from django.test import TestCase
from django.contrib.auth import get_user_model
from rest_framework.test import APIClient


class UserViewAnonymousTests(TestCase):
    """Regression tests for how the user detail endpoint treats anonymous clients.

    Both tests drive the same endpoint with an unauthenticated ``APIClient``
    and pin the exact rejection status, so that an anonymous caller can never
    modify or read another account's record, and so that the rejection is a
    clean permission/authentication response rather than a server error.
    """

    def setUp(self):
        """Create an unauthenticated API client and one active user to target."""
        self.client = APIClient()
        user_model = get_user_model()
        # The password is a throwaway fixture value; nothing logs in with it.
        self.target_user = user_model.objects.create_user(
            username="target",
            email="target@example.com",
            password="pass1234",
            is_active=True,
        )

    def _user_detail_url(self):
        """Return the detail URL of the fixture user (path is hard-coded, not reversed)."""
        return f"/api/account/users/{self.target_user.id}/"

    @staticmethod
    def _failure_message(resp):
        """Build the assertion message: status plus parsed body, or raw content if unparsed."""
        body = getattr(resp, "data", resp.content)
        return f"Unexpected status: {resp.status_code}, body={body}"

    def test_anonymous_update_user_is_forbidden_and_does_not_crash(self):
        """An anonymous PUT must be rejected with 403 and must never surface a 500."""
        payload = {"username": "newname", "email": self.target_user.email}
        resp = self.client.put(self._user_detail_url(), data=payload, format="json")
        # Exact 403 is asserted rather than "not 500": a 200 here would mean
        # an anonymous client rewrote another account's username/email.
        self.assertEqual(resp.status_code, 403, msg=self._failure_message(resp))

    def test_anonymous_retrieve_user_is_unauthorized(self):
        """An anonymous GET must be rejected with 401 (the view requires authentication)."""
        resp = self.client.get(self._user_detail_url())
        # NOTE(review): update yields 403 while retrieve yields 401 for the same
        # anonymous client — presumably the update path is cut off by a permission
        # check before any authentication challenge is issued; confirm against the view.
        self.assertEqual(resp.status_code, 401, msg=self._failure_message(resp))