151 lines
4.7 KiB
Python
151 lines
4.7 KiB
Python
import pytest
|
|
from fastapi import status
|
|
|
|
|
|
def test_create_user(client, auth_headers):
|
|
"""Test creating a new user."""
|
|
user_data = {
|
|
"name": "newuser",
|
|
"email": "newuser@example.com",
|
|
"is_admin": False,
|
|
"password": "newpassword123"
|
|
}
|
|
|
|
response = client.post("/users/", json=user_data, headers=auth_headers)
|
|
assert response.status_code == 200
|
|
|
|
data = response.json()
|
|
assert data["name"] == "newuser"
|
|
assert data["email"] == "newuser@example.com"
|
|
assert data["is_admin"] is False
|
|
assert "id" in data
|
|
assert "passwordhash" not in data # Password hash should not be in response
|
|
|
|
|
|
def test_create_user_unauthorized(client):
|
|
"""Test creating a user without admin credentials."""
|
|
user_data = {
|
|
"name": "unauthorized_user",
|
|
"email": "unauthorized@example.com",
|
|
"password": "password123"
|
|
}
|
|
|
|
response = client.post("/users/", json=user_data)
|
|
assert response.status_code == 401
|
|
|
|
|
|
def test_get_users(client, auth_headers, admin_user, regular_user):
|
|
"""Test retrieving all users."""
|
|
response = client.get("/users/", headers=auth_headers)
|
|
assert response.status_code == 200
|
|
|
|
users = response.json()
|
|
assert len(users) >= 2 # At least admin_user and regular_user
|
|
|
|
user_names = [user["name"] for user in users]
|
|
assert admin_user.name in user_names
|
|
assert regular_user.name in user_names
|
|
|
|
|
|
def test_get_user_by_id(client, auth_headers, regular_user):
|
|
"""Test retrieving a specific user by ID."""
|
|
response = client.get(f"/users/{regular_user.id}", headers=auth_headers)
|
|
assert response.status_code == 200
|
|
|
|
data = response.json()
|
|
assert data["id"] == regular_user.id
|
|
assert data["name"] == regular_user.name
|
|
|
|
|
|
def test_get_nonexistent_user(client, auth_headers):
|
|
"""Test retrieving a non-existent user."""
|
|
response = client.get("/users/99999", headers=auth_headers)
|
|
assert response.status_code == 404
|
|
assert "not found" in response.json()["detail"].lower()
|
|
|
|
|
|
def test_update_user(client, auth_headers, regular_user):
|
|
"""Test updating a user."""
|
|
update_data = {
|
|
"name": "updated_name",
|
|
"email": "updated@example.com"
|
|
}
|
|
|
|
response = client.patch(
|
|
f"/users/{regular_user.id}",
|
|
json=update_data,
|
|
headers=auth_headers
|
|
)
|
|
assert response.status_code == 200
|
|
|
|
data = response.json()
|
|
assert data["name"] == "updated_name"
|
|
assert data["email"] == "updated@example.com"
|
|
# Unchanged fields should remain the same
|
|
assert data["is_admin"] == regular_user.is_admin
|
|
|
|
|
|
def test_update_user_password(client, auth_headers, regular_user):
|
|
"""Test updating a user's password."""
|
|
update_data = {
|
|
"password": "new_password_456"
|
|
}
|
|
|
|
response = client.patch(
|
|
f"/users/{regular_user.id}",
|
|
json=update_data,
|
|
headers=auth_headers
|
|
)
|
|
assert response.status_code == 200
|
|
|
|
# Verify password can be used for login
|
|
login_response = client.post(
|
|
"/token",
|
|
data={"username": regular_user.name, "password": "new_password_456"}
|
|
)
|
|
assert login_response.status_code == 200
|
|
|
|
|
|
def test_update_nonexistent_user(client, auth_headers):
|
|
"""Test updating a non-existent user."""
|
|
update_data = {"name": "updated"}
|
|
response = client.patch("/users/99999", json=update_data, headers=auth_headers)
|
|
assert response.status_code == 404
|
|
|
|
|
|
def test_delete_user(client, auth_headers, regular_user):
|
|
"""Test deleting a user."""
|
|
response = client.delete(f"/users/{regular_user.id}", headers=auth_headers)
|
|
assert response.status_code == 200
|
|
assert "deleted successfully" in response.json()["message"].lower()
|
|
|
|
# Verify user is deleted
|
|
response = client.get(f"/users/{regular_user.id}", headers=auth_headers)
|
|
assert response.status_code == 404
|
|
|
|
|
|
def test_delete_nonexistent_user(client, auth_headers):
|
|
"""Test deleting a non-existent user."""
|
|
response = client.delete("/users/99999", headers=auth_headers)
|
|
assert response.status_code == 404
|
|
|
|
|
|
def test_user_operations_by_non_admin(client, user_auth_headers):
|
|
"""Test that non-admin users cannot perform admin operations."""
|
|
# Try to create a user
|
|
response = client.post(
|
|
"/users/",
|
|
json={"name": "test", "password": "pass"},
|
|
headers=user_auth_headers
|
|
)
|
|
assert response.status_code == 403
|
|
|
|
# Try to get users
|
|
response = client.get("/users/", headers=user_auth_headers)
|
|
assert response.status_code == 403
|
|
|
|
# Try to delete the admin user (if ID is known)
|
|
# This would require knowing the admin user ID
|
|
# response = client.delete(f"/users/{admin_id}", headers=user_auth_headers)
|
|
# assert response.status_code == 403
|