test: add pytest suite covering auth, invites, admin and OIDC flows (59 tests)

2026-06-03 22:10:40 +02:00
parent b61aa39b3b
commit 1d3c25f855
6 changed files with 934 additions and 2 deletions
@@ -0,0 +1,96 @@
+"""Tests for admin user-management endpoints."""
+
+from __future__ import annotations
+
+from .conftest import auth_cookies
+
+
+def test_list_users_admin(client, admin, user):
+    cookies = auth_cookies("admin", "adminpass1", client)
+    r = client.get("/api/admin/users", cookies=cookies)
+    assert r.status_code == 200
+    handles = [u["handle"] for u in r.json()]
+    assert "admin" in handles
+    assert "alice" in handles
+
+
+def test_list_users_non_admin(client, user):
+    cookies = auth_cookies("alice", "alicepass1", client)
+    r = client.get("/api/admin/users", cookies=cookies)
+    assert r.status_code == 403
+
+
+def test_list_users_unauthenticated(client):
+    r = client.get("/api/admin/users")
+    assert r.status_code == 401
+
+
+def test_suspend_and_unsuspend(client, admin, user):
+    cookies = auth_cookies("admin", "adminpass1", client)
+
+    r = client.post("/api/admin/users/alice/suspend", cookies=cookies)
+    assert r.status_code == 200
+    assert r.json()["status"] == "suspended"
+
+    # Suspended user can't log in
+    r2 = client.post("/api/auth/login", json={"handle": "alice", "password": "alicepass1"})
+    assert r2.status_code == 401
+
+    r3 = client.post("/api/admin/users/alice/unsuspend", cookies=cookies)
+    assert r3.status_code == 200
+
+    r4 = client.post("/api/auth/login", json={"handle": "alice", "password": "alicepass1"})
+    assert r4.status_code == 200
+
+
+def test_suspend_self(client, admin):
+    cookies = auth_cookies("admin", "adminpass1", client)
+    r = client.post("/api/admin/users/admin/suspend", cookies=cookies)
+    assert r.status_code == 400
+
+
+def test_delete_user(client, admin, user):
+    cookies = auth_cookies("admin", "adminpass1", client)
+    r = client.delete("/api/admin/users/alice", cookies=cookies)
+    assert r.status_code == 200
+
+    users = client.get("/api/admin/users", cookies=cookies).json()
+    assert not any(u["handle"] == "alice" for u in users)
+
+
+def test_delete_self(client, admin):
+    cookies = auth_cookies("admin", "adminpass1", client)
+    r = client.delete("/api/admin/users/admin", cookies=cookies)
+    assert r.status_code == 400
+
+
+def test_delete_nonexistent_user(client, admin):
+    cookies = auth_cookies("admin", "adminpass1", client)
+    r = client.delete("/api/admin/users/ghost", cookies=cookies)
+    assert r.status_code == 404
+
+
+def test_set_access_flags(client, admin, user):
+    cookies = auth_cookies("admin", "adminpass1", client)
+
+    r = client.patch("/api/admin/users/alice/access",
+                     json={"activity_access": True, "wiki_access": False},
+                     cookies=cookies)
+    assert r.status_code == 200
+
+    users = client.get("/api/admin/users", cookies=cookies).json()
+    alice = next(u for u in users if u["handle"] == "alice")
+    assert alice["activity_access"] is True
+    assert alice["wiki_access"] is False
+
+
+def test_set_access_non_admin(client, user):
+    cookies = auth_cookies("alice", "alicepass1", client)
+    r = client.patch("/api/admin/users/alice/access", json={"wiki_access": False}, cookies=cookies)
+    assert r.status_code == 403
+
+
+def test_reset_password_code_for_unknown_user(client, admin):
+    cookies = auth_cookies("admin", "adminpass1", client)
+    r = client.post("/api/admin/users/ghost/reset-password-code", cookies=cookies)
+    assert r.status_code == 404