-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
toavina
committed
Feb 3, 2025
1 parent
db8f653
commit 69a3ad3
Showing
1 changed file
with
88 additions
and
100 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,6 +15,7 @@ def base_user(self): | |
| image_url='/images/test-image.jpg' | ||
| ) | ||
|
|
||
|
|
||
| def test_user_create_with_valid_data(self): | ||
| """Test user creation with valid local image URL succeeds.""" | ||
| user_dict = { | ||
|
|
@@ -28,6 +29,7 @@ def test_user_create_with_valid_data(self): | |
| assert user['email'] == user_dict['email'] | ||
| assert user['image_url'] == user_dict['image_url'] | ||
|
|
||
|
|
||
| @pytest.mark.parametrize("image_url", [ | ||
| 'http://example.com/image.jpg', | ||
| 'https://example.com/image.jpg', | ||
|
|
@@ -41,11 +43,13 @@ def test_user_create_with_external_image_fails(self, image_url): | |
| ) | ||
| assert 'Image URL must be a local path. External URLs are not allowed' in str(exception_info.value) | ||
|
|
||
|
|
||
| def test_user_create_without_image_url(self): | ||
| """Test user creation succeeds without an image URL.""" | ||
| user = factories.User(image_url=None) | ||
| assert 'image_url' not in user or not user['image_url'] | ||
|
|
||
|
|
||
| def test_user_update_with_valid_data(self, base_user): | ||
| """Test user update with valid local image URL succeeds.""" | ||
| update_dict = { | ||
|
|
@@ -73,112 +77,96 @@ def test_user_update_without_image_url(self, base_user): | |
| ) | ||
| assert updated_user['image_url'] == original_image_url | ||
|
|
||
| # WEB API | ||
| @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context') | ||
| def test_api_user_create_with_external_image(self, app): | ||
| """Test that the API blocks external images during user creation.""" | ||
| sysadmin = factories.Sysadmin(image_url='') | ||
| env = {'REMOTE_USER': sysadmin['name']} | ||
| class TestSecureUserAPI: | ||
|
|
||
| def test_api_user_create_with_external_image(self, _call_api, _assert): | ||
| """Test that the API blocks external images during user creation.""" | ||
| user_dict = { | ||
| 'name': 'apitestuser', | ||
| 'email': '[email protected]', | ||
| 'password': 'APITestPass123', | ||
| 'image_url': 'https://example.com/image.jpg' | ||
| } | ||
| _assert( | ||
| _call_api(user_dict, 'user_create', True), | ||
| False | ||
| ) | ||
|
|
||
| user_dict = { | ||
| 'name': 'apitestuser', | ||
| 'email': '[email protected]', | ||
| 'password': 'APITestPass123', | ||
| 'image_url': 'https://example.com/image.jpg' | ||
| } | ||
| url = toolkit.url_for('api.action', ver=3, logic_function='user_create') | ||
| response = app.post( | ||
| url, | ||
| json=user_dict, | ||
| extra_environ=env, | ||
| expect_errors=True | ||
| ) | ||
| assert response.status_code == 409 | ||
| error_dict = response.json | ||
| assert error_dict['success'] is False | ||
| assert 'Image URL must be a local path' in str(error_dict['error']) | ||
|
|
||
| def test_api_user_create_with_valid_image(self, _call_api, _assert): | ||
| """Test that the API allows local image paths during user creation.""" | ||
| user_dict = { | ||
| 'name': 'apitestuser', | ||
| 'email': '[email protected]', | ||
| 'password': 'APITestPass123', | ||
| 'image_url': '/images/test-image.jpg' | ||
| } | ||
| _assert( | ||
| _call_api(user_dict, 'user_create'), | ||
| True | ||
| ) | ||
|
|
||
| @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context') | ||
| def test_api_user_create_with_valid_image(self, app): | ||
| """Test that the API allows local image paths during user creation.""" | ||
| # Create sysadmin with a valid local image URL | ||
| sysadmin = factories.Sysadmin( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| env = {'REMOTE_USER': sysadmin['name']} | ||
| user_dict = { | ||
| 'name': 'apitestuser', | ||
| 'email': '[email protected]', | ||
| 'password': 'APITestPass123', | ||
| 'image_url': '/images/test-user.jpg' | ||
| } | ||
|
|
||
| url = toolkit.url_for('api.action', ver=3, logic_function='user_create') | ||
| response = app.post( | ||
| url, | ||
| json=user_dict, | ||
| extra_environ=env | ||
| ) | ||
| assert response.status_code == 200 | ||
| response_dict = response.json | ||
| assert response_dict['success'] is True | ||
| assert response_dict['result']['image_url'] == '/images/test-user.jpg' | ||
| def test_api_user_update_with_external_image(self, _call_api, _assert): | ||
| """Test that the API blocks external images during user update.""" | ||
| user = factories.User( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| update_dict = { | ||
| 'id': user['id'], | ||
| 'email': '[email protected]', | ||
| 'image_url': 'https://example.com/image.jpg' | ||
| } | ||
| _assert( | ||
| _call_api(update_dict, 'user_update', True), | ||
| False | ||
| ) | ||
|
|
||
| @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context') | ||
| def test_api_user_update_with_external_image(self, app): | ||
| """Test that the API blocks external images during user update.""" | ||
| # Create a regular user first | ||
| user = factories.User( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| sysadmin = factories.Sysadmin( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| env = {'REMOTE_USER': sysadmin['name']} | ||
|
|
||
| # Try to update with external image | ||
| update_dict = { | ||
| 'id': user['id'], | ||
| 'email': '[email protected]', | ||
| 'image_url': 'https://example.com/image.jpg' | ||
| } | ||
| url = toolkit.url_for('api.action', ver=3, logic_function='user_update') | ||
| response = app.post( | ||
| url, | ||
| json=update_dict, | ||
| extra_environ=env, | ||
| expect_errors=True | ||
| ) | ||
| assert response.status_code == 409 | ||
| error_dict = response.json | ||
| assert error_dict['success'] is False | ||
| assert 'Image URL must be a local path' in str(error_dict['error']['image_url'][0]) | ||
| def test_api_user_update_with_valid_image(self, _call_api, _assert): | ||
| """Test that the API allows local image paths during user update.""" | ||
| user = factories.User( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| update_dict = { | ||
| 'id': user['id'], | ||
| 'email': '[email protected]', | ||
| 'image_url': '/images/updated-user.jpg' | ||
| } | ||
| _assert( | ||
| _call_api(update_dict, 'user_update'), | ||
| True, | ||
| '/images/updated-user.jpg' | ||
| ) | ||
|
|
||
| @pytest.mark.usefixtures('clean_db', 'with_plugins', 'with_request_context') | ||
| def test_api_user_update_with_valid_image(self, app): | ||
| """Test that the API allows local image paths during user update.""" | ||
| # Create a regular user first | ||
| user = factories.User( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| sysadmin = factories.Sysadmin( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| env = {'REMOTE_USER': sysadmin['name']} | ||
| # Update with valid local image | ||
| update_dict = { | ||
| 'id': user['id'], | ||
| 'email': '[email protected]', | ||
| 'image_url': '/images/updated-user.jpg' | ||
| } | ||
| url = toolkit.url_for('api.action', ver=3, logic_function='user_update') | ||
| response = app.post( | ||
| url, | ||
| json=update_dict, | ||
| extra_environ=env | ||
| ) | ||
|
|
||
| assert response.status_code == 200 | ||
| response_dict = response.json | ||
| assert response_dict['success'] is True | ||
| assert response_dict['result']['image_url'] == '/images/updated-user.jpg' | ||
| def test_api_user_create_without_image(self, _call_api, _assert): | ||
| """Test that the API allows user creation without an image URL.""" | ||
| user_dict = { | ||
| 'name': 'testuser', | ||
| 'email': '[email protected]', | ||
| 'password': 'SecurePassword123' | ||
| } | ||
| _assert( | ||
| _call_api(user_dict, 'user_create'), | ||
| True, | ||
| expected_image_url=None | ||
| ) | ||
|
|
||
| def test_api_user_update_remove_image(self, _call_api, _assert): | ||
| """Test that the API allows removing image URL during user update.""" | ||
| user = factories.User( | ||
| image_url='/images/default-user.png' | ||
| ) | ||
| update_dict = { | ||
| 'id': user['id'], | ||
| 'email': '[email protected]', | ||
| 'image_url': '' | ||
| } | ||
| _assert( | ||
| _call_api(update_dict, 'user_update'), | ||
| True, | ||
| expected_image_url='' | ||
| ) | ||