diff schema/manage_users_tests.sql @ 319:ac760b0f22a9
Add special role for password reset
As password reset is exposed without requiring a login, let this role
have privileges limited to reseting passwords, and only reseting passwords.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Thu, 02 Aug 2018 13:06:39 +0200 |
parents | 750a9c9cd965 |
children | 363983d5c567 |
--- a/schema/manage_users_tests.sql Thu Aug 02 12:48:59 2018 +0200
+++ b/schema/manage_users_tests.sql Thu Aug 02 13:06:39 2018 +0200
@@ -255,3 +255,38 @@
 $$, 55006, NULL, 'Current user cannot be deleted');
+
+
+--
+-- Password reset
+--
+
+-- Workaround broken relocatability of pgtap (otherwise we could
+-- put pgtap in its own schema and GRANT USAGE to PUBLIC on it)
+RESET SESSION AUTHORIZATION;
+GRANT USAGE ON SCHEMA public TO pw_reset;
+
+SET SESSION AUTHORIZATION test_pw_reset;
+
+SELECT isnt_empty($$
+ SELECT username, email_address FROM pw_reset.list_users
+ $$,
+ 'Special role can see users with their email addresses');
+
+SELECT results_eq($$
+ UPDATE pw_reset.list_users
+ SET pw = 'user_at2!' WHERE username = 'test_user_at'
+ RETURNING email_address
+ $$,
+ $$
+ SELECT email_address FROM pw_reset.list_users
+ WHERE username = 'test_user_at'
+ $$,
+ 'Special role can update password');
+
+SELECT throws_ok($$
+ UPDATE pw_reset.list_users
+ SET username = 'test_rename', email_address = 'test'
+ $$,
+ 42501, NULL,
+ 'Special role cannot update arbitrary user attributes');
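Review bot: The negative coverage for the new role stops at the final throws_ok (updating username/email_address); nothing checks that test_pw_reset cannot read the pw column, cannot DELETE from pw_reset.list_users, or cannot INSERT, which is exactly the "only resetting passwords" property the commit message claims. Two more checks in the same shape would pin that, e.g. `SELECT throws_ok($$ SELECT pw FROM pw_reset.list_users $$, 42501, NULL, 'Special role cannot read passwords');` and `SELECT throws_ok($$ DELETE FROM pw_reset.list_users $$, 42501, NULL, 'Special role cannot delete users');`, assuming list_users exposes pw as a column, which the `SET pw = ...` line suggests. The UPDATE inside the last throws_ok has no WHERE clause, so if the column privileges are ever widened it would rename every user in the test database before the assertion fails; adding `WHERE username = 'test_user_at'` keeps the test bounded without weakening it. The results_eq check only proves the UPDATE returned a row for test_user_at, not that the stored password changed; if the harness can authenticate as that user, a login attempt with the new password would be the stronger assertion.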