Disallow a user from banning themselves.

Closes tildes-community/tildes-cf#9 See merge request tildes-community/tildes-cf!12
2026-04-16 06:18:34 +02:00 · 2025-01-31 19:30:02 +00:00
parent 34a6e126d1
commit c2369bdfe4
3 changed files with 54 additions and 1 deletions
--- a/tildes/tests/conftest.py
+++ b/tildes/tests/conftest.py
@@ -15,8 +15,9 @@ from testing.redis import RedisServer
 from webtest import TestApp

 from scripts.initialize_db import create_tables
+from tildes.enums import UserPermission
 from tildes.models.group import Group
-from tildes.models.user import User
+from tildes.models.user import User, UserPermissions


 # include the fixtures defined in fixtures.py
@@ -172,6 +173,25 @@ def session_user2(sdb):
    yield user


+@fixture(scope="session", autouse=True)
+def session_admin_user(sdb):
+    """Create a third user named 'AdminUser' in the db for test session.
+
+    This user is granted all available user permissions.
+    """
+    user = User("AdminUser", "admin user password")
+    for permission in UserPermission:
+        user_permission = UserPermissions()
+        user_permission.user = user
+        user_permission.permission = permission
+        sdb.add(user_permission)
+
+    sdb.add(user)
+    sdb.commit()
+
+    yield user
+
+
@fixture(scope="session", autouse=True)
 def session_group(sdb):
    """Create a group named 'sessiongroup' in the db for test session."""
@@ -220,6 +240,20 @@ def webtest(base_app):
    yield app


+@fixture(scope="session")
+def webtest_admin(base_app):
+    """Create a webtest TestApp and log in as the AdminUser account in it."""
+    app = TestApp(base_app, extra_environ=WEBTEST_EXTRA_ENVIRON)
+
+    # fetch the login page, fill in the form, and submit it (sets the cookie)
+    login_page = app.get("/login")
+    login_page.form["username"] = "AdminUser"
+    login_page.form["password"] = "admin user password"
+    login_page.form.submit()
+
+    yield app
+
+
@fixture(scope="function")
 def webtest_loggedout(base_app):
    """Create a logged-out webtest TestApp (function scope, so no state is retained)."""
--- a/tildes/tests/webtests/test_admin_user.py
+++ b/tildes/tests/webtests/test_admin_user.py
@@ -0,0 +1,18 @@
+# Copyright (c) 2025 Tildes contributors <code@tildes.net>
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+
+def test_ban_button_hidden_from_self(webtest_admin):
+    """Test that the Ban button is hidden on a user's own profile."""
+    profile = webtest_admin.get("/user/AdminUser")
+    assert profile.status_int == 200
+    assert profile.text.count("Ban user") == 0
+    assert profile.text.count("Unban user") == 0
+
+
+def test_ban_button_shown_for_other_user(webtest_admin):
+    """Test that the Ban button is shown on a different user's profile."""
+    profile = webtest_admin.get("/user/SessionUser")
+    assert profile.status_int == 200
+    assert profile.text.count("Ban user") > 0
+    assert profile.text.count("Unban user") == 0
--- a/tildes/tildes/models/user/user.py
+++ b/tildes/tildes/models/user/user.py
@@ -213,6 +213,7 @@ class User(DatabaseModel):
        if self.is_deleted:
            acl.append((Deny, Everyone, "ban"))

+        acl.append((Deny, self.user_id, "ban"))
        acl.append((Allow, "*:user.ban", "ban"))

        # view_removed_posts: