# retoor import time import pytest import requests from tests.conftest import BASE_URL from devplacepy.database import get_table, refresh_snapshot, set_setting JSON = {"Accept": "application/json"} _counter_rav = [0] @pytest.fixture(scope="module", autouse=True) def _settings(app_server): set_setting("rate_limit_per_minute", "1000000") set_setting("registration_open", "1") yield def _member(): _counter_rav[0] += 1 name = f"rav{int(time.time() * 1000)}{_counter_rav[0]}" requests.post( f"{BASE_URL}/auth/signup", data={ "username": name, "email": f"{name}@t.dev", "password": "secret123", "confirm_password": "secret123", }, allow_redirects=True, ) refresh_snapshot() user = get_table("users").find_one(username=name) return name, user["uid"], user["api_key"] def _admin_key(seeded_db): refresh_snapshot() return get_table("users").find_one(username="alice_test")["api_key"] def test_owner_regenerates_avatar(app_server): name, uid, key = _member() r = requests.post( f"{BASE_URL}/profile/{name}/regenerate-avatar", headers={"X-API-KEY": key, **JSON}, ) assert r.status_code == 200, r.text[:200] body = r.json()["data"] seed = body["avatar_seed"] assert seed assert body["url"] == f"/profile/{name}" assert body["avatar_url"] == f"/avatar/multiavatar/{seed}?size=80" refresh_snapshot() assert get_table("users").find_one(uid=uid)["avatar_seed"] == seed def test_regenerate_changes_seed(app_server): name, uid, key = _member() first = requests.post( f"{BASE_URL}/profile/{name}/regenerate-avatar", headers={"X-API-KEY": key, **JSON}, ).json()["data"]["avatar_seed"] second = requests.post( f"{BASE_URL}/profile/{name}/regenerate-avatar", headers={"X-API-KEY": key, **JSON}, ).json()["data"]["avatar_seed"] assert first != second def test_admin_regenerates_for_other_user(seeded_db): name, uid, key = _member() r = requests.post( f"{BASE_URL}/profile/{name}/regenerate-avatar", headers={"X-API-KEY": _admin_key(seeded_db), **JSON}, ) assert r.status_code == 200, r.text[:200] refresh_snapshot() assert get_table("users").find_one(uid=uid)["avatar_seed"] def test_non_owner_forbidden(app_server): name, uid, key = _member() _, _, other_key = _member() r = requests.post( f"{BASE_URL}/profile/{name}/regenerate-avatar", headers={"X-API-KEY": other_key, **JSON}, ) assert r.status_code == 403 def test_unknown_user_404(app_server): name, uid, key = _member() r = requests.post( f"{BASE_URL}/profile/nobody_xyz_zzz/regenerate-avatar", headers={"X-API-KEY": key, **JSON}, ) assert r.status_code == 404 def test_guest_rejected(app_server): name, uid, key = _member() r = requests.post( f"{BASE_URL}/profile/{name}/regenerate-avatar", headers=JSON, allow_redirects=False, ) assert r.status_code in (401, 303) def test_audit_event_recorded(seeded_db): name, uid, key = _member() requests.post( f"{BASE_URL}/profile/{name}/regenerate-avatar", headers={"X-API-KEY": key, **JSON}, ) admin = requests.Session() admin.headers.update({"X-API-KEY": _admin_key(seeded_db)}) data = admin.get( f"{BASE_URL}/admin/audit-log", headers=JSON, params={"event_key": "profile.avatar.regenerate"}, ).json() assert any(e.get("target_uid") == uid for e in data["entries"])