tested rest policies

misago/users/api/auth.py

@@ -73,8 +73,10 @@ def send_activation(request):
 
         mail_subject = _("Activate %(user)s account "
                          "on %(forum_title)s forums")
-        subject_formats = {'user': requesting_user.username,
-                           'forum_title': settings.forum_name}
+        subject_formats = {
+            'user': requesting_user.username,
+            'forum_title': settings.forum_name,
+        }
         mail_subject = mail_subject % subject_formats
 
         mail_user(request, requesting_user, mail_subject,
@@ -103,8 +105,10 @@ def send_password_form(request):
         requesting_user = form.user_cache
 
         mail_subject = _("Change %(user)s password on %(forum_title)s forums")
-        subject_formats = {'user': requesting_user.username,
-                           'forum_title': settings.forum_name}
+        subject_formats = {
+            'user': requesting_user.username,
+            'forum_title': settings.forum_name,
+        }
         mail_subject = mail_subject % subject_formats
 
         confirmation_token = make_password_change_token(requesting_user)

misago/users/rest_permissions.py

@@ -3,7 +3,10 @@ from rest_framework.permissions import BasePermission, AllowAny, SAFE_METHODS
 from django.core.exceptions import PermissionDenied
 from django.utils.translation import ugettext as _
 
+from misago.core.exceptions import Banned
+
 from misago.users.bans import get_request_ip_ban
+from misago.users.models import Ban, BAN_IP
 
 
 __all__ = [
@@ -27,9 +30,11 @@ class UnbannedOnly(BasePermission):
     def is_request_banned(self, request):
         ban = get_request_ip_ban(request)
         if ban:
-            raise PermissionDenied(
-                _("Your IP address is banned from performing this action."),
-                {'ban': ban.get_serialized_message()})
+            hydrated_ban = Ban(
+                check_type=BAN_IP,
+                user_message=ban['message'],
+                expires_on=ban['expires_on'])
+            raise Banned(hydrated_ban)
 
     def has_permission(self, request, view):
         self.is_request_banned(request)

misago/users/tests/test_forgottenpassword_views.py

@@ -1,6 +1,5 @@
 from django.contrib.auth import get_user_model
 from django.core.urlresolvers import reverse
-from django.test import TestCase
 
 from misago.users.models import Ban, BAN_USERNAME
 from misago.users.testutils import UserTestCase

misago/users/tests/test_rest_permissions.py

@@ -0,0 +1,79 @@
+from django.core.urlresolvers import reverse
+
+from misago.users.models import Ban, BAN_IP
+from misago.users.testutils import UserTestCase
+
+
+class UnbannedOnlyTests(UserTestCase):
+    def setUp(self):
+        self.user = self.get_authenticated_user()
+
+    def test_api_allows_guests(self):
+        """policy allows guests"""
+        response = self.client.post(
+            reverse('misago:api:send_password_form'), data={
+                'email': self.user.email
+            })
+        self.assertEqual(response.status_code, 200)
+
+    def test_api_allows_authenticated(self):
+        """policy allows authenticated"""
+        self.login_user(self.user)
+
+        response = self.client.post(
+            reverse('misago:api:send_password_form'), data={
+                'email': self.user.email
+            })
+        self.assertEqual(response.status_code, 200)
+
+    def test_api_blocks_banned(self):
+        """policy blocked banned ip"""
+        Ban.objects.create(
+            check_type=BAN_IP,
+            banned_value='127.*',
+            user_message='Ya got banned!')
+
+        response = self.client.post(
+            reverse('misago:api:send_password_form'), data={
+                'email': self.user.email
+            })
+        self.assertEqual(response.status_code, 403)
+
+
+class UnbannedAnonOnlyTests(UserTestCase):
+    def setUp(self):
+        self.user = self.get_authenticated_user()
+
+    def test_api_allows_guests(self):
+        """policy allows guests"""
+        self.user.requires_activation = 1
+        self.user.save()
+
+        response = self.client.post(
+            reverse('misago:api:send_activation'), data={
+                'email': self.user.email
+            })
+        self.assertEqual(response.status_code, 200)
+
+    def test_api_allows_authenticated(self):
+        """policy blocks authenticated"""
+        self.login_user(self.user)
+
+        response = self.client.post(
+            reverse('misago:api:send_activation'), data={
+                'email': self.user.email
+            })
+        self.assertEqual(response.status_code, 403)
+
+    def test_api_blocks_banned(self):
+        """policy blocked banned ip"""
+        Ban.objects.create(
+            check_type=BAN_IP,
+            banned_value='127.*',
+            user_message='Ya got banned!')
+
+        response = self.client.post(
+            reverse('misago:api:send_activation'), data={
+                'email': self.user.email
+            })
+        self.assertEqual(response.status_code, 403)