221V
/
Misago


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716
							import pytest
from django.contrib.auth import get_user_model
from django.urls import reverse

from ....acl.models import Role
from ....legal.models import Agreement
from ....legal.utils import save_user_agreement_acceptance
from ....test import assert_contains
from ...models import Rank
from ...utils import hash_email

User = get_user_model()


def test_link_is_registered_in_admin_nav(admin_client):
    response = admin_client.get(reverse("misago:admin:index"))
    assert_contains(response, reverse("misago:admin:users:accounts:index"))


def test_list_renders_with_item(admin_client, users_admin_link, superuser):
    response = admin_client.get(users_admin_link)
    assert_contains(response, superuser.username)


def test_new_user_form_renders(admin_client):
    response = admin_client.get(reverse("misago:admin:users:accounts:new"))
    assert response.status_code == 200


def test_new_user_can_be_created(admin_client):
    default_rank = Rank.objects.get_default()
    authenticated_role = Role.objects.get(special_role="authenticated")

    admin_client.post(
        reverse("misago:admin:users:accounts:new"),
        data={
            "username": "User",
            "rank": str(default_rank.pk),
            "roles": str(authenticated_role.pk),
            "email": "user@example.com",
            "new_password": "pass123",
            "staff_level": "0",
        },
    )

    user = User.objects.get_by_email("user@example.com")
    assert user.username == "User"
    assert user.rank == default_rank
    assert authenticated_role in user.roles.all()
    assert user.check_password("pass123")
    assert not user.is_staff
    assert not user.is_superuser


def test_new_user_can_be_created_with_whitespace_around_password(admin_client):
    default_rank = Rank.objects.get_default()
    authenticated_role = Role.objects.get(special_role="authenticated")

    admin_client.post(
        reverse("misago:admin:users:accounts:new"),
        data={
            "username": "User",
            "rank": str(default_rank.pk),
            "roles": str(authenticated_role.pk),
            "email": "user@example.com",
            "new_password": "  pass123  ",
            "staff_level": "0",
        },
    )

    user = User.objects.get_by_email("user@example.com")
    assert user.check_password("  pass123  ")


def test_new_user_creation_fails_because_user_was_not_given_authenticated_role(
    admin_client
):
    default_rank = Rank.objects.get_default()
    guest_role = Role.objects.get(special_role="anonymous")

    admin_client.post(
        reverse("misago:admin:users:accounts:new"),
        data={
            "username": "User",
            "rank": str(default_rank.pk),
            "roles": str(guest_role.pk),
            "email": "user@example.com",
            "new_password": "pass123",
            "staff_level": "0",
        },
    )

    with pytest.raises(User.DoesNotExist):
        User.objects.get_by_email("user@example.com")


def test_edit_user_form_renders(admin_client, user):
    response = admin_client.get(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk})
    )
    assert response.status_code == 200


def test_edit_user_form_renders_for_staff_user(staff_client, user):
    response = staff_client.get(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk})
    )
    assert response.status_code == 200


def test_edit_staff_form_renders_for_staff_user(staff_client, other_staffuser):
    response = staff_client.get(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": other_staffuser.pk})
    )
    assert response.status_code == 200


def test_edit_superuser_form_renders_for_staff_user(staff_client, superuser):
    response = staff_client.get(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk})
    )
    assert response.status_code == 200


def get_default_edit_form_data(user):
    default_rank = Rank.objects.get_default()
    authenticated_role = Role.objects.get(special_role="authenticated")
    data = {
        "username": user.username,
        "rank": str(user.rank_id),
        "roles": str(user.roles.all()[0].id),
        "email": user.email,
        "new_password": "",
        "signature": user.signature,
        "is_signature_locked": str(user.is_signature_locked),
        "is_hiding_presence": str(user.is_hiding_presence),
        "limits_private_thread_invites_to": str(user.limits_private_thread_invites_to),
        "signature_lock_staff_message": str(user.signature_lock_staff_message or ""),
        "signature_lock_user_message": str(user.signature_lock_user_message or ""),
        "subscribe_to_started_threads": str(user.subscribe_to_started_threads),
        "subscribe_to_replied_threads": str(user.subscribe_to_replied_threads),
        "is_active": "1",
    }

    if user.is_staff:
        data["is_staff"] = "1"
    if user.is_superuser:
        data["is_superuser"] = "1"

    return data


def test_edit_form_changes_user_username(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["username"] = "NewUsername"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.username == "NewUsername"
    assert user.slug == "newusername"


def test_editing_user_username_creates_entry_in_username_history(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["username"] = "NewUsername"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    assert user.namechanges.exists()


def test_not_editing_user_username_doesnt_create_entry_in_username_history(
    admin_client, user
):
    form_data = get_default_edit_form_data(user)

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    assert not user.namechanges.exists()


def test_edit_form_changes_user_email(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["email"] = "edited@example.com"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.email == "edited@example.com"
    assert user.email_hash == hash_email("edited@example.com")


def test_edit_form_doesnt_remove_current_user_password_if_new_password_is_omitted(
    admin_client, user, user_password
):
    form_data = get_default_edit_form_data(user)

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.check_password(user_password)


def test_edit_form_displays_message_for_user_with_unusable_password(
    admin_client, user, user_password
):
    user.set_password(None)
    user.save()

    response = admin_client.get(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk})
    )

    assert_contains(response, "alert-has-unusable-password")


def test_edit_form_doesnt_set_password_for_user_with_unusable_password_if_none_is_given(
    admin_client, user, user_password
):
    user.set_password(None)
    user.save()

    form_data = get_default_edit_form_data(user)

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert not user.has_usable_password()


def test_edit_form_sets_password_for_user_with_unusable_password(
    admin_client, user, user_password
):
    user.set_password(None)
    user.save()

    form_data = get_default_edit_form_data(user)
    form_data["new_password"] = user_password

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.check_password(user_password)


def test_edit_form_changes_user_password(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["new_password"] = "newpassword123"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.check_password("newpassword123")


def test_edit_form_preserves_whitespace_in_new_user_password(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["new_password"] = "  newpassword123  "

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.check_password("  newpassword123  ")


def test_admin_editing_their_own_password_is_not_logged_out(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["new_password"] = "newpassword123"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk}),
        data=form_data,
    )

    user = admin_client.get("/api/auth/")
    assert user.json()["id"] == superuser.id


def test_staff_user_cannot_degrade_superuser_to_staff_user(staff_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["is_staff"] = "1"
    form_data.pop("is_superuser")

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk}),
        data=form_data,
    )

    superuser.refresh_from_db()
    assert superuser.is_staff
    assert superuser.is_superuser


def test_staff_user_cannot_degrade_superuser_to_regular_user(staff_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data.pop("is_staff")
    form_data.pop("is_superuser")

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk}),
        data=form_data,
    )

    superuser.refresh_from_db()
    assert superuser.is_staff
    assert superuser.is_superuser


def test_staff_user_cannot_promote_other_staff_user_to_superuser(
    staff_client, other_staffuser
):
    form_data = get_default_edit_form_data(other_staffuser)
    form_data["is_staff"] = "1"
    form_data["is_superuser"] = "1"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": other_staffuser.pk}),
        data=form_data,
    )

    other_staffuser.refresh_from_db()
    assert other_staffuser.is_staff
    assert not other_staffuser.is_superuser


def test_staff_user_cannot_promote_regular_user_to_staff(staff_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_staff"] = "1"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert not user.is_staff


def test_staff_user_cannot_promote_regular_user_to_superuser(staff_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_superuser"] = "1"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert not user.is_superuser


def test_staff_user_cannot_promote_themselves_to_superuser(staff_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_superuser"] = "1"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": staffuser.pk}),
        data=form_data,
    )

    staffuser.refresh_from_db()
    assert not staffuser.is_superuser


def test_staff_user_cannot_degrade_themselves_to_regular_user(staff_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data.pop("is_staff")

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": staffuser.pk}),
        data=form_data,
    )

    staffuser.refresh_from_db()
    assert staffuser.is_staff


def test_superuser_cannot_degrade_themselves_to_staff_user(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk}),
        data=form_data,
    )

    superuser.refresh_from_db()
    assert superuser.is_superuser


def test_superuser_cannot_degrade_themselves_to_regular_user(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data.pop("is_staff")
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk}),
        data=form_data,
    )

    superuser.refresh_from_db()
    assert superuser.is_staff
    assert superuser.is_superuser


def test_superuser_can_degrade_other_superuser_to_staff_user(
    admin_client, other_superuser
):
    form_data = get_default_edit_form_data(other_superuser)
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert other_superuser.is_staff
    assert not other_superuser.is_superuser


def test_superuser_can_degrade_other_superuser_to_regular_user(
    admin_client, other_superuser
):
    form_data = get_default_edit_form_data(other_superuser)
    form_data.pop("is_staff")
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert not other_superuser.is_staff
    assert not other_superuser.is_superuser


def test_superuser_can_promote_to_staff_user_to_superuser(admin_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_superuser"] = "1"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": staffuser.pk}),
        data=form_data,
    )

    staffuser.refresh_from_db()
    assert staffuser.is_staff
    assert staffuser.is_superuser


def test_superuser_can_promote_to_regular_user_to_staff_user(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_staff"] = "1"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.is_staff
    assert not user.is_superuser


def test_superuser_can_promote_to_regular_user_to_superuser(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_staff"] = "1"
    form_data["is_superuser"] = "1"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.is_staff
    assert user.is_superuser


def test_superuser_can_disable_other_superuser_account(admin_client, other_superuser):
    form_data = get_default_edit_form_data(other_superuser)
    form_data["is_active"] = "0"
    form_data["is_active_staff_message"] = "Test message"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert not other_superuser.is_active
    assert other_superuser.is_active_staff_message == "Test message"


def test_superuser_can_reactivate_other_superuser_account(
    admin_client, other_superuser
):
    other_superuser.is_active = False
    other_superuser.save()

    form_data = get_default_edit_form_data(other_superuser)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert other_superuser.is_active


def test_superuser_can_disable_staff_user_account(admin_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_active"] = "0"
    form_data["is_active_staff_message"] = "Test message"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": staffuser.pk}),
        data=form_data,
    )

    staffuser.refresh_from_db()
    assert not staffuser.is_active
    assert staffuser.is_active_staff_message == "Test message"


def test_superuser_can_reactivate_staff_user_account(admin_client, staffuser):
    staffuser.is_active = False
    staffuser.save()

    form_data = get_default_edit_form_data(staffuser)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": staffuser.pk}),
        data=form_data,
    )

    staffuser.refresh_from_db()
    assert staffuser.is_active


def test_superuser_can_disable_regular_user_account(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "0"
    form_data["is_active_staff_message"] = "Test message"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert not user.is_active
    assert user.is_active_staff_message == "Test message"


def test_superuser_can_reactivate_regular_user_account(admin_client, user):
    user.is_active = False
    user.save()

    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.is_active


def test_staff_user_can_disable_regular_user_account(staff_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert not user.is_active


def test_staff_user_can_reactivate_regular_user_account(staff_client, user):
    user.is_active = False
    user.save()

    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "1"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert user.is_active


def test_superuser_cant_disable_their_own_account(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["is_active"] = "0"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk}),
        data=form_data,
    )

    superuser.refresh_from_db()
    assert superuser.is_active


def test_staff_user_cant_disable_their_own_account(staff_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": staffuser.pk}),
        data=form_data,
    )

    staffuser.refresh_from_db()
    assert staffuser.is_active


def test_staff_user_cant_disable_superuser_account(staff_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": superuser.pk}),
        data=form_data,
    )

    superuser.refresh_from_db()
    assert superuser.is_active


def test_staff_user_cant_disable_other_staff_user_account(
    staff_client, other_staffuser
):
    form_data = get_default_edit_form_data(other_staffuser)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": other_staffuser.pk}),
        data=form_data,
    )

    other_staffuser.refresh_from_db()
    assert other_staffuser.is_active


def test_user_deleting_their_account_cant_be_reactivated(admin_client, user):
    user.mark_for_delete()

    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk}),
        data=form_data,
    )

    user.refresh_from_db()
    assert not user.is_active


def test_user_agreements_are_displayed_on_edit_form(admin_client, user):
    agreement = Agreement.objects.create(
        type=Agreement.TYPE_TOS,
        title="Test agreement!",
        text="Lorem ipsum!",
        is_active=True,
    )

    save_user_agreement_acceptance(user, agreement, commit=True)

    response = admin_client.get(
        reverse("misago:admin:users:accounts:edit", kwargs={"pk": user.pk})
    )
    assert_contains(response, agreement.title)