
fix #904: delete user with content views tests

Rafał Pitoń 7 years ago
parent
commit
b0b26e02e9

+ 3 - 3
misago/templates/misago/admin/users/delete.html

@@ -56,8 +56,8 @@
 
     DeletionController = function($e, on_complete) {
 
-      this.lang_deleting = "{% trans "deleting..." %}";
-      this.done = "{% trans "done" %}";
+      this.lang_deleting = "{% trans 'deleting...' %}";
+      this.done = "{% trans 'done' %}";
 
       this.$e = $e;
       this.on_complete = on_complete;
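Review bot: The translated strings on the new `this.lang_deleting` and `this.done` lines are still written into JavaScript double-quoted literals without JavaScript escaping, so a translation containing a quote, backslash or line break would presumably either break the script or appear as an HTML entity in the UI. Binding the translation first and escaping it avoids both, e.g. `{% trans 'done' as lang_done %}` followed by `this.done = "{{ lang_done|escapejs }}";`. The same applies to the `$btn.text(...)` line in the second hunk of this file. DeletionController's body continues outside the hunk.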
@@ -144,7 +144,7 @@
         var $form = $('.user').first().parents('form');
         var $btn = $form.find('.btn-default');
 
-        $btn.text("{% trans "Return to list of users" %}");
+        $btn.text("{% trans 'Return to list of users' %}");
         $btn.attr('class', 'btn btn-success');
 
       }

+ 301 - 3
misago/users/tests/test_useradmin_views.py

@@ -133,6 +133,80 @@ class UserAdminViewsTests(AdminTestCase):
         self.assertEqual(response.status_code, 302)
         self.assertEqual(Ban.objects.count(), 24)
 
+    def test_mass_delete_accounts_self(self):
+        """its impossible to delete oneself"""
+        user_pks = [self.user.pk]
+
+        response = self.client.post(
+            reverse('misago:admin:users:accounts:index'),
+            data={
+                'action': 'delete_accounts',
+                'selected_items': user_pks,
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(response['location'])
+        self.assertContains(response, "delete yourself")
+
+    def test_mass_delete_accounts_admin(self):
+        """its impossible to delete admin account"""
+        user_pks = []
+        for i in range(10):
+            test_user = UserModel.objects.create_user(
+                'Bob%s' % i,
+                'bob%s@test.com' % i,
+                'pass123',
+            )
+            user_pks.append(test_user.pk)
+
+            test_user.is_staff = True
+            test_user.save()
+
+        response = self.client.post(
+            reverse('misago:admin:users:accounts:index'),
+            data={
+                'action': 'delete_accounts',
+                'selected_items': user_pks,
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(response['location'])
+        self.assertContains(response, "is admin and can")
+        self.assertContains(response, "be deleted.")
+
+        self.assertEqual(UserModel.objects.count(), 11)
+
+    def test_mass_delete_accounts_superadmin(self):
+        """its impossible to delete superadmin account"""
+        user_pks = []
+        for i in range(10):
+            test_user = UserModel.objects.create_user(
+                'Bob%s' % i,
+                'bob%s@test.com' % i,
+                'pass123',
+            )
+            user_pks.append(test_user.pk)
+
+            test_user.is_superuser = True
+            test_user.save()
+
+        response = self.client.post(
+            reverse('misago:admin:users:accounts:index'),
+            data={
+                'action': 'delete_accounts',
+                'selected_items': user_pks,
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(response['location'])
+        self.assertContains(response, "is admin and can")
+        self.assertContains(response, "be deleted.")
+
+        self.assertEqual(UserModel.objects.count(), 11)
+
     def test_mass_delete_accounts(self):
         """users list deletes users"""
         user_pks = []
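Review bot: `test_mass_delete_accounts_self` asserts only the redirect and the "delete yourself" message, so it does not itself show that the account survived, whereas the admin and superadmin tests next to it do pin the row count. Adding `self.assertEqual(UserModel.objects.count(), 1)` after the message check would make the self case consistent with them, assuming the logged-in admin is the only user at that point, as the count of 11 in the sibling tests suggests. `test_mass_delete_all_self` in the next hunk has the same gap. The admin and superadmin tests also differ only in the flag they set, so a shared helper for creating the ten users would cut the repetition.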
@@ -155,6 +229,80 @@ class UserAdminViewsTests(AdminTestCase):
         self.assertEqual(response.status_code, 302)
         self.assertEqual(UserModel.objects.count(), 1)
 
+    def test_mass_delete_all_self(self):
+        """its impossible to delete oneself with content"""
+        user_pks = [self.user.pk]
+
+        response = self.client.post(
+            reverse('misago:admin:users:accounts:index'),
+            data={
+                'action': 'delete_all',
+                'selected_items': user_pks,
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(response['location'])
+        self.assertContains(response, "delete yourself")
+
+    def test_mass_delete_all_admin(self):
+        """its impossible to delete admin account and content"""
+        user_pks = []
+        for i in range(10):
+            test_user = UserModel.objects.create_user(
+                'Bob%s' % i,
+                'bob%s@test.com' % i,
+                'pass123',
+            )
+            user_pks.append(test_user.pk)
+
+            test_user.is_staff = True
+            test_user.save()
+
+        response = self.client.post(
+            reverse('misago:admin:users:accounts:index'),
+            data={
+                'action': 'delete_all',
+                'selected_items': user_pks,
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(response['location'])
+        self.assertContains(response, "is admin and can")
+        self.assertContains(response, "be deleted.")
+
+        self.assertEqual(UserModel.objects.count(), 11)
+
+    def test_mass_delete_all_superadmin(self):
+        """its impossible to delete superadmin account and content"""
+        user_pks = []
+        for i in range(10):
+            test_user = UserModel.objects.create_user(
+                'Bob%s' % i,
+                'bob%s@test.com' % i,
+                'pass123',
+            )
+            user_pks.append(test_user.pk)
+
+            test_user.is_superuser = True
+            test_user.save()
+
+        response = self.client.post(
+            reverse('misago:admin:users:accounts:index'),
+            data={
+                'action': 'delete_all',
+                'selected_items': user_pks,
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(response['location'])
+        self.assertContains(response, "is admin and can")
+        self.assertContains(response, "be deleted.")
+
+        self.assertEqual(UserModel.objects.count(), 11)
+
     def test_mass_delete_all(self):
         """users list deletes users and their content"""
         user_pks = []
@@ -170,12 +318,12 @@ class UserAdminViewsTests(AdminTestCase):
         response = self.client.post(
             reverse('misago:admin:users:accounts:index'),
             data={
-                'action': 'delete_accounts',
+                'action': 'delete_all',
                 'selected_items': user_pks,
             }
         )
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(UserModel.objects.count(), 1)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(UserModel.objects.count(), 11) # no user has been deleted
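Review bot: After this change `test_mass_delete_all` only checks for a 200 response and an unchanged user count, so it would pass for any page that renders without deleting; nothing confirms that the deletion page was the one returned. Adding `self.assertTemplateUsed(response, 'misago/admin/users/delete.html')` would pin that. The test starts in the context lines of the previous hunk, where its docstring still says the list "deletes users and their content"; it could read `"""users list renders deletion page for selected users"""`.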
 
     def test_new_view(self):
         """new user view creates account"""
@@ -658,6 +806,56 @@ class UserAdminViewsTests(AdminTestCase):
         self.assertTrue(updated_user.is_active)
         self.assertFalse(updated_user.is_active_staff_message)
 
+    def test_delete_threads_view_self(self):
+        """delete user threads view validates if user deletes self"""
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-threads', kwargs={
+                'pk': self.user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "delete yourself");
+
+    def test_delete_threads_view_staff(self):
+        """delete user threads view validates if user deletes staff"""
+        test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
+        test_user.is_staff = True
+        test_user.save()
+
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-threads', kwargs={
+                'pk': test_user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "is admin and");
+
+    def test_delete_threads_view_superuser(self):
+        """delete user threads view validates if user deletes superuser"""
+        test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
+        test_user.is_superuser = True
+        test_user.save()
+
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-threads', kwargs={
+                'pk': test_user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "is admin and");
+
     def test_delete_threads_view(self):
         """delete user threads view deletes threads"""
         test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
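Review bot: The three new `delete-threads` tests check the 302 and the flashed message but create no threads for the target, so they would still pass if the view showed the message and deleted content anyway. Giving the target a thread and asserting it still exists afterwards would close that; for the `delete-account` tests in the last test hunk the equivalent is `self.assertTrue(UserModel.objects.filter(pk=test_user.pk).exists())`. The `delete-posts` hunk has the same shape. The trailing `;` after each `self.assertContains(...)` call is harmless but not Python style and can be dropped.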
@@ -684,6 +882,56 @@ class UserAdminViewsTests(AdminTestCase):
         self.assertEqual(response_dict['deleted_count'], 0)
         self.assertTrue(response_dict['is_completed'])
 
+    def test_delete_posts_view_self(self):
+        """delete user posts view validates if user deletes self"""
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-posts', kwargs={
+                'pk': self.user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "delete yourself");
+
+    def test_delete_posts_view_staff(self):
+        """delete user posts view validates if user deletes staff"""
+        test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
+        test_user.is_staff = True
+        test_user.save()
+
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-posts', kwargs={
+                'pk': test_user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "is admin and");
+
+    def test_delete_posts_view_superuser(self):
+        """delete user posts view validates if user deletes superuser"""
+        test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
+        test_user.is_superuser = True
+        test_user.save()
+
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-posts', kwargs={
+                'pk': test_user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "is admin and");
+
     def test_delete_posts_view(self):
         """delete user posts view deletes posts"""
         test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
@@ -711,6 +959,56 @@ class UserAdminViewsTests(AdminTestCase):
         self.assertEqual(response_dict['deleted_count'], 0)
         self.assertTrue(response_dict['is_completed'])
 
+    def test_delete_account_view_self(self):
+        """delete user account view validates if user deletes self"""
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-account', kwargs={
+                'pk': self.user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "delete yourself");
+
+    def test_delete_account_view_staff(self):
+        """delete user account view validates if user deletes staff"""
+        test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
+        test_user.is_staff = True
+        test_user.save()
+
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-account', kwargs={
+                'pk': test_user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "is admin and");
+
+    def test_delete_account_view_superuser(self):
+        """delete user account view validates if user deletes superuser"""
+        test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')
+        test_user.is_superuser = True
+        test_user.save()
+
+        test_link = reverse(
+            'misago:admin:users:accounts:delete-account', kwargs={
+                'pk': test_user.pk,
+            }
+        )
+
+        response = self.client.post(test_link, **self.AJAX_HEADER)
+        self.assertEqual(response.status_code, 302)
+
+        response = self.client.get(reverse('misago:admin:index'))
+        self.assertContains(response, "is admin and");
+
     def test_delete_account_view(self):
         """delete user account view deletes user account"""
         test_user = UserModel.objects.create_user('Bob', 'bob@test.com', 'pass123')

+ 12 - 8
misago/users/views/admin/users.py

@@ -197,6 +197,8 @@ class UsersList(UserAdmin, generic.ListView):
 
     def action_delete_accounts(self, request, users):
         for user in users:
+            if user == request.user:
+                raise generic.MassActionError(_("You can't delete yourself."))
             if user.is_staff or user.is_superuser:
                 message = _("%(user)s is admin and can't be deleted.") % {'user': user.username}
                 raise generic.MassActionError(message)
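Review bot: The self-deletion guard added at the top of the loop in `action_delete_accounts` is repeated verbatim in `action_delete_all` and again, with `return` instead of `raise`, in `DeletionStep.check_permissions`, so the three copies of this rule can drift apart. One shared helper that returns the refusal message or `None` for a request and target would keep the rule in one place; with a placeholder name, the loop body becomes `message = get_deletion_error(request, user)` and `if message: raise generic.MassActionError(message)`. The body of `action_delete_accounts` continues outside the hunk.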
@@ -209,19 +211,18 @@ class UsersList(UserAdmin, generic.ListView):
 
     def action_delete_all(self, request, users):
         for user in users:
+            if user == request.user:
+                raise generic.MassActionError(_("You can't delete yourself."))
             if user.is_staff or user.is_superuser:
                 message = _("%(user)s is admin and can't be deleted.") % {'user': user.username}
                 raise generic.MassActionError(message)
 
-        for user in users:
-            user.delete(delete_content=True)
-
-        messages.success(request, _("Selected users and their content has been deleted."))
-
         return self.render(
-            request, template='misago/admin/users/delete.html', context={
+            request,
+            template='misago/admin/users/delete.html',
+            context={
                 'users': users,
-            }
+            },
         )
 
 
@@ -324,7 +325,10 @@ class DeletionStep(UserAdmin, generic.ButtonView):
 
     def check_permissions(self, request, target):
         if not request.is_ajax():
-            return _("This action can't be accessed directly")
+            return _("This action can't be accessed directly.")
+
+        if target == request.user:
+            return _("You can't delete yourself.")
 
         if target.is_staff or target.is_superuser:
             return _("%(user)s is admin and can't be deleted.") % {'user': target.username}
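Review bot: The `request.is_ajax()` test that precedes the new self-deletion check only inspects a header the client sets, so it should not be read as an access control; the `target == request.user` and staff/superuser checks are what actually refuse the deletion. A comment saying so would keep a later refactor from reordering or dropping them, e.g. `# is_ajax() is a UX guard only; the checks below are the authorization rules`. `check_permissions` continues outside the hunk.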