, role="Administrator") + db.session.add(user) + db.session.commit() + access_token = create_access_token(identity=str(user.id)) + headers = {"Authorization": f"Bearer {access_token}"} + response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers) + assert response.status_code == 201 # Logged administrators can create new admin users + + def test_login(test_client): """User login test""" hashed_pass = generate_password_hash("testpass") @@ -34,22 +55,59 @@ def test_login(test_client): ) assert response.status_code == 200 # User should be logged - right password -def test_get_users(test_client): - """Get all users test - JWT required""" - response = test_client.get("/users") - assert response.status_code == 401 -def test_get_user_with_token(test_client): - """Test to get user data after auth using JWT token""" - user = User(username="admin", email="admin@example.com", password="hashed_pass", role="Administrator") - print(user.id) +def test_get_users(test_client): + """Get all users test""" + response = test_client.get("/users") + assert response.status_code == 401 # Anonymous cannot get all users data + + # Common user try to get all users data + hashed_pass = generate_password_hash("testpass") + user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User") db.session.add(user) db.session.commit() - access_token = create_access_token(identity=str(user.id)) headers = {"Authorization": f"Bearer {access_token}"} + response = test_client.get("/users", headers=headers) + assert response.status_code == 403 # Common user cannot get all users data + + # Admin user try to get all users data + hashed_pass = generate_password_hash("adminpass") + user = User(username="testadmin", email="testadmin@example.com", password=hashed_pass, role="Administrator") + db.session.add(user) + db.session.commit() + access_token = create_access_token(identity=str(user.id)) + headers = {"Authorization": f"Bearer {access_token}"} + response = test_client.get("/users", headers=headers) + assert response.status_code == 200 # Admin user should can get all users data - response = test_client.get(f"/users/{user.id}", headers=headers) +def test_get_user_with_token(test_client): + """Test to get user data before and after auth using JWT token""" + admin_pass = generate_password_hash("admin_pass") + admin = User(username="admin", email="admin@example.com", password=admin_pass, role="Administrator") + db.session.add(admin) + db.session.commit() + + response = test_client.get(f"/users/{admin.id}") + assert response.status_code == 401 # Try to get user data without login + + access_token = create_access_token(identity=str(admin.id)) + admin_headers = {"Authorization": f"Bearer {access_token}"} + + response = test_client.get(f"/users/{admin.id}", headers=admin_headers) assert response.status_code == 200 data = response.get_json() assert data["username"] == "admin" + + user_pass = generate_password_hash("test_pass") + user = User(username="testuser", email="test@example.com", password=user_pass, role="User") + db.session.add(user) + db.session.commit() + access_token = create_access_token(identity=str(user.id)) + headers = {"Authorization": f"Bearer {access_token}"} + response = test_client.get(f"/users/{user.id}", headers=headers) + assert response.status_code == 200 # Common user can get own user data + response = test_client.get(f"/users/{admin.id}", headers=headers) + assert response.status_code == 403 # Common user cannot get other user data + response = test_client.get(f"/users/{user.id}", headers=admin_headers) + assert response.status_code == 200 # Admin can access all user data