author0livd <0livd@users.noreply.github.com>2017-05-18 10:48:09 +0100
committerAlexis Metaireau <alexis@notmyidea.org>2017-05-18 11:48:09 +0200
commitea8eda35a7bd831964c38b38cc9a5b19bcb44d6a (patch)
tree5a5efbe2523a1f8f84aec65c298a9b4fd6a9421e /budget/tests
parent091553be566d97816ed898207b56d2694eb2efdd (diff)
Public project creation and admin permissions (#210)
* Add a @requires_admin decorator. It can be used to protect specific endpoints with ADMIN_PASSWORD (a password that is stored unencrypted in the settings). The decorator has no effect if ADMIN_PASSWORD is an empty string (the default value).
* Require admin permissions to access the create project endpoint. When ADMIN_PASSWORD is not empty, the project creation form on the home page will be replaced by a link to the create project endpoint, so that one is able to enter the admin password before filling in the form.
Diffstat (limited to 'budget/tests')
-rw-r--r--budget/tests/tests.py21
1 files changed, 21 insertions, 0 deletions
diff --git a/budget/tests/tests.py b/budget/tests/tests.py
index e18e9c3..a1cedfa 100644
--- a/budget/tests/tests.py
+++ b/budget/tests/tests.py
@@ -44,6 +44,8 @@ class TestCase(unittest.TestCase):
# clean after testing
models.db.session.remove()
models.db.drop_all()
+ # reconfigure app with default settings
+ run.configure()
def login(self, project, password=None, test_client=None):
password = password or project
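Review bot: The added `run.configure()` sits after `models.db.session.remove()` and `models.db.drop_all()`, so an exception in either of them skips the reset and a test-set `ADMIN_PASSWORD` leaks into later tests. Registering the reset in setUp with `self.addCleanup(run.configure)` would run it regardless of how the rest of the teardown goes. Whether `run.configure()` actually overwrites keys assigned directly on `run.app.config` cannot be seen from this hunk and is worth confirming. The enclosing teardown method starts outside the hunk.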
@@ -373,6 +375,25 @@ class BudgetTestCase(TestCase):
c.get("/exit")
self.assertNotIn('raclette', session)
+ def test_admin_authentication(self):
+ run.app.config['ADMIN_PASSWORD'] = "pass"
+
+ # test the redirection to the authentication page when trying to access admin endpoints
+ resp = self.app.get("/create")
+ self.assertIn('<a href="/admin?goto=%2Fcreate">', resp.data.decode('utf-8'))
+
+ # test right password
+ resp = self.app.post("/admin?goto=%2Fcreate", data={'admin_password': 'pass'})
+ self.assertIn('<a href="/create">/create</a>', resp.data.decode('utf-8'))
+
+ # test wrong password
+ resp = self.app.post("/admin?goto=%2Fcreate", data={'admin_password': 'wrong'})
+ self.assertNotIn('<a href="/create">/create</a>', resp.data.decode('utf-8'))
+
+ # test empty password
+ resp = self.app.post("/admin?goto=%2Fcreate", data={'admin_password': ''})
+ self.assertNotIn('<a href="/create">/create</a>', resp.data.decode('utf-8'))
+
def test_manage_bills(self):
self.post_project("raclette")
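Review bot: The wrong-password and empty-password cases in test_admin_authentication run after the successful login on the same `self.app` client. If that client keeps cookies (its setup is outside the hunk), they are exercised with an already-authenticated session, and they only assert that the `/create` link is missing from the POST response. Moving them before the right-password case and following each with `resp = self.app.get("/create")` and `self.assertIn('<a href="/admin?goto=%2Fcreate">', resp.data.decode('utf-8'))` would show that a failed attempt grants nothing. `goto` is also tested only with a local path; the response appears to link to whatever `goto` holds, so a case with an absolute off-site value, asserting it is not used as the redirect target, would cover redirect validation. There is also no case for the default empty `ADMIN_PASSWORD`, where the description says the decorator has no effect.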