From c2369bdfe4f46b4b5bd3686750bad01fb62e701e Mon Sep 17 00:00:00 2001 From: Bauke Date: Fri, 31 Jan 2025 19:30:02 +0000 Subject: [PATCH] Disallow a user from banning themselves. Closes tildes-community/tildes-cf#9 See merge request tildes-community/tildes-cf!12 --- tildes/tests/conftest.py | 36 +++++++++++++++++++++++- tildes/tests/webtests/test_admin_user.py | 18 ++++++++++++ tildes/tildes/models/user/user.py | 1 + 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 tildes/tests/webtests/test_admin_user.py diff --git a/tildes/tests/conftest.py b/tildes/tests/conftest.py index fe87bda..52c6768 100644 --- a/tildes/tests/conftest.py +++ b/tildes/tests/conftest.py @@ -15,8 +15,9 @@ from testing.redis import RedisServer from webtest import TestApp from scripts.initialize_db import create_tables +from tildes.enums import UserPermission from tildes.models.group import Group -from tildes.models.user import User +from tildes.models.user import User, UserPermissions # include the fixtures defined in fixtures.py @@ -172,6 +173,25 @@ def session_user2(sdb): yield user +@fixture(scope="session", autouse=True) +def session_admin_user(sdb): + """Create a third user named 'AdminUser' in the db for test session. + + This user is granted all available user permissions. + """ + user = User("AdminUser", "admin user password") + for permission in UserPermission: + user_permission = UserPermissions() + user_permission.user = user + user_permission.permission = permission + sdb.add(user_permission) + + sdb.add(user) + sdb.commit() + + yield user + + @fixture(scope="session", autouse=True) def session_group(sdb): """Create a group named 'sessiongroup' in the db for test session.""" @@ -220,6 +240,20 @@ def webtest(base_app): yield app +@fixture(scope="session") +def webtest_admin(base_app): + """Create a webtest TestApp and log in as the AdminUser account in it.""" + app = TestApp(base_app, extra_environ=WEBTEST_EXTRA_ENVIRON) + + # fetch the login page, fill in the form, and submit it (sets the cookie) + login_page = app.get("/login") + login_page.form["username"] = "AdminUser" + login_page.form["password"] = "admin user password" + login_page.form.submit() + + yield app + + @fixture(scope="function") def webtest_loggedout(base_app): """Create a logged-out webtest TestApp (function scope, so no state is retained).""" diff --git a/tildes/tests/webtests/test_admin_user.py b/tildes/tests/webtests/test_admin_user.py new file mode 100644 index 0000000..373f7b7 --- /dev/null +++ b/tildes/tests/webtests/test_admin_user.py @@ -0,0 +1,18 @@ +# Copyright (c) 2025 Tildes contributors +# SPDX-License-Identifier: AGPL-3.0-or-later + + +def test_ban_button_hidden_from_self(webtest_admin): + """Test that the Ban button is hidden on a user's own profile.""" + profile = webtest_admin.get("/user/AdminUser") + assert profile.status_int == 200 + assert profile.text.count("Ban user") == 0 + assert profile.text.count("Unban user") == 0 + + +def test_ban_button_shown_for_other_user(webtest_admin): + """Test that the Ban button is shown on a different user's profile.""" + profile = webtest_admin.get("/user/SessionUser") + assert profile.status_int == 200 + assert profile.text.count("Ban user") > 0 + assert profile.text.count("Unban user") == 0 diff --git a/tildes/tildes/models/user/user.py b/tildes/tildes/models/user/user.py index eea2d91..b6221c7 100644 --- a/tildes/tildes/models/user/user.py +++ b/tildes/tildes/models/user/user.py @@ -213,6 +213,7 @@ class User(DatabaseModel): if self.is_deleted: acl.append((Deny, Everyone, "ban")) + acl.append((Deny, self.user_id, "ban")) acl.append((Allow, "*:user.ban", "ban")) # view_removed_posts: