# -*- coding: utf-8 -*- # Copyright (C) 2010-2018 RhodeCode GmbH # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License, version 3 # (only), as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # # This program is dual-licensed. If you wish to learn more about the # RhodeCode Enterprise Edition, including its added features, Support services, # and proprietary license terms, please see https://rhodecode.com/licenses/ import pytest from rhodecode.model.db import UserGroup, User from rhodecode.model.meta import Session from rhodecode.tests import ( TestController, TEST_USER_REGULAR_LOGIN, assert_session_flash) from rhodecode.tests.fixture import Fixture fixture = Fixture() def route_path(name, params=None, **kwargs): import urllib from rhodecode.apps._base import ADMIN_PREFIX base_url = { 'user_groups': ADMIN_PREFIX + '/user_groups', 'user_groups_data': ADMIN_PREFIX + '/user_groups_data', 'user_group_members_data': ADMIN_PREFIX + '/user_groups/{user_group_id}/members', 'user_groups_new': ADMIN_PREFIX + '/user_groups/new', 'user_groups_create': ADMIN_PREFIX + '/user_groups/create', 'edit_user_group': ADMIN_PREFIX + '/user_groups/{user_group_id}/edit', }[name].format(**kwargs) if params: base_url = '{}?{}'.format(base_url, urllib.urlencode(params)) return base_url class TestAdminUserGroupsView(TestController): def test_show_users(self): self.log_user() self.app.get(route_path('user_groups')) def test_show_user_groups_data(self, xhr_header): self.log_user() response = self.app.get(route_path( 'user_groups_data'), extra_environ=xhr_header) all_user_groups = UserGroup.query().count() assert response.json['recordsTotal'] == all_user_groups def test_show_user_groups_data_filtered(self, xhr_header): self.log_user() response = self.app.get(route_path( 'user_groups_data', params={'search[value]': 'empty_search'}), extra_environ=xhr_header) all_user_groups = UserGroup.query().count() assert response.json['recordsTotal'] == all_user_groups assert response.json['recordsFiltered'] == 0 def test_usergroup_escape(self, user_util, xhr_header): self.log_user() xss_img = '<img src="/image1" onload="alert(\'Hello, World!\');">' user = user_util.create_user() user.name = xss_img user.lastname = xss_img Session().add(user) Session().commit() user_group = user_util.create_user_group() user_group.users_group_name = xss_img user_group.user_group_description = '<strong onload="alert();">DESC</strong>' response = self.app.get( route_path('user_groups_data'), extra_environ=xhr_header) response.mustcontain( '<strong onload="alert();">DESC</strong>') response.mustcontain( '<img src="/image1" onload="' 'alert('Hello, World!');">') def test_edit_user_group_autocomplete_empty_members(self, xhr_header, user_util): self.log_user() ug = user_util.create_user_group() response = self.app.get( route_path('user_group_members_data', user_group_id=ug.users_group_id), extra_environ=xhr_header) assert response.json == {'members': []} def test_edit_user_group_autocomplete_members(self, xhr_header, user_util): self.log_user() members = [u.user_id for u in User.get_all()] ug = user_util.create_user_group(members=members) response = self.app.get( route_path('user_group_members_data', user_group_id=ug.users_group_id), extra_environ=xhr_header) assert len(response.json['members']) == len(members) def test_creation_page(self): self.log_user() self.app.get(route_path('user_groups_new'), status=200) def test_create(self): from rhodecode.lib import helpers as h self.log_user() users_group_name = 'test_user_group' response = self.app.post(route_path('user_groups_create'), { 'users_group_name': users_group_name, 'user_group_description': 'DESC', 'active': True, 'csrf_token': self.csrf_token}) user_group_id = UserGroup.get_by_group_name( users_group_name).users_group_id user_group_link = h.link_to( users_group_name, route_path('edit_user_group', user_group_id=user_group_id)) assert_session_flash( response, 'Created user group %s' % user_group_link) fixture.destroy_user_group(users_group_name) def test_create_with_empty_name(self): self.log_user() response = self.app.post(route_path('user_groups_create'), { 'users_group_name': '', 'user_group_description': 'DESC', 'active': True, 'csrf_token': self.csrf_token}, status=200) response.mustcontain('Please enter a value') def test_create_duplicate(self, user_util): self.log_user() user_group = user_util.create_user_group() duplicate_name = user_group.users_group_name response = self.app.post(route_path('user_groups_create'), { 'users_group_name': duplicate_name, 'user_group_description': 'DESC', 'active': True, 'csrf_token': self.csrf_token}, status=200) response.mustcontain( 'User group `{}` already exists'.format(duplicate_name))