feat(admin): Add group admin and test for admin views

2026-01-03 10:39:52 +01:00
parent 927b4b0b4e
commit a6e97c6170
6 changed files with 352 additions and 14 deletions
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -41,10 +41,23 @@ def get_test_session():
 app.dependency_overrides[get_session] = get_test_session


+class APSTestClient(TestClient):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    def post(self, *args, user: str = "test", **kwargs):
+        with mock.patch.dict(os.environ, {"APS_username": user}, clear=False):
+            return super().post(*args, **kwargs)
+
+    def get(self, *args, user: str = "test", **kwargs):
+        with mock.patch.dict(os.environ, {"APS_username": user}, clear=False):
+            return super().get(*args, **kwargs)
+
+
@pytest.fixture(scope="session")
 def client():
    os.environ["APS_username"] = "test"
-    return TestClient(app)
+    return APSTestClient(app)


@pytest.fixture(scope="session")
--- a/test/test_admin.py
+++ b/test/test_admin.py
@@ -0,0 +1,130 @@
+import pytest
+from fastapi.testclient import TestClient
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from allmende_payment_system.app import app
+from allmende_payment_system.database import ensure_user
+from allmende_payment_system.models import Permission, User, UserGroup
+
+
+@pytest.fixture
+def admin_user(test_db):
+    user_info = {"username": "admin", "display_name": "The Administrator"}
+    user = ensure_user(user_info, test_db)
+
+    group = UserGroup(id=1, name="Admins")
+    group.permissions.append(Permission(scope="user", action="edit"))
+    user.user_groups.append(group)
+    test_db.add(group)
+    test_db.flush()
+    return "admin"
+
+
+def test_user_add_group(test_db, client, admin_user):
+    user_info = {"username": "test", "display_name": "Display Test"}
+    user = ensure_user(user_info, test_db)
+
+    group = UserGroup(name="Bosses")
+    test_db.add(group)
+    test_db.flush()
+
+    assert 0 == len(user.user_groups)
+
+    response = client.post(
+        f"/admin/users/{user.id}/add_group",
+        data={"group_id": group.id},
+        user=admin_user,
+        follow_redirects=False,
+    )
+    assert response.status_code == 303
+
+    user = test_db.execute(select(User).where(User.username == "test")).scalar()
+    assert 1 == len(user.user_groups)
+    assert "Bosses" == user.user_groups[0].name
+
+
+def test_user_remove_group(test_db, client, admin_user):
+    user_info = {"username": "test", "display_name": "Display Test"}
+    user = ensure_user(user_info, test_db)
+
+    group = UserGroup(name="Bosses")
+    test_db.add(group)
+    user.user_groups.append(group)
+    test_db.flush()
+
+    assert 1 == len(user.user_groups)
+
+    response = client.get(
+        f"/admin/users/{user.id}/remove_group/{group.id}",
+        user=admin_user,
+        follow_redirects=False,
+    )
+    assert response.status_code == 303
+
+    user = test_db.execute(select(User).where(User.username == "test")).scalar()
+    assert 0 == len(user.user_groups)
+
+
+def test_group_add_permission(test_db, client, admin_user):
+    group = test_db.query(UserGroup).scalar()
+
+    response = client.post(
+        f"/admin/groups/{group.id}/add_permission",
+        data={"permission": "foo:bar"},
+        user=admin_user,
+        follow_redirects=False,
+    )
+    assert response.status_code == 303
+
+    group = test_db.execute(select(UserGroup).where(UserGroup.id == group.id)).scalar()
+    assert any(
+        perm.scope == "foo" and perm.action == "bar" for perm in group.permissions
+    )
+
+
+def test_group_add_permission_illegal_format(test_db, client, admin_user):
+    group = test_db.query(UserGroup).scalar()
+
+    response = client.post(
+        f"/admin/groups/{group.id}/add_permission",
+        data={"permission": "foobar"},
+        user=admin_user,
+        follow_redirects=False,
+    )
+    assert response.status_code == 400
+
+
+def test_group_remove_permission(test_db, client, admin_user):
+    group = test_db.query(UserGroup).scalar()
+    response = client.get(
+        f"/admin/groups/{group.id}/remove_permission/1",
+        user=admin_user,
+        follow_redirects=False,
+    )
+    assert response.status_code == 303
+    group = test_db.execute(select(UserGroup).where(UserGroup.id == group.id)).scalar()
+    assert 0 == len(group.permissions)
+
+
+def test_create_group(test_db, client, admin_user):
+    response = client.post(
+        "/admin/groups/create",
+        data={"name": "New Group", "description": "A newly created group"},
+        user=admin_user,
+        follow_redirects=False,
+    )
+    assert response.status_code == 303
+    assert test_db.query(UserGroup).filter_by(name="New Group").scalar() is not None
+
+
+def test_delete_group(test_db, client, admin_user):
+    group = UserGroup(name="To Be Deleted")
+    test_db.add(group)
+    test_db.flush()
+    response = client.get(f"/admin/groups/{group.id}/delete", user=admin_user)
+    assert response.status_code == 200
+    assert (
+        test_db.execute(select(UserGroup).where(UserGroup.id == group.id)).scalar()
+        is None
+    )
--- a/test/test_shop.py
+++ b/test/test_shop.py
@@ -2,9 +2,9 @@ from decimal import Decimal
 from unittest import mock

