Diffstat (limited to 'ihatemoney/tests')
-rw-r--r--ihatemoney/tests/tests.py31
1 files changed, 28 insertions, 3 deletions
diff --git a/ihatemoney/tests/tests.py b/ihatemoney/tests/tests.py
index ac3551c..36ca6fc 100644
--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@@ -379,8 +379,17 @@ class BudgetTestCase(IhatemoneyTestCase):
c.get("/exit")
self.assertNotIn('raclette', session)
+ # test that whith admin credentials, one can access every project
+ self.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
+ with self.app.test_client() as c:
+ resp = c.post("/admin?goto=%2Fraclette", data={'admin_password': 'pass'})
+ self.assertNotIn("Authentication", resp.data.decode('utf-8'))
+ self.assertTrue(session['is_admin'])
+
def test_admin_authentication(self):
self.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
+ # Disable public project creation so we have an admin endpoint to test
+ self.app.config['ALLOW_PUBLIC_PROJECT_CREATION'] = False
# test the redirection to the authentication page when trying to access admin endpoints
resp = self.client.get("/create")
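Review bot: The added admin-access check does not prove that the admin can actually reach the project, because the `c.post("/admin?goto=%2Fraclette", ...)` call does not follow the redirect. If `/admin` answers a successful login with a redirect (the dashboard test in this commit passes `follow_redirects=True`, which suggests it does), `resp.data` is only the redirect body, so `assertNotIn("Authentication", ...)` passes whether or not `/raclette` is served. I would write the call as `resp = c.post("/admin?goto=%2Fraclette", data={'admin_password': 'pass'}, follow_redirects=True)` and assert on something only the project page renders. The enclosing test method starts above this hunk, so I cannot see whether the `raclette` project is created beforehand.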
@@ -401,7 +410,8 @@ class BudgetTestCase(IhatemoneyTestCase):
def test_login_throttler(self):
self.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
- # Authenticate 3 times with a wrong passsword
+ # Activate admin login throttling by authenticating 4 times with a wrong passsword
+ self.client.post("/admin?goto=%2Fcreate", data={'admin_password': 'wrong'})
self.client.post("/admin?goto=%2Fcreate", data={'admin_password': 'wrong'})
self.client.post("/admin?goto=%2Fcreate", data={'admin_password': 'wrong'})
resp = self.client.post("/admin?goto=%2Fcreate", data={'admin_password': 'wrong'})
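Review bot: Every attempt in `test_login_throttler` uses a wrong password, so as far as the visible lines show, the test never checks that the correct password is also refused while the throttle is active. A throttler that only changes the error message for bad guesses would still pass; once the limit is hit I would add `resp = self.client.post("/admin?goto=%2Fcreate", data={'admin_password': 'pass'})` and assert that this response is the throttling one too. The four identical posts also hard-code the throttler's threshold; a loop over a named count, with a comment saying where the limit is defined, would make the coupling explicit. The assertions of this test lie below the hunk, so part of this may already be covered there.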
@@ -624,8 +634,23 @@ class BudgetTestCase(IhatemoneyTestCase):
self.assertIn("Invalid email address", resp.data.decode('utf-8'))
def test_dashboard(self):
- response = self.client.get("/dashboard")
- self.assertEqual(response.status_code, 200)
+ # test that the dashboard is deactivated by default
+ resp = self.client.post(
+ "/admin?goto=%2Fdashboard",
+ data={'admin_password': 'adminpass'},
+ follow_redirects=True
+ )
+ self.assertIn('<div class="alert alert-danger">', resp.data.decode('utf-8'))
+
+ # test access to the dashboard when it is activated
+ self.app.config['ACTIVATE_ADMIN_DASHBOARD'] = True
+ self.app.config['ADMIN_PASSWORD'] = generate_password_hash("adminpass")
+ resp = self.client.post(
+ "/admin?goto=%2Fdashboard",
+ data={'admin_password': 'adminpass'},
+ follow_redirects=True
+ )
+ self.assertIn('<thead><tr><th>Project</th><th>Number of members', resp.data.decode('utf-8'))
def test_statistics_page(self):
self.post_project("raclette")
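Review bot: The first half of `test_dashboard` cannot distinguish "dashboard deactivated" from "login failed", because `ADMIN_PASSWORD` is only set after the first post and the assertion matches any `alert-danger` block. The test also no longer has a case where a client that never authenticated requests `/dashboard`; the removed lines did that and expected a 200, and the new code never asserts the opposite. I would set the admin password before the first login and add an anonymous request against the activated dashboard that must not return the project table, as sketched below. How the application words each refusal is not visible here, so asserting on the specific message rather than the generic alert class is left to whoever knows the templates.

```python
def test_dashboard(self):
    # Set the admin password before the first login so that the refusal
    # asserted below can only be caused by the deactivated dashboard
    self.app.config['ADMIN_PASSWORD'] = generate_password_hash("adminpass")
    # … unchanged: deactivated-by-default post and alert-danger assertion …

    self.app.config['ACTIVATE_ADMIN_DASHBOARD'] = True
    # a client that never logged in must not get the project table
    with self.app.test_client() as anonymous:
        resp = anonymous.get("/dashboard", follow_redirects=True)
        self.assertNotIn('<thead><tr><th>Project</th>', resp.data.decode('utf-8'))
    # … unchanged: activated post and table-header assertion …
```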