From dd3690dd6aac1d65c2a2916d949e9ca979abced0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=9D=E7=91=AA=E8=B2=93?=
Date: Wed, 1 Feb 2023 23:59:42 +0800
Subject: [PATCH] Added the AccountTestCase test case with the test_nobody and test_viewer tests.
---
 tests/test_account.py | 126 ++++++++++++++++++++++++++++++++++++++++++
 tests/testlib.py | 34 ++++++++++++
 2 files changed, 160 insertions(+)
diff --git a/tests/test_account.py b/tests/test_account.py
index 0727f41..f2b07f1 100644
--- a/tests/test_account.py
+++ b/tests/test_account.py
@@ -20,11 +20,13 @@
 """
 import unittest
+import httpx
 import sqlalchemy as sa
 from click.testing import Result
 from flask import Flask
 from flask.testing import FlaskCliRunner
+from testlib import UserClient, get_user_client
 from testsite import create_app
@@ -80,3 +82,127 @@ class AccountCommandTestCase(unittest.TestCase):
 self.assertEqual(account.title_l10n, base.title_l10n)
 self.assertEqual({x.locale: x.title for x in account.l10n},
 {x.locale: x.title for x in base.l10n})
+
+
+class AccountTestCase(unittest.TestCase):
+ """The account test case."""
+
+ def setUp(self) -> None:
+ """Sets up the test.
+ This is run once per test.
+
+ :return: None.
+ """
+ self.app: Flask = create_app(is_testing=True)
+
+ runner: FlaskCliRunner = self.app.test_cli_runner()
+ with self.app.app_context():
+ from accounting.database import db
+ from accounting.models import BaseAccount, Account, AccountL10n
+ result: Result
+ result = runner.invoke(args="init-db")
+ self.assertEqual(result.exit_code, 0)
+ if BaseAccount.query.first() is None:
+ result = runner.invoke(args="accounting-init-base")
+ self.assertEqual(result.exit_code, 0)
+ AccountL10n.query.delete()
+ Account.query.delete()
+ db.session.commit()
+
+ self.viewer: UserClient = get_user_client(self, self.app, "viewer")
+ self.editor: UserClient = get_user_client(self, self.app, "editor")
+ self.nobody: UserClient = get_user_client(self, self.app, "nobody")
+
+ client: httpx.Client = self.editor.client
+ csrf_token: str = self.editor.csrf_token
+ response: httpx.Response
+
+ response = client.post("/accounting/accounts/store",
+ data={"csrf_token": csrf_token,
+ "base_code": "1111",
+ "title": "1111 title"})
+ self.assertEqual(response.status_code, 302)
+ self.assertEqual(response.headers["Location"],
+ "/accounting/accounts/1111-001")
+
+ response = client.post("/accounting/accounts/store",
+ data={"csrf_token": csrf_token,
+ "base_code": "1112",
+ "title": "1112 title"})
+ self.assertEqual(response.status_code, 302)
+ self.assertEqual(response.headers["Location"],
+ "/accounting/accounts/1112-001")
+
+ def test_nobody(self) -> None:
+ """Test the permission as nobody.
+
+ :return: None.
+ """
+ response: httpx.Response
+ client: httpx.Client = self.nobody.client
+ csrf_token: str = self.nobody.csrf_token
+
+ response = client.get("/accounting/accounts")
+ self.assertEqual(response.status_code, 403)
+
+ response = client.get("/accounting/accounts/1111-001")
+ self.assertEqual(response.status_code, 403)
+
+ response = client.get("/accounting/accounts/create")
+ self.assertEqual(response.status_code, 403)
+
+ response = client.post("/accounting/accounts/store",
+ data={"csrf_token": csrf_token,
+ "base_code": "1113",
+ "title": "1113 title"})
+ self.assertEqual(response.status_code, 403)
+
+ response = client.get("/accounting/accounts/1111-001/edit")
+ self.assertEqual(response.status_code, 403)
+
+ response = client.post("/accounting/accounts/1111-001/update",
+ data={"csrf_token": csrf_token,
+ "base_code": "1111",
+ "title": "1111 title #2"})
+ self.assertEqual(response.status_code, 403)
+
+ response = client.post("/accounting/accounts/1111-001/delete",
+ data={"csrf_token": csrf_token})
+ self.assertEqual(response.status_code, 403)
+
+ def test_viewer(self) -> None:
+ """Test the permission as viewer.
+
+ :return: None.
+ """
+ response: httpx.Response
+ client: httpx.Client = self.viewer.client
+ csrf_token: str = self.viewer.csrf_token
+
+ response = client.get("/accounting/accounts")
+ self.assertEqual(response.status_code, 200)
+
+ response = client.get("/accounting/accounts/1111-001")
+ self.assertEqual(response.status_code, 200)
+
+ response = client.get("/accounting/accounts/create")
+ self.assertEqual(response.status_code, 403)
+
+ response = client.post("/accounting/accounts/store",
+ data={"csrf_token": csrf_token,
+ "base_code": "1113",
+ "title": "1113 title"})
+ self.assertEqual(response.status_code, 403)
+
+ response = client.get("/accounting/accounts/1111-001/edit")
+ self.assertEqual(response.status_code, 403)
+
+ response = client.post("/accounting/accounts/1111-001/update",
+ data={"csrf_token": csrf_token,
+ "base_code": "1111",
+ "title": "1111 title #2"})
+ self.assertEqual(response.status_code, 403)
+
+ response = client.post("/accounting/accounts/1111-001/delete",
+ data={"csrf_token": csrf_token})
+ self.assertEqual(response.status_code, 403)
diff --git a/tests/testlib.py b/tests/testlib.py
index e00a5e6..51438be 100644
--- a/tests/testlib.py
+++ b/tests/testlib.py
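Review bot: The denied POSTs in `test_nobody` and `test_viewer` of tests/test_account.py (store, update, delete) assert only the 403 status, so a handler that performed the write before rejecting the request would still pass. After those calls the tests should also confirm that the data is unchanged, for example inside `with self.app.app_context():` check `self.assertEqual(Account.query.count(), 2)` for the two accounts created in `setUp`. `Account` is imported locally in `setUp`, so the test methods would need the same import. Both roles are logged-in users obtained through `get_user_client`; a client with no session at all is not exercised here, which may deserve its own test if the routes are expected to reject anonymous requests.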
@@ -21,6 +21,40 @@ from html.parser import HTMLParser
 from unittest import TestCase
 import httpx
+from flask import Flask
+
+
+class UserClient:
+ """A user client."""
+
+ def __init__(self, client: httpx.Client, csrf_token: str):
+ """Constructs a user client.
+
+ :param client: The client.
+ :param csrf_token: The CSRF token.
+ """
+ self.client: httpx.Client = client
+ self.csrf_token: str = csrf_token
+
+
+def get_user_client(test_case: TestCase, app: Flask, username: str) \
+ -> UserClient:
+ """Returns a user client.
+
+ :param test_case: The test case.
+ :param app: The Flask application.
+ :param username: The username.
+ :return: The user client.
+ """
+ client: httpx.Client = httpx.Client(app=app, base_url="https://testserver")
+ client.headers["Referer"] = "https://testserver"
+ csrf_token: str = get_csrf_token(test_case, client, "/login")
+ response: httpx.Response = client.post("/login",
+ data={"csrf_token": csrf_token,
+ "username": username})
+ test_case.assertEqual(response.status_code, 302)
+ test_case.assertEqual(response.headers["Location"], "/")
+ return UserClient(client, csrf_token)
 def get_csrf_token(test_case: TestCase, client: httpx.Client, uri: str) -> str:
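Review bot: `get_user_client` returns the CSRF token that was fetched from `/login` before the login POST, and the docstring does not say that every later request in the test cases reuses this pre-login token. That only works while the test site keeps the same session and token across login; if login ever regenerates the session, the POSTs would likely fail the CSRF check before reaching the permission check. I would document it, e.g. `:return: The user client, holding the CSRF token obtained before login.`, or fetch the token again once the login has succeeded. The `httpx.Client` is also never closed; `test_case.addCleanup(client.close)` right after it is created would release it at the end of each test. The body of `get_csrf_token` lies outside this hunk, so how the token is extracted is not visible here.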