feat(admin): Add group admin and test for admin views
This commit is contained in:
@@ -6,11 +6,13 @@ from starlette import status
|
||||
from starlette.responses import RedirectResponse
|
||||
|
||||
from allmende_payment_system.api.dependencies import SessionDep, UserDep
|
||||
from allmende_payment_system.models import User, UserGroup
|
||||
from allmende_payment_system.models import Permission, User, UserGroup
|
||||
from allmende_payment_system.tools import get_jinja_renderer
|
||||
|
||||
admin_router = APIRouter(prefix="/admin")
|
||||
|
||||
# USERS
|
||||
|
||||
|
||||
@admin_router.get("/users")
|
||||
async def user_list(request: Request, session: SessionDep, user: UserDep):
|
||||
@@ -62,3 +64,95 @@ async def user_remove_group(
|
||||
print(user)
|
||||
user.user_groups.remove(group)
|
||||
return RedirectResponse(url="/admin/users", status_code=status.HTTP_303_SEE_OTHER)
|
||||
|
||||
|
||||
# GROUPS
|
||||
|
||||
|
||||
@admin_router.get("/groups")
|
||||
async def group_list(request: Request, session: SessionDep, user: UserDep):
|
||||
if not user.has_permission("user", "edit"):
|
||||
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
||||
|
||||
groups = session.scalars(select(UserGroup)).all()
|
||||
templates = get_jinja_renderer()
|
||||
return templates.TemplateResponse(
|
||||
"groups.html.jinja",
|
||||
context={"request": request, "groups": groups},
|
||||
)
|
||||
|
||||
|
||||
@admin_router.post("/groups/{group_id}/add_permission")
|
||||
async def group_add_permission(
|
||||
request: Request, session: SessionDep, user: UserDep, group_id: int
|
||||
):
|
||||
if not user.has_permission("user", "edit"):
|
||||
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
||||
|
||||
data = await request.form()
|
||||
scope_action = data["permission"].split(":")
|
||||
if len(scope_action) != 2:
|
||||
raise HTTPException(
|
||||
status_code=400, detail="Permission must be in the format 'scope:action'"
|
||||
)
|
||||
|
||||
permission = Permission(scope=scope_action[0], action=scope_action[1])
|
||||
group = session.execute(
|
||||
select(UserGroup).where(UserGroup.id == group_id)
|
||||
).scalar_one()
|
||||
|
||||
session.add(permission)
|
||||
group.permissions.append(permission)
|
||||
|
||||
return RedirectResponse(url="/admin/groups", status_code=status.HTTP_303_SEE_OTHER)
|
||||
|
||||
|
||||
@admin_router.get("/groups/{group_id}/remove_permission/{permission_id}")
|
||||
async def group_remove_permission(
|
||||
request: Request,
|
||||
session: SessionDep,
|
||||
user: UserDep,
|
||||
group_id: int,
|
||||
permission_id: int,
|
||||
):
|
||||
if not user.has_permission("user", "edit"):
|
||||
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
||||
|
||||
permission = session.execute(
|
||||
select(Permission).where(Permission.id == permission_id)
|
||||
).scalar_one()
|
||||
group = session.execute(
|
||||
select(UserGroup).where(UserGroup.id == group_id)
|
||||
).scalar_one()
|
||||
group.permissions.remove(permission)
|
||||
session.delete(permission)
|
||||
return RedirectResponse(url="/admin/groups", status_code=status.HTTP_303_SEE_OTHER)
|
||||
|
||||
|
||||
@admin_router.post("/groups/create")
|
||||
async def create_group(request: Request, session: SessionDep, user: UserDep):
|
||||
if not user.has_permission("user", "edit"):
|
||||
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
||||
|
||||
data = await request.form()
|
||||
group = UserGroup(name=data["name"], description=data["description"])
|
||||
session.add(group)
|
||||
|
||||