 import pytest
+from conftest import APSTestClient
 from fake_data import fake
 from sqlalchemy import select
-from starlette.testclient import TestClient

 from allmende_payment_system.database import ensure_user
 from allmende_payment_system.models import (
@@ -56,7 +56,7 @@ def product(test_db):
    return product


-def test_add_item_to_cart(client: TestClient, test_db, product):
+def test_add_item_to_cart(client: APSTestClient, test_db, product):

    form_data = {"product_id": product.id, "quantity": 2, "area_id": product.area.id}

@@ -72,7 +72,7 @@ def test_add_item_to_cart(client: TestClient, test_db, product):
    assert len(cart.items) == 1


-def test_edit_item_in_cart(client: TestClient, test_db, product):
+def test_edit_item_in_cart(client: APSTestClient, test_db, product):
    form_data = {"product_id": product.id, "quantity": 2, "area_id": product.area.id}

    response = client.post(
@@ -99,7 +99,7 @@ def test_edit_item_in_cart(client: TestClient, test_db, product):
    assert cart.items[0].total_amount == product.price * 3


-def test_remove_item_from_cart(client: TestClient, test_db, product):
+def test_remove_item_from_cart(client: APSTestClient, test_db, product):

    user = create_user_with_account(test_db, "test")

@@ -122,7 +122,7 @@ def test_remove_item_from_cart(client: TestClient, test_db, product):
    assert len(test_db.scalars(select(OrderItem)).all()) == 0


-def test_remove_item_from_cart_wrong_user(client: TestClient, test_db, product):
+def test_remove_item_from_cart_wrong_user(client: APSTestClient, test_db, product):
    user = create_user_with_account(test_db, "test")

    user.shopping_cart.items.append(
@@ -135,15 +135,16 @@ def test_remove_item_from_cart_wrong_user(client: TestClient, test_db, product):

    id_ = user.shopping_cart.items[0].id

-    with mock.patch.dict("os.environ", {"APS_username": "other_user"}):
-        response = client.get(f"/shop/cart/remove/{id_}", follow_redirects=False)
+    response = client.get(
+        f"/shop/cart/remove/{id_}", follow_redirects=False, user="other_user"
+    )
    assert response.status_code == 404

    cart = test_db.scalar(select(Order))
    assert len(cart.items) == 1


-def test_finalize_order(client: TestClient, test_db, product):
+def test_finalize_order(client: APSTestClient, test_db, product):

    user = create_user_with_account(test_db, "test", balance=100.0)

@@ -161,7 +162,7 @@ def test_finalize_order(client: TestClient, test_db, product):
    assert user.accounts[0].balance == Decimal(100.0) - (product.price * 2)


-def test_view_order(client: TestClient, test_db, product):
+def test_view_order(client: APSTestClient, test_db, product):
    user = create_user_with_account(test_db, "test")

    order = add_finalized_order_to_user(test_db, user, product)
@@ -172,11 +173,12 @@ def test_view_order(client: TestClient, test_db, product):
    assert product.name in response.text


-def test_view_order_wrong_user(client: TestClient, test_db, product):
+def test_view_order_wrong_user(client: APSTestClient, test_db, product):
    user = create_user_with_account(test_db, "test")

    order = add_finalized_order_to_user(test_db, user, product)

-    with mock.patch.dict("os.environ", {"APS_username": "other_user"}):
-        response = client.get(f"/shop/order/{order.id}")
+    response = client.get(
+        f"/shop/order/{order.id}", follow_redirects=False, user="other_user"
+    )
    assert response.status_code == 403