Mercurial > gemma
comparison schema/manage_users_tests.sql @ 319:ac760b0f22a9
Add special role for password reset
As password reset is exposed without requiring a login, let this role
have privileges limited to reseting passwords, and only reseting passwords.
| author | Tom Gottfried <tom@intevation.de> |
|---|---|
| date | Thu, 02 Aug 2018 13:06:39 +0200 |
| parents | 750a9c9cd965 |
| children | 363983d5c567 |
comparison
equal
deleted
inserted
replaced
| 318:1a2dfd9351e9 | 319:ac760b0f22a9 |
|---|---|
| 253 SELECT throws_ok($$ | 253 SELECT throws_ok($$ |
| 254 SELECT sys_admin.delete_user(CAST(current_user AS varchar)) | 254 SELECT sys_admin.delete_user(CAST(current_user AS varchar)) |
| 255 $$, | 255 $$, |
| 256 55006, NULL, | 256 55006, NULL, |
| 257 'Current user cannot be deleted'); | 257 'Current user cannot be deleted'); |
| 258 | |
| 259 | |
| 260 -- | |
| 261 -- Password reset | |
| 262 -- | |
| 263 | |
| 264 -- Workaround broken relocatability of pgtap (otherwise we could | |
| 265 -- put pgtap in its own schema and GRANT USAGE to PUBLIC on it) | |
| 266 RESET SESSION AUTHORIZATION; | |
| 267 GRANT USAGE ON SCHEMA public TO pw_reset; | |
| 268 | |
| 269 SET SESSION AUTHORIZATION test_pw_reset; | |
| 270 | |
| 271 SELECT isnt_empty($$ | |
| 272 SELECT username, email_address FROM pw_reset.list_users | |
| 273 $$, | |
| 274 'Special role can see users with their email addresses'); | |
| 275 | |
| 276 SELECT results_eq($$ | |
| 277 UPDATE pw_reset.list_users | |
| 278 SET pw = 'user_at2!' WHERE username = 'test_user_at' | |
| 279 RETURNING email_address | |
| 280 $$, | |
| 281 $$ | |
| 282 SELECT email_address FROM pw_reset.list_users | |
| 283 WHERE username = 'test_user_at' | |
| 284 $$, | |
| 285 'Special role can update password'); | |
| 286 | |
| 287 SELECT throws_ok($$ | |
| 288 UPDATE pw_reset.list_users | |
| 289 SET username = 'test_rename', email_address = 'test' | |
| 290 $$, | |
| 291 42501, NULL, | |
| 292 'Special role cannot update arbitrary user attributes'); |