comparison schema/manage_users_tests.sql @ 319:ac760b0f22a9
Add special role for password reset
As password reset is exposed without requiring a login, let this role
have privileges limited to resetting passwords, and only resetting passwords.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Thu, 02 Aug 2018 13:06:39 +0200 |
parents | 750a9c9cd965 |
children | 363983d5c567 |
318:1a2dfd9351e9 | 319:ac760b0f22a9 |
---|---|
253 SELECT throws_ok($$ | 253 SELECT throws_ok($$ |
254 SELECT sys_admin.delete_user(CAST(current_user AS varchar)) | 254 SELECT sys_admin.delete_user(CAST(current_user AS varchar)) |
255 $$, | 255 $$, |
256 55006, NULL, | 256 55006, NULL, |
257 'Current user cannot be deleted'); | 257 'Current user cannot be deleted'); |
258 | |
259 | |
260 -- | |
261 -- Password reset | |
262 -- | |
263 | |
264 -- Workaround broken relocatability of pgtap (otherwise we could | |
265 -- put pgtap in its own schema and GRANT USAGE to PUBLIC on it) | |
266 RESET SESSION AUTHORIZATION; | |
267 GRANT USAGE ON SCHEMA public TO pw_reset; | |
268 | |
269 SET SESSION AUTHORIZATION test_pw_reset; | |
270 | |
271 SELECT isnt_empty($$ | |
272 SELECT username, email_address FROM pw_reset.list_users | |
273 $$, | |
274 'Special role can see users with their email addresses'); | |
275 | |
276 SELECT results_eq($$ | |
277 UPDATE pw_reset.list_users | |
278 SET pw = 'user_at2!' WHERE username = 'test_user_at' | |
279 RETURNING email_address | |
280 $$, | |
281 $$ | |
282 SELECT email_address FROM pw_reset.list_users | |
283 WHERE username = 'test_user_at' | |
284 $$, | |
285 'Special role can update password'); | |
286 | |
287 SELECT throws_ok($$ | |
288 UPDATE pw_reset.list_users | |
289 SET username = 'test_rename', email_address = 'test' | |
290 $$, | |
291 42501, NULL, | |
292 'Special role cannot update arbitrary user attributes'); |
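Review bot: The last negative test (lines 287–292) changes `username` and `email_address` in a single UPDATE, so it still passes with 42501 if only one of the two columns is protected from the password-reset role. Since this role is meant to be usable without a login, each attribute should get its own `throws_ok` call, one running `UPDATE pw_reset.list_users SET username = 'test_rename'` and one running `UPDATE pw_reset.list_users SET email_address = 'test'`, both expecting 42501. The positive test at lines 276–285 only compares the returned e-mail address with a SELECT, so it shows that the UPDATE is permitted but not that the stored password actually changed. Nothing visible here asserts that the role is refused INSERT and DELETE on `pw_reset.list_users`, or that it cannot read `pw` back if that column is selectable there; those checks would pin down the "only resetting passwords" claim in the commit message.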