API users: password, plus de tests unitaires, correctifs.

2022-08-19 12:46:21 +02:00 · 2022-08-19 12:46:21 +02:00 · c6a99dc7d2
commit c6a99dc7d2
parent 64f9de95a5
4 changed files with 140 additions and 6 deletions
--- a/app/api/users.py
+++ b/app/api/users.py
@ -14,9 +14,9 @@ from flask_login import current_user, login_required

 from app import db, log
 from app.api import api_bp as bp, api_web_bp
-from app.models.etudiants import Identite
 from app.scodoc.sco_utils import json_error
 from app.auth.models import User, Role, UserRole
+from app.auth.models import is_valid_password
 from app.decorators import scodoc, permission_required
 from app.models import Departement
 from app.scodoc.sco_exceptions import ScoValueError
@ -38,7 +38,7 @@ def user_info(uid: int):
        return json_error(404, "user not found")
    if g.scodoc_dept:
        allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersView)
-        if user.dept not in allowed_depts:
+        if (None not in allowed_depts) and (user.dept not in allowed_depts):
            return json_error(404, "user not found")

    return jsonify(user.to_dict())
@ -109,7 +109,7 @@ def user_create():
    if dept == "@all":
        dept = None
    allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersAdmin)
-    if dept not in allowed_depts:
+    if (None not in allowed_depts) and (dept not in allowed_depts):
        return json_error(403, "user_create: departement non autorise")
    if (dept is not None) and (
        Departement.query.filter_by(acronym=dept).first() is None
@ -168,6 +168,35 @@ def user_edit(uid: int):
    return jsonify(user.to_dict())


+@bp.route("/user/<int:uid>/password", methods=["POST"])
+@api_web_bp.route("/user/<int:uid>/password", methods=["POST"])
+@login_required
+@scodoc
+@permission_required(Permission.ScoUsersAdmin)
+def user_password(uid: int):
+    """Modification du mot de passe d'un utilisateur
+    Champs modifiables:
+    {
+        "password": str
+    }
+    Si le mot de passe ne convient pas, erreur 400.
+    """
+    data = request.get_json(force=True)  # may raise 400 Bad Request
+    user: User = User.query.get_or_404(uid)
+    password = data.get("password")
+    if not password:
+        return json_error(404, "user_password: missing password")
+    if not is_valid_password(password):
+        return json_error(400, "user_password: invalid password")
+    allowed_depts = current_user.get_depts_with_permission(Permission.ScoUsersAdmin)
+    if (None not in allowed_depts) and ((user.dept not in allowed_depts)):
+        return json_error(403, "user_password: departement non autorise")
+    user.set_password(password)
+    db.session.add(user)
+    db.session.commit()
+    return jsonify(user.to_dict())
+
+
@bp.route("/user/<int:uid>/role/<string:role_name>/add", methods=["POST"])
@api_web_bp.route("/user/<int:uid>/role/<string:role_name>/add", methods=["POST"])
@bp.route(
--- a/tests/api/exemple-api-basic.py
+++ b/tests/api/exemple-api-basic.py
@ -51,6 +51,7 @@ print(f"API URL={API_URL}")


 HEADERS = get_auth_headers(API_USER, API_PASSWORD)
+admin_h = get_auth_headers("admin_api", "admin_api")

 departements = GET("/departements", headers=HEADERS)
 pp(departements)
--- a/tests/api/setup_test_api.py
+++ b/tests/api/setup_test_api.py
@ -76,10 +76,14 @@ def GET(path: str, headers: dict = None, errmsg=None, dept=None):
    return r.json()  # decode la reponse JSON


-def POST_JSON(path: str, data: dict = {}, headers: dict = None, errmsg=None):
+def POST_JSON(path: str, data: dict = {}, headers: dict = None, errmsg=None, dept=None):
    """Post"""
+    if dept:
+        url = SCODOC_URL + f"/ScoDoc/{dept}/api" + path
+    else:
+        url = API_URL + path
    r = requests.post(
-        API_URL + path,
+        url,
        json=data,
        headers=headers or {},
        verify=CHECK_CERTIFICATE,
--- a/tests/api/test_api_users.py
+++ b/tests/api/test_api_users.py
@ -8,6 +8,7 @@ Utilisation :

 from tests.api.setup_test_api import (
    API_URL,
+    APIError,
    CHECK_CERTIFICATE,
    GET,
    POST_JSON,
@ -83,7 +84,7 @@ def test_edit_users(api_admin_headers):
    assert (nb_users + 1) == len(GET("/users/query", headers=admin_h))
    # Change le dept et rend inactif
    user = POST_JSON(
-        f"/user/edit/{user['id']}",
+        f"/user/{user['id']}/edit",
        {"active": False, "dept": "TAPI"},
        headers=admin_h,
    )
@ -129,3 +130,102 @@ def test_roles(api_admin_headers):
    assert set(role["permissions"]) == {"ScoView", "ScoAbsAddBillet"}
    ans = POST_JSON("/role/Test_Y/delete", headers=admin_h)
    assert ans["OK"] is True
+
+
+def test_modif_users_depts(api_admin_headers):
+    """
+    Ce test vise à vérifier qu'un admin déclaré sur deux départements peut
+    bien modifier les utilisateurs de ses départements mais pas ceux des autres.
+    """
+    admin_h = api_admin_headers
+    depts = GET("/departements", headers=admin_h)
+    assert len(depts) > 2
+    dept1, dept2, dept3 = depts[:3]
+    # On va utiliser les 3 1er dept (TAPI, AA, BB)
+    # On crée un nouvel utilisateur "chef2", admin dans les 2 premiers dept
+    # puis un utilisateur lambda, dans le dept 2 (AA)
+    chef2 = POST_JSON(
+        "/user/create",
+        {
+            "user_name": "chef2",
+            "nom": "Chef",
+            "prenom": "Test",
+            "dept": dept1["acronym"],  # rattaché à dept1
+        },
+        headers=admin_h,
+    )
+    role_chef = POST_JSON(
+        "/role/create/chef",
+        {"permissions": ["ScoView", "ScoUsersAdmin", "ScoUsersView"]},
+        headers=admin_h,
+    )
+    _ = POST_JSON(
+        f"/user/{chef2['id']}/role/chef/add/departement/{dept1['acronym']}",
+        headers=admin_h,
+    )
+    _ = POST_JSON(
+        f"/user/{chef2['id']}/role/chef/add/departement/{dept2['acronym']}",
+        headers=admin_h,
+    )
+    # Un mot de passe trop simple:
+    ok = False
+    try:
+        _ = POST_JSON(
+            f"/user/{chef2['id']}/password",
+            {"password": "123456"},
+            headers=admin_h,
+        )
+    except APIError as exc:
+        if exc.args[1]["status"] == 400:
+            ok = True
+    assert ok
+    # Un "vrai" mot de passe:
+    chef2_password = "17HIOPpYhabb8qw'E:/jd7FFddjd"
+    _ = POST_JSON(
+        f"/user/{chef2['id']}/password",
+        {"password": chef2_password},
+        headers=admin_h,
+    )
+    # Création user lambda:
+    u_lambda = POST_JSON(
+        "/user/create",
+        {
+            "user_name": "lambda",
+            "nom": "Lambda",
+            "prenom": "Test",
+            "dept": dept2["acronym"],
+        },
+        headers=admin_h,
+    )
+
+    # Le chef va modifier u_lambda:
+    chef_h = get_auth_headers(chef2["user_name"], chef2_password)
+    # on utilise une URL avec département car on n'a pas le droit sur tous:
+    u = POST_JSON(
+        f"/user/{u_lambda['id']}/edit",
+        {"nom": "toto"},
+        headers=chef_h,
+        dept=dept1["acronym"],
+    )
+    assert u["nom"] == "toto"
+    # Dans l'autre ?
+    u = POST_JSON(
+        f"/user/{u_lambda['id']}/edit",
+        {"nom": "toto"},
+        headers=chef_h,
+        dept=dept2["acronym"],
+    )
+    # mais pas dans le troisième:
+    ok = False
+    try:
+        u = POST_JSON(
+            f"/user/{u_lambda['id']}/edit",
+            {"nom": "toto"},
+            headers=chef_h,
+            dept=dept3["acronym"],
+        )
+    except APIError as exc:
+        if exc.args[1]["status"] == 401:
+            ok = True
+    assert ok
+    # Nettoyage: