Misago/misago/users/admin/tests/test_users.py

import pytest
from django.contrib.auth import get_user_model
from django.urls import reverse

from ....acl.models import Role
from ....legal.models import Agreement
from ....legal.utils import save_user_agreement_acceptance
from ....test import assert_contains
from ...models import Rank
from ...utils import hash_email

User = get_user_model()


def test_link_is_registered_in_admin_nav(admin_client):
    response = admin_client.get(reverse("misago:admin:index"))
    assert_contains(response, reverse("misago:admin:users:index"))


def test_list_renders_with_item(admin_client, users_admin_link, superuser):
    response = admin_client.get(users_admin_link)
    assert_contains(response, superuser.username)


def test_new_user_form_renders(admin_client):
    response = admin_client.get(reverse("misago:admin:users:new"))
    assert response.status_code == 200


def test_new_user_can_be_created(admin_client):
    default_rank = Rank.objects.get_default()
    authenticated_role = Role.objects.get(special_role="authenticated")

    admin_client.post(
        reverse("misago:admin:users:new"),
        data={
            "username": "User",
            "rank": str(default_rank.pk),
            "roles": str(authenticated_role.pk),
            "email": "user@example.com",
            "new_password": "pass123",
            "staff_level": "0",
        },
    )

    user = User.objects.get_by_email("user@example.com")
    assert user.username == "User"
    assert user.rank == default_rank
    assert authenticated_role in user.roles.all()
    assert user.check_password("pass123")
    assert not user.is_staff
    assert not user.is_superuser


def test_new_user_can_be_created_with_whitespace_around_password(admin_client):
    default_rank = Rank.objects.get_default()
    authenticated_role = Role.objects.get(special_role="authenticated")

    admin_client.post(
        reverse("misago:admin:users:new"),
        data={
            "username": "User",
            "rank": str(default_rank.pk),
            "roles": str(authenticated_role.pk),
            "email": "user@example.com",
            "new_password": "  pass123  ",
            "staff_level": "0",
        },
    )

    user = User.objects.get_by_email("user@example.com")
    assert user.check_password("  pass123  ")


def test_new_user_creation_fails_because_user_was_not_given_authenticated_role(
    admin_client
):
    default_rank = Rank.objects.get_default()
    guest_role = Role.objects.get(special_role="anonymous")

    admin_client.post(
        reverse("misago:admin:users:new"),
        data={
            "username": "User",
            "rank": str(default_rank.pk),
            "roles": str(guest_role.pk),
            "email": "user@example.com",
            "new_password": "pass123",
            "staff_level": "0",
        },
    )

    with pytest.raises(User.DoesNotExist):
        User.objects.get_by_email("user@example.com")


def test_edit_user_form_renders(admin_client, user):
    response = admin_client.get(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk})
    )
    assert response.status_code == 200


def test_edit_user_form_renders_for_staff_user(staff_client, user):
    response = staff_client.get(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk})
    )
    assert response.status_code == 200


def test_edit_staff_form_renders_for_staff_user(staff_client, other_staffuser):
    response = staff_client.get(
        reverse("misago:admin:users:edit", kwargs={"pk": other_staffuser.pk})
    )
    assert response.status_code == 200


def test_edit_superuser_form_renders_for_staff_user(staff_client, superuser):
    response = staff_client.get(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk})
    )
    assert response.status_code == 200


def get_default_edit_form_data(user):
    default_rank = Rank.objects.get_default()
    authenticated_role = Role.objects.get(special_role="authenticated")
    data = {
        "username": user.username,
        "rank": str(user.rank_id),
        "roles": str(user.roles.all()[0].id),
        "email": user.email,
        "new_password": "",
        "signature": user.signature,
        "is_signature_locked": str(user.is_signature_locked),
        "is_hiding_presence": str(user.is_hiding_presence),
        "limits_private_thread_invites_to": str(user.limits_private_thread_invites_to),
        "signature_lock_staff_message": str(user.signature_lock_staff_message or ""),
        "signature_lock_user_message": str(user.signature_lock_user_message or ""),
        "subscribe_to_started_threads": str(user.subscribe_to_started_threads),
        "subscribe_to_replied_threads": str(user.subscribe_to_replied_threads),
        "is_active": "1",
    }

    if user.is_staff:
        data["is_staff"] = "1"
    if user.is_superuser:
        data["is_superuser"] = "1"

    return data


def test_edit_form_changes_user_username(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["username"] = "NewUsername"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.username == "NewUsername"
    assert user.slug == "newusername"


def test_editing_user_username_creates_entry_in_username_history(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["username"] = "NewUsername"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    assert user.namechanges.exists()


def test_not_editing_user_username_doesnt_create_entry_in_username_history(
    admin_client, user
):
    form_data = get_default_edit_form_data(user)

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    assert not user.namechanges.exists()


def test_edit_form_changes_user_email(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["email"] = "edited@example.com"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.email == "edited@example.com"
    assert user.email_hash == hash_email("edited@example.com")


def test_edit_form_doesnt_remove_current_user_password_if_new_password_is_omitted(
    admin_client, user, user_password
):
    form_data = get_default_edit_form_data(user)

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.check_password(user_password)


def test_edit_form_displays_message_for_user_with_unusable_password(
    admin_client, user, user_password
):
    user.set_password(None)
    user.save()

    response = admin_client.get(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk})
    )

    assert_contains(response, "alert-has-unusable-password")


def test_edit_form_doesnt_set_password_for_user_with_unusable_password_if_none_is_given(
    admin_client, user, user_password
):
    user.set_password(None)
    user.save()

    form_data = get_default_edit_form_data(user)

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert not user.has_usable_password()


def test_edit_form_sets_password_for_user_with_unusable_password(
    admin_client, user, user_password
):
    user.set_password(None)
    user.save()

    form_data = get_default_edit_form_data(user)
    form_data["new_password"] = user_password

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.check_password(user_password)


def test_edit_form_changes_user_password(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["new_password"] = "newpassword123"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.check_password("newpassword123")


def test_edit_form_preserves_whitespace_in_new_user_password(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["new_password"] = "  newpassword123  "

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.check_password("  newpassword123  ")


def test_admin_editing_their_own_password_is_not_logged_out(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["new_password"] = "newpassword123"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk}), data=form_data
    )

    user = admin_client.get("/api/auth/")
    assert user.json()["id"] == superuser.id


def test_staff_user_cannot_degrade_superuser_to_staff_user(staff_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["is_staff"] = "1"
    form_data.pop("is_superuser")

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk}), data=form_data
    )

    superuser.refresh_from_db()
    assert superuser.is_staff
    assert superuser.is_superuser


def test_staff_user_cannot_degrade_superuser_to_regular_user(staff_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data.pop("is_staff")
    form_data.pop("is_superuser")

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk}), data=form_data
    )

    superuser.refresh_from_db()
    assert superuser.is_staff
    assert superuser.is_superuser


def test_staff_user_cannot_promote_other_staff_user_to_superuser(
    staff_client, other_staffuser
):
    form_data = get_default_edit_form_data(other_staffuser)
    form_data["is_staff"] = "1"
    form_data["is_superuser"] = "1"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": other_staffuser.pk}),
        data=form_data,
    )

    other_staffuser.refresh_from_db()
    assert other_staffuser.is_staff
    assert not other_staffuser.is_superuser


def test_staff_user_cannot_promote_regular_user_to_staff(staff_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_staff"] = "1"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert not user.is_staff


def test_staff_user_cannot_promote_regular_user_to_superuser(staff_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_superuser"] = "1"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert not user.is_superuser


def test_staff_user_cannot_promote_themselves_to_superuser(staff_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_superuser"] = "1"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": staffuser.pk}), data=form_data
    )

    staffuser.refresh_from_db()
    assert not staffuser.is_superuser


def test_staff_user_cannot_degrade_themselves_to_regular_user(staff_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data.pop("is_staff")

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": staffuser.pk}), data=form_data
    )

    staffuser.refresh_from_db()
    assert staffuser.is_staff


def test_superuser_cannot_degrade_themselves_to_staff_user(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk}), data=form_data
    )

    superuser.refresh_from_db()
    assert superuser.is_superuser


def test_superuser_cannot_degrade_themselves_to_regular_user(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data.pop("is_staff")
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk}), data=form_data
    )

    superuser.refresh_from_db()
    assert superuser.is_staff
    assert superuser.is_superuser


def test_superuser_can_degrade_other_superuser_to_staff_user(
    admin_client, other_superuser
):
    form_data = get_default_edit_form_data(other_superuser)
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert other_superuser.is_staff
    assert not other_superuser.is_superuser


def test_superuser_can_degrade_other_superuser_to_regular_user(
    admin_client, other_superuser
):
    form_data = get_default_edit_form_data(other_superuser)
    form_data.pop("is_staff")
    form_data.pop("is_superuser")

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert not other_superuser.is_staff
    assert not other_superuser.is_superuser


def test_superuser_can_promote_to_staff_user_to_superuser(admin_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_superuser"] = "1"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": staffuser.pk}), data=form_data
    )

    staffuser.refresh_from_db()
    assert staffuser.is_staff
    assert staffuser.is_superuser


def test_superuser_can_promote_to_regular_user_to_staff_user(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_staff"] = "1"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.is_staff
    assert not user.is_superuser


def test_superuser_can_promote_to_regular_user_to_superuser(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_staff"] = "1"
    form_data["is_superuser"] = "1"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.is_staff
    assert user.is_superuser


def test_superuser_can_disable_other_superuser_account(admin_client, other_superuser):
    form_data = get_default_edit_form_data(other_superuser)
    form_data["is_active"] = "0"
    form_data["is_active_staff_message"] = "Test message"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert not other_superuser.is_active
    assert other_superuser.is_active_staff_message == "Test message"


def test_superuser_can_reactivate_other_superuser_account(
    admin_client, other_superuser
):
    other_superuser.is_active = False
    other_superuser.save()

    form_data = get_default_edit_form_data(other_superuser)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": other_superuser.pk}),
        data=form_data,
    )

    other_superuser.refresh_from_db()
    assert other_superuser.is_active


def test_superuser_can_disable_staff_user_account(admin_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_active"] = "0"
    form_data["is_active_staff_message"] = "Test message"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": staffuser.pk}), data=form_data
    )

    staffuser.refresh_from_db()
    assert not staffuser.is_active
    assert staffuser.is_active_staff_message == "Test message"


def test_superuser_can_reactivate_staff_user_account(admin_client, staffuser):
    staffuser.is_active = False
    staffuser.save()

    form_data = get_default_edit_form_data(staffuser)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": staffuser.pk}), data=form_data
    )

    staffuser.refresh_from_db()
    assert staffuser.is_active


def test_superuser_can_disable_regular_user_account(admin_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "0"
    form_data["is_active_staff_message"] = "Test message"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert not user.is_active
    assert user.is_active_staff_message == "Test message"


def test_superuser_can_reactivate_regular_user_account(admin_client, user):
    user.is_active = False
    user.save()

    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.is_active


def test_staff_user_can_disable_regular_user_account(staff_client, user):
    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert not user.is_active


def test_staff_user_can_reactivate_regular_user_account(staff_client, user):
    user.is_active = False
    user.save()

    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "1"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert user.is_active


def test_superuser_cant_disable_their_own_account(admin_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["is_active"] = "0"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk}), data=form_data
    )

    superuser.refresh_from_db()
    assert superuser.is_active


def test_staff_user_cant_disable_their_own_account(staff_client, staffuser):
    form_data = get_default_edit_form_data(staffuser)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": staffuser.pk}), data=form_data
    )

    staffuser.refresh_from_db()
    assert staffuser.is_active


def test_staff_user_cant_disable_superuser_account(staff_client, superuser):
    form_data = get_default_edit_form_data(superuser)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": superuser.pk}), data=form_data
    )

    superuser.refresh_from_db()
    assert superuser.is_active


def test_staff_user_cant_disable_other_staff_user_account(
    staff_client, other_staffuser
):
    form_data = get_default_edit_form_data(other_staffuser)
    form_data["is_active"] = "0"

    staff_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": other_staffuser.pk}),
        data=form_data,
    )

    other_staffuser.refresh_from_db()
    assert other_staffuser.is_active


def test_user_deleting_their_account_cant_be_reactivated(admin_client, user):
    user.mark_for_delete()

    form_data = get_default_edit_form_data(user)
    form_data["is_active"] = "1"

    admin_client.post(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk}), data=form_data
    )

    user.refresh_from_db()
    assert not user.is_active


def test_user_agreements_are_displayed_on_edit_form(admin_client, user):
    agreement = Agreement.objects.create(
        type=Agreement.TYPE_TOS,
        title="Test agreement!",
        text="Lorem ipsum!",
        is_active=True,
    )

    save_user_agreement_acceptance(user, agreement, commit=True)

    response = admin_client.get(
        reverse("misago:admin:users:edit", kwargs={"pk": user.pk})
    )
    assert_contains(response, agreement.title)