from django.test import TestCase
from django.contrib.auth import get_user_model
from rest_framework.test import APIClient
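class UserViewAnonymousTests(TestCase):
    """Access-control tests for the user detail endpoint with an anonymous caller.

    Each test sends a request through a credential-less ``APIClient`` to
    ``/api/account/users/<id>/`` and checks that the endpoint refuses it
    cleanly: a denial status rather than a 500, no change to the stored
    user, and no user data in the refusal body.
    """

    def setUp(self):
        """Create an unauthenticated client and the account the tests target."""
        # No credentials are attached to this client, so every request made
        # through it in this class is anonymous.
        self.client = APIClient()
        User = get_user_model()
        # Fixture account; the password is a throwaway value that only exists
        # in the test database.
        self.target_user = User.objects.create_user(
            username="target",
            email="target@example.com",
            password="pass1234",
            is_active=True,
        )

    @staticmethod
    def _failure_detail(resp):
        """Return a short description of *resp* for assertion messages."""
        return f"Unexpected status: {resp.status_code}, body={getattr(resp, 'data', resp.content)}"

    def test_anonymous_update_user_is_forbidden_and_does_not_crash(self):
        """An anonymous PUT is rejected with 403 and leaves the user untouched."""
        url = f"/api/account/users/{self.target_user.id}/"
        payload = {"username": "newname", "email": self.target_user.email}
        resp = self.client.put(url, data=payload, format="json")
        # Expect 403 Forbidden (permission denied), but most importantly no 500 error
        # NOTE(review): the retrieve test expects 401 for the same URL. In DRF the
        # 401/403 choice for an unauthenticated request depends on the configured
        # authentication classes and on how the view denies the action; confirm the
        # asymmetry between PUT and GET is intended.
        self.assertEqual(resp.status_code, 403, msg=self._failure_detail(resp))
        # A denial status alone does not prove the write was blocked: a view that
        # saves before checking permissions would still return 403. Re-read the row
        # and confirm the rejected payload was not persisted.
        self.target_user.refresh_from_db()
        self.assertEqual(
            self.target_user.username,
            "target",
            msg="Anonymous PUT was rejected but the username was still modified",
        )

    def test_anonymous_retrieve_user_is_unauthorized(self):
        """An anonymous GET is rejected with 401 and discloses no user data."""
        url = f"/api/account/users/{self.target_user.id}/"
        resp = self.client.get(url)
        # Retrieve requires authentication per view; expect 401 Unauthorized
        self.assertEqual(resp.status_code, 401, msg=self._failure_detail(resp))
        # The refusal body must not echo fields of the requested account.
        self.assertNotIn(
            self.target_user.email.encode(),
            resp.content,
            msg="401 response body discloses the target user's email",
        )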