API users: password, plus de tests unitaires, correctifs.

app/api/users.py

@@ -14,9 +14,9 @@ from flask_login import current_user, login_required
 
 from app import db, log
 from app.api import api_bp as bp, api_web_bp
-from app.models.etudiants import Identite
 from app.scodoc.sco_utils import json_error
 from app.auth.models import User, Role, UserRole
+from app.auth.models import is_valid_password
 from app.decorators import scodoc, permission_required
 from app.models import Departement
 from app.scodoc.sco_exceptions import ScoValueError
@@ -38,7 +38,7 @@ def user_info(uid: int):
         return json_error(404, "user not found")
     if g.scodoc_dept:
         allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersView)
-        if user.dept not in allowed_depts:
+        if (None not in allowed_depts) and (user.dept not in allowed_depts):
             return json_error(404, "user not found")
 
     return jsonify(user.to_dict())
@@ -109,7 +109,7 @@ def user_create():
     if dept == "@all":
         dept = None
     allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersAdmin)
-    if dept not in allowed_depts:
+    if (None not in allowed_depts) and (dept not in allowed_depts):
         return json_error(403, "user_create: departement non autorise")
     if (dept is not None) and (
         Departement.query.filter_by(acronym=dept).first() is None
@@ -168,6 +168,35 @@ def user_edit(uid: int):
     return jsonify(user.to_dict())
 
 
+@bp.route("/user/<int:uid>/password", methods=["POST"])
+@api_web_bp.route("/user/<int:uid>/password", methods=["POST"])
+@login_required
+@scodoc
+@permission_required(Permission.ScoUsersAdmin)
+def user_password(uid: int):
+    """Modification du mot de passe d'un utilisateur
+    Champs modifiables:
+    {
+        "password": str
+    }
+    Si le mot de passe ne convient pas, erreur 400.
+    """
+    data = request.get_json(force=True)  # may raise 400 Bad Request
+    user: User = User.query.get_or_404(uid)
+    password = data.get("password")
+    if not password:
+        return json_error(404, "user_password: missing password")
+    if not is_valid_password(password):
+        return json_error(400, "user_password: invalid password")
+    allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersAdmin)
+    if (None not in allowed_depts) and ((user.dept not in allowed_depts)):
+        return json_error(403, "user_password: departement non autorise")
+    user.set_password(password)
+    db.session.add(user)
+    db.session.commit()
+    return jsonify(user.to_dict())
+
+
 @bp.route("/user/<int:uid>/role/<string:role_name>/add", methods=["POST"])
 @api_web_bp.route("/user/<int:uid>/role/<string:role_name>/add", methods=["POST"])
 @bp.route(

tests/api/exemple-api-basic.py

@@ -51,6 +51,7 @@ print(f"API URL={API_URL}")
 
 
 HEADERS = get_auth_headers(API_USER, API_PASSWORD)
+admin_h = get_auth_headers("admin_api", "admin_api")
 
 departements = GET("/departements", headers=HEADERS)
 pp(departements)

tests/api/setup_test_api.py

@@ -76,10 +76,14 @@ def GET(path: str, headers: dict = None, errmsg=None, dept=None):
     return r.json()  # decode la reponse JSON
 
 
-def POST_JSON(path: str, data: dict = {}, headers: dict = None, errmsg=None):
+def POST_JSON(path: str, data: dict = {}, headers: dict = None, errmsg=None, dept=None):
     """Post"""
+    if dept:
+        url = SCODOC_URL + f"/ScoDoc/{dept}/api" + path
+    else:
+        url = API_URL + path
     r = requests.post(
-        API_URL + path,
+        url,
         json=data,
         headers=headers or {},
         verify=CHECK_CERTIFICATE,

tests/api/test_api_users.py

@@ -8,6 +8,7 @@ Utilisation :
 
 from tests.api.setup_test_api import (
     API_URL,
+    APIError,
     CHECK_CERTIFICATE,
     GET,
     POST_JSON,
@@ -83,7 +84,7 @@ def test_edit_users(api_admin_headers):
     assert (nb_users + 1) == len(GET("/users/query", headers=admin_h))
     # Change le dept et rend inactif
     user = POST_JSON(
-        f"/user/edit/{user['id']}",
+        f"/user/{user['id']}/edit",
         {"active": False, "dept": "TAPI"},
         headers=admin_h,
     )
@@ -129,3 +130,102 @@ def test_roles(api_admin_headers):
     assert set(role["permissions"]) == {"ScoView", "ScoAbsAddBillet"}
     ans = POST_JSON("/role/Test_Y/delete", headers=admin_h)
     assert ans["OK"] is True
+
+
+def test_modif_users_depts(api_admin_headers):
+    """
+    Ce test vise à vérifier qu'un admin déclaré sur deux départements peut
+    bien modifier les utilisateurs de ses départements mais pas ceux des autres.
+    """
+    admin_h = api_admin_headers
+    depts = GET("/departements", headers=admin_h)
+    assert len(depts) > 2
+    dept1, dept2, dept3 = depts[:3]
+    # On va utiliser les 3 1er dept (TAPI, AA, BB)
+    # On crée un nouvel utilisateur "chef2", admin dans les 2 premiers dept
+    # puis un utilisateur lambda, dans le dept 2 (AA)
+    chef2 = POST_JSON(
+        "/user/create",
+        {
+            "user_name": "chef2",
+            "nom": "Chef",
+            "prenom": "Test",
+            "dept": dept1["acronym"],  # rattaché à dept1
+        },
+        headers=admin_h,
+    )
+    role_chef = POST_JSON(
+        "/role/create/chef",
+        {"permissions": ["ScoView", "ScoUsersAdmin", "ScoUsersView"]},
+        headers=admin_h,
+    )
+    _ = POST_JSON(
+        f"/user/{chef2['id']}/role/chef/add/departement/{dept1['acronym']}",
+        headers=admin_h,
+    )
+    _ = POST_JSON(
+        f"/user/{chef2['id']}/role/chef/add/departement/{dept2['acronym']}",
+        headers=admin_h,
+    )
+    # Un mot de passe trop simple:
+    ok = False
+    try:
+        _ = POST_JSON(
+            f"/user/{chef2['id']}/password",
+            {"password": "123456"},
+            headers=admin_h,
+        )
+    except APIError as exc:
+        if exc.args[1]["status"] == 400:
+            ok = True
+    assert ok
+    # Un "vrai" mot de passe:
+    chef2_password = "17HIOPpYhabb8qw'E:/jd7FFddjd"
+    _ = POST_JSON(
+        f"/user/{chef2['id']}/password",
+        {"password": chef2_password},
+        headers=admin_h,
+    )
+    # Création user lambda:
+    u_lambda = POST_JSON(
+        "/user/create",
+        {
+            "user_name": "lambda",
+            "nom": "Lambda",
+            "prenom": "Test",
+            "dept": dept2["acronym"],
+        },
+        headers=admin_h,
+    )
+
+    # Le chef va modifier u_lambda:
+    chef_h = get_auth_headers(chef2["user_name"], chef2_password)
+    # on utilise une URL avec département car on n'a pas le droit sur tous:
+    u = POST_JSON(
+        f"/user/{u_lambda['id']}/edit",
+        {"nom": "toto"},
+        headers=chef_h,
+        dept=dept1["acronym"],
+    )
+    assert u["nom"] == "toto"
+    # Dans l'autre ?
+    u = POST_JSON(
+        f"/user/{u_lambda['id']}/edit",
+        {"nom": "toto"},
+        headers=chef_h,
+        dept=dept2["acronym"],
+    )
+    # mais pas dans le troisième:
+    ok = False
+    try:
+        u = POST_JSON(
+            f"/user/{u_lambda['id']}/edit",
+            {"nom": "toto"},
+            headers=chef_h,
+            dept=dept3["acronym"],
+        )
+    except APIError as exc:
+        if exc.args[1]["status"] == 401:
+            ok = True
+    assert ok
+    # Nettoyage: