davical/testing/tests/webui/0004-principal-edit.test

MODE=TAP,43
BEGINPERL
# Browser session shared by every step of this script.  It is replaced by the
# return value of webui_login() each time a login subtest runs.
my $mech;

# Log in as the ordinary account user4 with its fixture password.  The four
# planned tests are presumably emitted inside webui_login(), which is defined
# outside this file -- confirm against the helper.
subtest 'Login' => sub {
    plan tests => 4;

    $mech = webui_login(
        username => 'user4',
        password => 'user4',
        url      => "http://$webhost",
    );
};

# Open the logged-in user's own details page and select its first form.
$mech->follow_link(text_regex => qr/View My Details/);
$mech->form_number(1);

# Baseline values of the edit form, checked in a fixed order.  The two
# password inputs must come back holding the ten-character '@' placeholder
# rather than the password used to log in above.
for my $expectation (
    [ 'xxxxusername',     'user4',             'Username field correct' ],
    [ 'principal_id',     '1005',              'princial_id hidden field correct' ],
    [ 'newpass1',         '@@@@@@@@@@',        'New password field 1 correct' ],
    [ 'newpass2',         '@@@@@@@@@@',        'New password field 2 correct' ],
    [ 'fullname',         'User 4',            'Fullname field correct' ],
    [ 'email',            'user4@example.net', 'Email field correct' ],
    [ 'locale',           '',                  'Locale field correct' ],
    [ 'date_format_type', 'E',                 'Date format type field correct' ],
    [ 'type_id',          1,                   'Type field correct' ],
) {
    my ($field_name, $wanted, $description) = @{$expectation};
    is($mech->value($field_name), $wanted, $description);
}

# The page served to this user must not mention the privileged flags at all;
# content_lacks() searches the whole page, not only the form.
$mech->content_lacks('is_admin', 'Is Admin field missing');
$mech->content_lacks('user_active', 'User Active field missing');
# Negative case: the two new-password fields differ, so the change must be
# refused and the mismatch message shown.
$mech->submit_form_ok(
    {
        form_number => 1,
        button      => 'submit',
        fields      => {
            newpass1 => 'a password',
            newpass2 => 'a different password',
        },
    },
    "Submit mismatching passwords",
);

# Debug aid, left disabled.  If it is re-enabled, prefer a File::Temp path
# over a fixed file name in /tmp.
#$mech->save_content('/tmp/form.html');

# Every later step assumes the password is still the original one, so the
# whole run is abandoned if the refusal message is missing.
$mech->content_contains(
    'Password not updated. The supplied passwords do not match.',
    'Password change error displayed',
) or BAIL_OUT("Password error not returned, all hope is lost");
# The rejected change must have left the credential alone: a fresh login with
# the original password has to succeed.
subtest 'Login with old password' => sub {
    plan tests => 4;

    $mech = webui_login(
        username => 'user4',
        password => 'user4',
        url      => "http://$webhost",
    );
};

# Return to the user's own details page for the next form submission.
$mech->follow_link(text_regex => qr/View My Details/);
# Positive case: both new-password fields match, so the change should be
# accepted.
$mech->submit_form_ok(
    {
        form_number => 1,
        button      => 'submit',
        fields      => {
            newpass1 => 'a new password',
            newpass2 => 'a new password',
        },
    },
    "Submit matching passwords",
);

# Absence of the mismatch message is only indirect evidence of success; the
# login subtests that follow are what prove the credential really changed.
# NOTE(review): the description below is the same text as in the negative
# case although this call asserts the message is NOT shown.  It is kept
# unchanged because the emitted TAP may be compared against stored expected
# output -- confirm before rewording.
$mech->content_lacks(
    'Password not updated. The supplied passwords do not match.',
    'Password change error displayed',
) or BAIL_OUT("Password has probably not changed, all hope is lost");
# After a successful change the previous password must stop working.
# failauth => 1 presumably tells webui_login() to expect the login to be
# rejected -- confirm against the helper, which is defined outside this file.
# NOTE(review): the subtest name repeats the one used for the earlier,
# successful old-password login; it is kept as is so the TAP output does not
# change.
subtest 'Login with old password' => sub {
    plan tests => 4;

    $mech = webui_login(
        username => 'user4',
        password => 'user4',
        url      => "http://$webhost",
        failauth => 1,
    );
};
# The new password must be accepted; together with the rejected old password
# this shows the credential was replaced rather than added to.
subtest 'Login with new password' => sub {
    plan tests => 4;

    $mech = webui_login(
        username => 'user4',
        password => 'a new password',
        url      => "http://$webhost",
    );
};

# Back on the user's own details page, with its first form selected.
$mech->follow_link(text_regex => qr/View My Details/);
$mech->form_number(1);
# Non-admin user shouldn't be able to change is_admin or user_active flags.
# Earlier in this script the page served to this user was checked to contain
# neither name, so the two flags go out here as extra request parameters next
# to the ordinary profile fields the user is allowed to edit.
#
# Nothing is asserted on the response itself.  The outcome is examined by the
# SQL section at the end of this file, which selects user_active for
# principal 1005.
# NOTE(review): is_admin is not among the columns selected there, so nothing
# in this file checks it after this request.  Both flags are also sent as
# 'off'; whether that value exercises the privilege check depends on how the
# server parses these fields -- confirm.
$mech->submit_form_ok(
    {
        form_number => 1,
        button      => 'submit',
        fields      => {
            xxxxusername     => 'user99',
            fullname         => 'User 99',
            email            => 'user99@example.net',
            locale           => 'en',
            date_format_type => 'I',
            type_id          => 2,
            is_admin         => 'off',
            user_active      => 'off',
        },
    },
    "Submit updated fields",
);
# The rename must have taken effect: log in under the new username with the
# password set earlier in this script.
subtest 'Login with new username' => sub {
    plan tests => 4;

    $mech = webui_login(
        username => 'user99',
        password => 'a new password',
        url      => "http://$webhost",
    );
};

$mech->follow_link(text_regex => qr/View My Details/);
$mech->form_number(1);

# The form must now show the submitted profile values, while principal_id is
# still 1005: the same principal was renamed, no new one was created.
for my $expectation (
    [ 'xxxxusername',     'user99',             'Username field correct' ],
    [ 'principal_id',     '1005',               'princial_id hidden field correct' ],
    [ 'fullname',         'User 99',            'Fullname field correct' ],
    [ 'email',            'user99@example.net', 'Email field correct' ],
    [ 'locale',           'en',                 'Locale field correct' ],
    [ 'date_format_type', 'I',                  'Date format type field correct' ],
    [ 'type_id',          2,                    'Type field correct' ],
) {
    my ($field_name, $wanted, $description) = @{$expectation};
    is($mech->value($field_name), $wanted, $description);
}
# Authorisation check on the record identifier: take the action URL of our own
# details form (id=1005) and re-point it at principal 1003, which this user
# has no access to.
my $other_principal_url = $mech->form_number(1)->action;
$other_principal_url =~ s/id=1005/id=1003/;
$mech->form_number(1)->action($other_principal_url);

# Submit changes to another user we don't have access to.  The hidden
# principal_id is overridden as well, so URL and form body name the same
# foreign record.
$mech->submit_form_ok(
    {
        form_number => 1,
        button      => 'submit',
        fields      => {
            principal_id     => '1003',
            xxxxusername     => 'user98',
            newpass1         => 'another password',
            newpass2         => 'another password',
            fullname         => 'User 98',
            email            => 'user98@example.net',
            locale           => 'en',
            date_format_type => 'I',
            type_id          => 2,
            is_admin         => 'off',
            user_active      => 'off',
        },
    },
    "Submit updated fields on a user we have no access to",
);

# The refusal message only proves what the response says.  Whether the stored
# rows stayed untouched is checked by the SQL section at the end of this
# file, which selects principals 1002 and 1003.
$mech->content_contains(
    'You do not have permission to modify this record.',
    'Error message denying access displayed',
);

# Fetch details for another user, make sure any sensitive sections are not
# visible.  Also, no need to show the change password fields.
$mech->get_ok($other_principal_url, "Fetch details page for principal ID 1003");
$mech->content_contains('Principal: User 2', 'Looking at principal ID 1003');

# Headings that must not be rendered when viewing someone else's principal.
# Each entry produces exactly one test.
my @hidden_sections = (
    'Change Password',
    'Confirm Password',
    'Group Memberships',
    'Principal Grants',
    'Access Tickets',
    'Principal Collections',
    'Bindings to other collections',
    'Bindings to this Principal\'s Collections',
);
for my $missing_text (@hidden_sections) {
    $mech->content_lacks($missing_text, "$missing_text missing");
}
# Invalidate the CSRF token to make sure the correct error is thrown.
# Start again from the user's own details page so the form is a fresh one.
$mech->follow_link(text_regex => qr/View My Details/);
$mech->form_number(1);

# Replace the token with a junk value and change the email in the same
# request; the email acts as the marker showing whether the write went
# through.
$mech->submit_form_ok(
    {
        form_number => 1,
        button      => 'submit',
        fields      => {
            csrf_token => 'bogus',
            email      => 'bogus-csrf@example.net',
        },
    },
    "Submit form with bogus CSRF fields",
);

# The request must be refused with the CSRF error ...
$mech->content_contains(
    'A valid CSRF token must be provided',
    'Error message rejecting CSRF displayed',
);

# ... and the form must show the email from before the request.  This checks
# the rendered value; the stored email for principal 1005 is selected by the
# SQL section at the end of this file.
# NOTE(review): only a wrong token value is exercised here; a request with
# the csrf_token field absent is not covered in this file.
is($mech->value('email'), 'user99@example.net', 'Email field back to previous value');
ENDPERL
# Check the stored row for the user we modified (principal 1005): the submitted fields should be saved and the password value changed.
BEGINQUERY
SELECT user_active, username, password <> '**user4' AS password_changed, fullname, email,
date_format_type, locale, type_id, displayname, dav_name
FROM dav_principal
WHERE principal_id = 1005;
ENDQUERY
# Test some other users we've not modified to ensure they've stayed the same.
BEGINQUERY
SELECT user_active, username, password = '**user1' AS password_same, fullname, email,
date_format_type, locale, type_id, displayname, dav_name
FROM dav_principal
WHERE principal_id IN (1002, 1003)
ORDER BY principal_id;
ENDQUERY