|
# retoor <retoor@molodetz.nl>
|
|
|
|
import time
|
|
import pytest
|
|
import requests
|
|
from tests.conftest import BASE_URL
|
|
from devplacepy.database import get_table, refresh_snapshot, set_setting
|
|
|
|
JSON = {"Accept": "application/json"}
|
|
_counter_rav = [0]
|
|
|
|
|
|
@pytest.fixture(scope="module", autouse=True)
|
|
def _settings(app_server):
|
|
set_setting("rate_limit_per_minute", "1000000")
|
|
set_setting("registration_open", "1")
|
|
yield
|
|
|
|
|
|
def _member():
|
|
_counter_rav[0] += 1
|
|
name = f"rav{int(time.time() * 1000)}{_counter_rav[0]}"
|
|
requests.post(
|
|
f"{BASE_URL}/auth/signup",
|
|
data={
|
|
"username": name,
|
|
"email": f"{name}@t.dev",
|
|
"password": "secret123",
|
|
"confirm_password": "secret123",
|
|
},
|
|
allow_redirects=True,
|
|
)
|
|
refresh_snapshot()
|
|
user = get_table("users").find_one(username=name)
|
|
return name, user["uid"], user["api_key"]
|
|
|
|
|
|
def _admin_key(seeded_db):
|
|
refresh_snapshot()
|
|
return get_table("users").find_one(username="alice_test")["api_key"]
|
|
|
|
|
|
def test_owner_regenerates_avatar(app_server):
|
|
name, uid, key = _member()
|
|
r = requests.post(
|
|
f"{BASE_URL}/profile/{name}/regenerate-avatar",
|
|
headers={"X-API-KEY": key, **JSON},
|
|
)
|
|
assert r.status_code == 200, r.text[:200]
|
|
body = r.json()["data"]
|
|
seed = body["avatar_seed"]
|
|
assert seed
|
|
assert body["url"] == f"/profile/{name}"
|
|
assert body["avatar_url"] == f"/avatar/multiavatar/{seed}?size=80"
|
|
refresh_snapshot()
|
|
assert get_table("users").find_one(uid=uid)["avatar_seed"] == seed
|
|
|
|
|
|
def test_regenerate_changes_seed(app_server):
|
|
name, uid, key = _member()
|
|
first = requests.post(
|
|
f"{BASE_URL}/profile/{name}/regenerate-avatar",
|
|
headers={"X-API-KEY": key, **JSON},
|
|
).json()["data"]["avatar_seed"]
|
|
second = requests.post(
|
|
f"{BASE_URL}/profile/{name}/regenerate-avatar",
|
|
headers={"X-API-KEY": key, **JSON},
|
|
).json()["data"]["avatar_seed"]
|
|
assert first != second
|
|
|
|
|
|
def test_admin_regenerates_for_other_user(seeded_db):
|
|
name, uid, key = _member()
|
|
r = requests.post(
|
|
f"{BASE_URL}/profile/{name}/regenerate-avatar",
|
|
headers={"X-API-KEY": _admin_key(seeded_db), **JSON},
|
|
)
|
|
assert r.status_code == 200, r.text[:200]
|
|
refresh_snapshot()
|
|
assert get_table("users").find_one(uid=uid)["avatar_seed"]
|
|
|
|
|
|
def test_non_owner_forbidden(app_server):
|
|
name, uid, key = _member()
|
|
_, _, other_key = _member()
|
|
r = requests.post(
|
|
f"{BASE_URL}/profile/{name}/regenerate-avatar",
|
|
headers={"X-API-KEY": other_key, **JSON},
|
|
)
|
|
assert r.status_code == 403
|
|
|
|
|
|
def test_unknown_user_404(app_server):
|
|
name, uid, key = _member()
|
|
r = requests.post(
|
|
f"{BASE_URL}/profile/nobody_xyz_zzz/regenerate-avatar",
|
|
headers={"X-API-KEY": key, **JSON},
|
|
)
|
|
assert r.status_code == 404
|
|
|
|
|
|
def test_guest_rejected(app_server):
|
|
name, uid, key = _member()
|
|
r = requests.post(
|
|
f"{BASE_URL}/profile/{name}/regenerate-avatar",
|
|
headers=JSON,
|
|
allow_redirects=False,
|
|
)
|
|
assert r.status_code in (401, 303)
|
|
|
|
|
|
def test_audit_event_recorded(seeded_db):
|
|
name, uid, key = _member()
|
|
requests.post(
|
|
f"{BASE_URL}/profile/{name}/regenerate-avatar",
|
|
headers={"X-API-KEY": key, **JSON},
|
|
)
|
|
admin = requests.Session()
|
|
admin.headers.update({"X-API-KEY": _admin_key(seeded_db)})
|
|
data = admin.get(
|
|
f"{BASE_URL}/admin/audit-log",
|
|
headers=JSON,
|
|
params={"event_key": "profile.avatar.regenerate"},
|
|
).json()
|
|
assert any(e.get("target_uid") == uid for e in data["entries"])
|