Test for user system and comments

2025-10-06 02:08:26 +02:00
parent d96a29ee73
commit 04c2d2b7f5
12 changed files with 501 additions and 29 deletions
--- a/tests/api/admin_dashboard.rs
+++ b/tests/api/admin_dashboard.rs
@@ -40,7 +40,7 @@ async fn subscribers_are_visible_on_the_dashboard(connection_pool: PgPool) {
    app.admin_login().await;

    let response = app.get_admin_dashboard_html().await;
-    assert!(response.contains("No data available"));
+    assert!(response.contains("No subscribers to display"));

    app.create_confirmed_subscriber().await;
    let subscriber = sqlx::query!("SELECT id, email FROM subscriptions")
@@ -53,10 +53,90 @@ async fn subscribers_are_visible_on_the_dashboard(connection_pool: PgPool) {

    app.delete_subscriber(subscriber.id).await;
    let response = app.get_admin_dashboard_html().await;
-    assert!(response.contains("No data available"));
+    assert!(response.contains("No subscribers to display"));
    assert!(!response.contains(&subscriber.email));
 }

+#[sqlx::test]
+async fn posts_are_visible_on_the_dashboard(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+
+    let response = app.get_admin_dashboard_html().await;
+    assert!(response.contains("No posts to display"));
+
+    let response = app.post_create_post(&fake_post_body()).await;
+    assert!(
+        response
+            .text()
+            .await
+            .unwrap()
+            .contains("Your new post has been published")
+    );
+
+    let (post_id, post_title) = {
+        let record = sqlx::query!("SELECT post_id, title FROM posts")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        (record.post_id, record.title)
+    };
+
+    let html = app.get_admin_dashboard_html().await;
+    assert!(html.contains(&post_title));
+
+    app.delete_post(post_id).await;
+    let response = app.get_admin_dashboard_html().await;
+    assert!(response.contains("No posts to display"));
+}
+
+#[sqlx::test]
+async fn comments_are_visible_on_the_dashboard(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+
+    let response = app.get_admin_dashboard_html().await;
+    assert!(response.contains("No comments to display"));
+
+    app.post_create_post(&fake_post_body()).await;
+
+    let (post_id, post_title) = {
+        let record = sqlx::query!("SELECT post_id, title FROM posts")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        (record.post_id, record.title)
+    };
+
+    let author = "author";
+    let content = "comment";
+    let comment_body = serde_json::json!({
+        "author": author,
+        "content": content,
+        "idempotency_key": "key"
+    });
+    app.post_comment(&post_id, &comment_body).await;
+
+    let response = app.get_admin_dashboard_html().await;
+    assert!(response.contains(author));
+    assert!(response.contains(content));
+
+    let html = app.get_admin_dashboard_html().await;
+    assert!(html.contains(&post_title));
+
+    let comment_id = {
+        let record = sqlx::query!("SELECT comment_id FROM comments")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.comment_id
+    };
+
+    app.delete_comment(comment_id).await;
+    let response = app.get_admin_dashboard_html().await;
+    assert!(response.contains("No comments to display"));
+}
+
 #[sqlx::test]
 async fn dashboard_shows_correct_stats(connection_pool: PgPool) {
    let app = TestApp::spawn(connection_pool).await;
--- a/tests/api/helpers.rs
+++ b/tests/api/helpers.rs
@@ -130,6 +130,26 @@ impl TestApp {
        app
    }

+    pub async fn create_user(
+        &self,
+        username: &str,
+        password: &str,
+        admin: bool,
+    ) -> reqwest::Response {
+        let body = serde_json::json!({
+            "username": username,
+            "password": password,
+            "password_check": password,
+            "admin": admin,
+        });
+        self.api_client
+            .post(format!("{}/admin/users", self.address))
+            .form(&body)
+            .send()
+            .await
+            .unwrap()
+    }
+
    pub async fn create_unconfirmed_subscriber(&self) -> ConfirmationLinks {
        let email: String = SafeEmail().fake();
        let body = format!("email={email}");
@@ -166,7 +186,7 @@ impl TestApp {
            .unwrap();
    }