return RedirectResponse(url="/admin/groups", status_code=status.HTTP_303_SEE_OTHER)
|
||||
|
||||
|
||||
@admin_router.get("/groups/{group_id}/delete")
|
||||
async def delete_group(
|
||||
request: Request,
|
||||
session: SessionDep,
|
||||
user: UserDep,
|
||||
group_id: int,
|
||||
):
|
||||
if not user.has_permission("user", "edit"):
|
||||
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
||||
|
||||
group = session.execute(
|
||||
select(UserGroup).where(UserGroup.id == group_id)
|
||||
).scalar_one()
|
||||
session.delete(group)
|
||||
return RedirectResponse(url="/admin/groups", status_code=status.HTTP_303_SEE_OTHER)
|
||||
|
||||
@@ -35,6 +35,11 @@
|
||||
Nutzerverwaltung
|
||||
</a>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a href="/admin/groups" class="nav-link{% if request.url.path.startswith("/admin/groups")%} active{% endif %}">
|
||||
Gruppenverwaltung
|
||||
</a>
|
||||
</li>
|
||||
{% endif %}
|
||||
</ul>
|
||||
|
||||
|
||||
94
src/allmende_payment_system/templates/groups.html.jinja
Normal file
94
src/allmende_payment_system/templates/groups.html.jinja
Normal file
@@ -0,0 +1,94 @@
|
||||
{% extends "base.html.jinja" %}
|
||||
{% block content %}
|
||||
<div class="mb-4">
|
||||
<h2 class="h4 mb-3">Gruppen verwalten</h2>
|
||||
<button type="button" class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#createGroupModal">Neue Gruppe erstellen</button>
|
||||
</div>
|
||||
|
||||
<!-- Modal for creating new group -->
|
||||
<div class="modal fade" id="createGroupModal" tabindex="-1" aria-labelledby="createGroupModalLabel" aria-hidden="true">
|
||||
<div class="modal-dialog">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<h5 class="modal-title" id="createGroupModalLabel">Neue Gruppe erstellen</h5>
|
||||
<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
|
||||
</div>
|
||||
<form method="post" action="/admin/groups/create">
|
||||
<div class="modal-body">
|
||||
<div class="mb-3">
|
||||
<label for="groupName" class="form-label">Gruppenname</label>
|
||||
<input type="text" class="form-control" id="groupName" name="name" required>
|
||||
</div>
|
||||
<div class="mb-3">
|
||||
<label for="groupDescription" class="form-label">Beschreibung</label>
|
||||
<input type="text" class="form-control" id="groupDescription" name="description">
|
||||
</div>
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Abbrechen</button>
|
||||
<button type="submit" class="btn btn-primary">Erstellen</button>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
{% if groups|length == 0 %}
|
||||
<div class="alert alert-info">Keine Gruppen vorhanden.</div>
|
||||
{% else %}
|
||||
<div class="table-responsive">
|
||||
<table class="table align-middle">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>ID</th>
|
||||
<th>Name</th>
|
||||
<th>Beschreibung</th>
|
||||
<th></th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for group in groups %}
|
||||
<tr>
|
||||
<td>{{ group.id }}</td>
|
||||
<td>{{ group.name }}</td>
|
||||
<td>{{ group.description }}</td>
|
||||
<td>
|
||||
{% for permission in group.permissions %}
|
||||
<span class="badge bg-secondary me-1">{{ permission.scope }}:{{ permission.action }} <a class="btn btn-close btn-close-white ms-1" aria-label="Remove" href="/admin/groups/{{ group.id }}/remove_permission/{{ permission.id }}"></a></span>
|
||||
{% endfor %}
|
||||
</td>
|
||||
<td class="text-end">
|
||||
<button type="button" class="btn btn-sm btn-outline-primary me-1" data-bs-toggle="modal" data-bs-target="#addPermissionModal{{ group.id }}">Berechtigung hinzufügen</button>
|
||||
<a class="btn btn-danger tn-sm me-1" href="/admin/groups/{{ group.id }}/delete">Gruppe löschen</a>
|
||||
</td>
|
||||
</tr>
|
||||
<!-- Modal for adding permission -->
|
||||
<div class="modal fade" id="addPermissionModal{{ group.id }}" tabindex="-1" aria-labelledby="addPermissionModalLabel{{ group.id }}" aria-hidden="true">
|
||||
<div class="modal-dialog">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<h5 class="modal-title" id="addPermissionModalLabel{{ group.id }}">Berechtigung zu Gruppe hinzufügen</h5>
|
||||
<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
|
||||
</div>
|
||||
<form method="post" action="/admin/groups/{{ group.id }}/add_permission">
|
||||
<div class="modal-body">
|
||||
<div class="mb-3">
|
||||
<label for="permissionInput{{ group.id }}" class="form-label">Berechtigung eingeben</label>
|
||||
<input type="text" class="form-control" id="permissionInput{{ group.id }}" name="permission" placeholder="scope:action" required>
|
||||
</div>
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Abbrechen</button>
|
||||
<button type="submit" class="btn btn-primary">Hinzufügen</button>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% endfor %}
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
{% endif %}
|
||||
|
||||
{% endblock %}
|
||||
@@ -41,10 +41,23 @@ def get_test_session():
|
||||
app.dependency_overrides[get_session] = get_test_session
|
||||
|
||||
|
||||
class APSTestClient(TestClient):
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
def post(self, *args, user: str = "test", **kwargs):
|
||||
with mock.patch.dict(os.environ, {"APS_username": user}, clear=False):
|
||||
return super().post(*args, **kwargs)
|
||||
|
||||
def get(self, *args, user: str = "test", **kwargs):
|
||||
with mock.patch.dict(os.environ, {"APS_username": user}, clear=False):
|
||||
return super().get(*args, **kwargs)
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
def client():
|
||||
os.environ["APS_username"] = "test"
|
||||
return TestClient(app)
|
||||
return APSTestClient(app)
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
|
||||
130
test/test_admin.py
Normal file
130
test/test_admin.py
Normal file
@@ -0,0 +1,130 @@
|
||||
import pytest
|
||||
from fastapi.testclient import TestClient
|
||||
from sqlalchemy import select
|
||||
from sqlalchemy.orm import Session
|
||||
|
||||
from allmende_payment_system.app import app
|
||||
from allmende_payment_system.database import ensure_user
|
||||
from allmende_payment_system.models import Permission, User, UserGroup
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def admin_user(test_db):
|
||||
user_info = {"username": "admin", "display_name": "The Administrator"}
|
||||
user = ensure_user(user_info, test_db)
|
||||
|
||||
group = UserGroup(id=1, name="Admins")
|
||||
group.permissions.append(Permission(scope="user", action="edit"))
|
||||
user.user_groups.append(group)
|
||||
test_db.add(group)
|
||||
test_db.flush()
|
||||
return "admin"
|
||||
|
||||
|
||||
def test_user_add_group(test_db, client, admin_user):
|
||||
user_info = {"username": "test", "display_name": "Display Test"}
|
||||
user = ensure_user(user_info, test_db)
|
||||
|
||||
group = UserGroup(name="Bosses")
|
||||
test_db.add(group)
|
||||
test_db.flush()
|
||||
|
||||
assert 0 == len(user.user_groups)
|
||||
|
||||
response = client.post(
|
||||
f"/admin/users/{user.id}/add_group",
|
||||
data={"group_id": group.id},
|
||||
user=admin_user,
|
||||
follow_redirects=False,
|
||||
)
|
||||
assert response.status_code == 303
|
||||
|
||||
