diff schema/manage_users_tests.sql @ 319:ac760b0f22a9

Add special role for password reset As password reset is exposed without requiring a login, let this role have privileges limited to resetting passwords, and only resetting passwords.
author Tom Gottfried <tom@intevation.de>
date Thu, 02 Aug 2018 13:06:39 +0200
parents 750a9c9cd965
children 363983d5c567
--- a/schema/manage_users_tests.sql	Thu Aug 02 12:48:59 2018 +0200
+++ b/schema/manage_users_tests.sql	Thu Aug 02 13:06:39 2018 +0200
@@ -255,3 +255,38 @@
     $$,
     55006, NULL,
     'Current user cannot be deleted');
+
+
+--
+-- Password reset
+--
+
+-- Workaround broken relocatability of pgtap (otherwise we could
+-- put pgtap in its own schema and GRANT USAGE to PUBLIC on it)
+RESET SESSION AUTHORIZATION;
+GRANT USAGE ON SCHEMA public TO pw_reset;
+
+SET SESSION AUTHORIZATION test_pw_reset;
+
+SELECT isnt_empty($$
+    SELECT username, email_address FROM pw_reset.list_users
+    $$,
+    'Special role can see users with their email addresses');
+
+SELECT results_eq($$
+    UPDATE pw_reset.list_users
+        SET pw = 'user_at2!' WHERE username = 'test_user_at'
+        RETURNING email_address
+    $$,
+    $$
+    SELECT email_address FROM pw_reset.list_users
+        WHERE username = 'test_user_at'
+    $$,
+    'Special role can update password');
+
+SELECT throws_ok($$
+    UPDATE pw_reset.list_users
+        SET username = 'test_rename', email_address = 'test'
+    $$,
+    42501, NULL,
+    'Special role cannot update arbitrary user attributes');
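Review bot: The only negative test for the new role is the UPDATE of username/email_address at the end of the hunk, so the privilege boundary the commit message promises ("only resetting passwords") is checked from one side only: nothing asserts that test_pw_reset cannot DELETE from or INSERT into pw_reset.list_users, nor that it cannot read columns beyond username and email_address. A regression that widens the GRANT on the view would pass this file unchanged. I would add at least `SELECT throws_ok($$ DELETE FROM pw_reset.list_users $$, 42501, NULL, 'Special role cannot delete users');` and a matching throws_ok for an INSERT, plus one for selecting the pw column. Two smaller points: the session stays switched to test_pw_reset after this block with no trailing RESET SESSION AUTHORIZATION, which matters if tests are appended later, and the `GRANT USAGE ON SCHEMA public TO pw_reset` workaround persists beyond the test run unless the file is wrapped in a transaction that is rolled back — I cannot see that from the hunk, so worth confirming.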