user = test_db.execute(select(User).where(User.username == "test")).scalar()
|
||||
assert 1 == len(user.user_groups)
|
||||
assert "Bosses" == user.user_groups[0].name
|
||||
|
||||
|
||||
def test_user_remove_group(test_db, client, admin_user):
|
||||
user_info = {"username": "test", "display_name": "Display Test"}
|
||||
user = ensure_user(user_info, test_db)
|
||||
|
||||
group = UserGroup(name="Bosses")
|
||||
test_db.add(group)
|
||||
user.user_groups.append(group)
|
||||
test_db.flush()
|
||||
|
||||
assert 1 == len(user.user_groups)
|
||||
|
||||
response = client.get(
|
||||
f"/admin/users/{user.id}/remove_group/{group.id}",
|
||||
user=admin_user,
|
||||
follow_redirects=False,
|
||||
)
|
||||
assert response.status_code == 303
|
||||
|
||||
user = test_db.execute(select(User).where(User.username == "test")).scalar()
|
||||
assert 0 == len(user.user_groups)
|
||||
|
||||
|
||||
def test_group_add_permission(test_db, client, admin_user):
|
||||
group = test_db.query(UserGroup).scalar()
|
||||
|
||||
response = client.post(
|
||||
f"/admin/groups/{group.id}/add_permission",
|
||||
data={"permission": "foo:bar"},
|
||||
user=admin_user,
|
||||
follow_redirects=False,
|
||||
)
|
||||
assert response.status_code == 303
|
||||
|
||||
group = test_db.execute(select(UserGroup).where(UserGroup.id == group.id)).scalar()
|
||||
assert any(
|
||||
perm.scope == "foo" and perm.action == "bar" for perm in group.permissions
|
||||
)
|
||||
|
||||
|
||||
def test_group_add_permission_illegal_format(test_db, client, admin_user):
|
||||
group = test_db.query(UserGroup).scalar()
|
||||
|
||||
response = client.post(
|
||||
f"/admin/groups/{group.id}/add_permission",
|
||||
data={"permission": "foobar"},
|
||||
user=admin_user,
|
||||
follow_redirects=False,
|
||||
)
|
||||
assert response.status_code == 400
|
||||
|
||||
|
||||
def test_group_remove_permission(test_db, client, admin_user):
|
||||
group = test_db.query(UserGroup).scalar()
|
||||
response = client.get(
|
||||
f"/admin/groups/{group.id}/remove_permission/1",
|
||||
user=admin_user,
|
||||
follow_redirects=False,
|
||||
)
|
||||
assert response.status_code == 303
|
||||
group = test_db.execute(select(UserGroup).where(UserGroup.id == group.id)).scalar()
|
||||
assert 0 == len(group.permissions)
|
||||
|
||||
|
||||
def test_create_group(test_db, client, admin_user):
|
||||
response = client.post(
|
||||
"/admin/groups/create",
|
||||
data={"name": "New Group", "description": "A newly created group"},
|
||||
user=admin_user,
|
||||
follow_redirects=False,
|
||||
)
|
||||
assert response.status_code == 303
|
||||
assert test_db.query(UserGroup).filter_by(name="New Group").scalar() is not None
|
||||
|
||||
|
||||
def test_delete_group(test_db, client, admin_user):
|
||||
group = UserGroup(name="To Be Deleted")
|
||||
test_db.add(group)
|
||||
test_db.flush()
|
||||
response = client.get(f"/admin/groups/{group.id}/delete", user=admin_user)
|
||||
assert response.status_code == 200
|
||||
assert (
|
||||
test_db.execute(select(UserGroup).where(UserGroup.id == group.id)).scalar()
|
||||
is None
|
||||
)
|
||||
@@ -2,9 +2,9 @@ from decimal import Decimal
|
||||
from unittest import mock
|
||||
|
||||
import pytest
|
||||
from conftest import APSTestClient
|
||||
from fake_data import fake
|
||||
from sqlalchemy import select
|
||||
from starlette.testclient import TestClient
|
||||
|
||||
from allmende_payment_system.database import ensure_user
|
||||
from allmende_payment_system.models import (
|
||||
@@ -56,7 +56,7 @@ def product(test_db):
|
||||
return product
|
||||
|
||||
|
||||
def test_add_item_to_cart(client: TestClient, test_db, product):
|
||||
def test_add_item_to_cart(client: APSTestClient, test_db, product):
|
||||
|
||||
form_data = {"product_id": product.id, "quantity": 2, "area_id": product.area.id}
|
||||
|
||||
@@ -72,7 +72,7 @@ def test_add_item_to_cart(client: TestClient, test_db, product):
|
||||
assert len(cart.items) == 1
|
||||
|
||||
|
||||
def test_edit_item_in_cart(client: TestClient, test_db, product):
|
||||
def test_edit_item_in_cart(client: APSTestClient, test_db, product):
|
||||
form_data = {"product_id": product.id, "quantity": 2, "area_id": product.area.id}
|
||||
|
||||
response = client.post(
|
||||
@@ -99,7 +99,7 @@ def test_edit_item_in_cart(client: TestClient, test_db, product):
|
||||
assert cart.items[0].total_amount == product.price * 3
|
||||
|
||||
|
||||
def test_remove_item_from_cart(client: TestClient, test_db, product):
|
||||
def test_remove_item_from_cart(client: APSTestClient, test_db, product):
|
||||
|
||||
user = create_user_with_account(test_db, "test")
|
||||
|
||||
@@ -122,7 +122,7 @@ def test_remove_item_from_cart(client: TestClient, test_db, product):
|
||||
assert len(test_db.scalars(select(OrderItem)).all()) == 0
|
||||
|
||||
|
||||
def test_remove_item_from_cart_wrong_user(client: TestClient, test_db, product):
|
||||
def test_remove_item_from_cart_wrong_user(client: APSTestClient, test_db, product):
|
||||
user = create_user_with_account(test_db, "test")
|
||||
|
||||
user.shopping_cart.items.append(
|
||||
@@ -135,15 +135,16 @@ def test_remove_item_from_cart_wrong_user(client: TestClient, test_db, product):
|
||||
|
||||
id_ = user.shopping_cart.items[0].id
|
||||
|
||||
with mock.patch.dict("os.environ", {"APS_username": "other_user"}):
|
||||
response = client.get(f"/shop/cart/remove/{id_}", follow_redirects=False)
|
||||
response = client.get(
|
||||
f"/shop/cart/remove/{id_}", follow_redirects=False, user="other_user"
|
||||
)
|
||||
assert response.status_code == 404
|
||||
|
||||
cart = test_db.scalar(select(Order))
|
||||
assert len(cart.items) == 1
|
||||
|
||||
|
||||
def test_finalize_order(client: TestClient, test_db, product):
|
||||
def test_finalize_order(client: APSTestClient, test_db, product):
|
||||
|
||||
user = create_user_with_account(test_db, "test", balance=100.0)
|
||||
|
||||
@@ -161,7 +162,7 @@ def test_finalize_order(client: TestClient, test_db, product):
|
||||
assert user.accounts[0].balance == Decimal(100.0) - (product.price * 2)
|
||||
|
||||
|
||||
def test_view_order(client: TestClient, test_db, product):
|
||||
def test_view_order(client: APSTestClient, test_db, product):
|
||||
user = create_user_with_account(test_db, "test")
|
||||
|
||||
order = add_finalized_order_to_user(test_db, user, product)
|
||||
@@ -172,11 +173,12 @@ def test_view_order(client: TestClient, test_db, product):
|
||||
assert product.name in response.text
|
||||
|
||||
|
||||
def test_view_order_wrong_user(client: TestClient, test_db, product):
|
||||
def test_view_order_wrong_user(client: APSTestClient, test_db, product):
|
||||
user = create_user_with_account(test_db, "test")
|
||||
|
||||
order = add_finalized_order_to_user(test_db, user, product)
|
||||
|
||||
with mock.patch.dict("os.environ", {"APS_username": "other_user"}):
|
||||
response = client.get(f"/shop/order/{order.id}")
|
||||
response = client.get(
|
||||
f"/shop/order/{order.id}", follow_redirects=False, user="other_user"
|
||||
)
|
||||
assert response.status_code == 403
|
||||
|
||||
Reference in New Issue
Block a user