-    pub async fn delete_subscriber(&self, subscriber_id: Uuid) {
+    pub async fn delete_subscriber(&self, subscriber_id: Uuid) -> reqwest::Response {
        self.api_client
            .delete(format!(
                "{}/admin/subscribers/{}",
@@ -174,7 +194,15 @@ impl TestApp {
            ))
            .send()
            .await
-            .expect("Could not delete subscriber");
+            .expect("Could not delete subscriber")
+    }
+
+    pub async fn delete_user(&self, user_id: Uuid) -> reqwest::Response {
+        self.api_client
+            .delete(format!("{}/admin/users/{}", self.address, user_id))
+            .send()
+            .await
+            .expect("Could not delete user")
    }

    pub async fn dispatch_all_pending_emails(&self) {
@@ -371,12 +399,20 @@ impl TestApp {
            .expect("Failed to execute request")
    }

-    pub async fn delete_post(&self, post_id: Uuid) {
+    pub async fn delete_post(&self, post_id: Uuid) -> reqwest::Response {
        self.api_client
            .delete(format!("{}/admin/posts/{}", self.address, post_id))
            .send()
            .await
-            .expect("Could not delete post");
+            .expect("Could not delete post")
+    }
+
+    pub async fn delete_comment(&self, comment_id: Uuid) -> reqwest::Response {
+        self.api_client
+            .delete(format!("{}/admin/comments/{}", self.address, comment_id))
+            .send()
+            .await
+            .expect("Could not delete comment")
    }

    pub async fn post_unsubscribe<Body>(&self, body: &Body) -> reqwest::Response
@@ -418,8 +454,7 @@ pub fn fake_post_body() -> serde_json::Value {
    serde_json::json!({
        "title": "Post title",
        "content": "Post content",
-        "idempotency_key": Uuid::new_v4().to_string(),
-
+        "idempotency_key": Uuid::new_v4().to_string()
    })
 }

--- a/tests/api/main.rs
+++ b/tests/api/main.rs
@@ -10,3 +10,4 @@ mod subscriptions;
 mod subscriptions_confirm;
 mod unsubscribe;
 mod unsubscribe_confirm;
+mod users;
--- a/tests/api/users.rs
+++ b/tests/api/users.rs
@@ -0,0 +1,346 @@
+use crate::helpers::{TestApp, fake_newsletter_body, fake_post_body, when_sending_an_email};
+use sqlx::PgPool;
+use wiremock::ResponseTemplate;
+use zero2prod::authentication::Role;
+
+#[sqlx::test]
+async fn admin_can_create_user(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, false).await;
+
+    let record = sqlx::query!("SELECT user_id FROM users WHERE username = $1", username)
+        .fetch_optional(&app.connection_pool)
+        .await
+        .unwrap();
+    assert!(record.is_some());
+
+    let html = app.get_admin_dashboard_html().await;
+    assert!(html.contains(username));
+}
+
+#[sqlx::test]
+async fn admin_can_create_admin_user(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, true).await;
+
+    let record = sqlx::query!(
+        r#"
+        SELECT role as "role: Role"
+        FROM users WHERE username = $1
+        "#,
+        username
+    )
+    .fetch_one(&app.connection_pool)
+    .await
+    .unwrap();
+    matches!(record.role, Role::Admin);
+
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    app.post_login(&login_body).await;
+
+    let html = app.get_admin_dashboard_html().await;
+    assert!(html.contains("Administration"));
+}
+
+#[sqlx::test]
+async fn admin_users_can_create_posts(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, true).await;
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    app.post_login(&login_body).await;
+    app.create_confirmed_subscriber().await;
+    when_sending_an_email()
+        .respond_with(ResponseTemplate::new(200))
+        .expect(1)
+        .mount(&app.email_server)
+        .await;
+    app.post_create_post(&fake_post_body()).await;
+    app.dispatch_all_pending_emails().await;
+}
+
+#[sqlx::test]
+async fn admin_users_can_send_emails(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, true).await;
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    app.post_login(&login_body).await;
+    app.create_confirmed_subscriber().await;
+    when_sending_an_email()
+        .respond_with(ResponseTemplate::new(200))
+        .expect(1)
+        .mount(&app.email_server)
+        .await;
+    app.post_newsletters(&fake_newsletter_body()).await;
+    app.dispatch_all_pending_emails().await;
+}
+
+#[sqlx::test]
+async fn admin_users_can_create_users(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, true).await;
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    app.post_login(&login_body).await;
+
+    let username = "other_user";
+    app.create_user(username, password, true).await;
+    let html = app.get_admin_dashboard_html().await;
+    assert!(html.contains(username));
+}
+
+#[sqlx::test]
+async fn admin_users_can_delete_contents(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, true).await;
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    app.post_login(&login_body).await;
+
+    app.create_confirmed_subscriber().await;
+    let (subscriber_id, email) = {
+        let record = sqlx::query!("SELECT id, email FROM subscriptions")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        (record.id, record.email)
+    };
+    let response = app.delete_subscriber(subscriber_id).await;
+    let text = response.text().await.unwrap();
+    assert!(text.contains(&email));
+    assert!(text.contains("has been deleted"));
+
+    app.create_user("other_user", password, true).await;
+    let user_id = {
+        let record = sqlx::query!("SELECT user_id FROM users")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.user_id
+    };
+    let response = app.delete_user(user_id).await;
+    let text = response.text().await.unwrap();
+    assert!(text.contains("The user has been deleted"));
+
+    app.post_create_post(&fake_post_body()).await;
+    let post_id = {
+        let record = sqlx::query!("SELECT post_id FROM posts")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.post_id
+    };
+
+    let comment_body = serde_json::json!({
+        "author": "author",
+        "content": "comment",
+        "idempotency_key": "key",
+    });
+    app.post_comment(&post_id, &comment_body).await;
+    let comment_id = {
+        let record = sqlx::query!("SELECT comment_id FROM comments")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.comment_id
+    };
+    let response = app.delete_comment(comment_id).await;
+    assert!(
+        response
+            .text()
+            .await
+            .unwrap()
+            .contains("The comment has been deleted")
+    );
+
+    let response = app.delete_post(post_id).await;
+    let text = response.text().await.unwrap();
+    assert!(text.contains("The post has been deleted"));
+}
+
+#[sqlx::test]
+async fn admin_functions_are_hidden_for_non_admin_users(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, false).await;
+    let record = sqlx::query!(
+        r#"
+        SELECT role as "role: Role"
+        FROM users WHERE username = $1
+        "#,
+        username
+    )
+    .fetch_one(&app.connection_pool)
+    .await
+    .unwrap();
+    matches!(record.role, Role::Writer);
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    let response = app.post_login(&login_body).await;
+    assert!(!response.text().await.unwrap().contains("Administration"));
+}
+
+#[sqlx::test]
+async fn writers_can_publish_posts_and_send_emails(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, false).await;
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    app.post_login(&login_body).await;
+
+    app.create_confirmed_subscriber().await;
+    when_sending_an_email()
+        .respond_with(ResponseTemplate::new(200))
+        .expect(2)
+        .mount(&app.email_server)
+        .await;
+    app.post_create_post(&fake_post_body()).await;
+    app.post_newsletters(&fake_newsletter_body()).await;
+    app.dispatch_all_pending_emails().await;
+}
+
+#[sqlx::test]
+async fn writers_cannot_perform_admin_functions(connection_pool: PgPool) {
+    let app = TestApp::spawn(connection_pool).await;
+    app.admin_login().await;
+    let username = "alphonse";
+    let password = "123456789abc";
+    app.create_user(username, password, false).await;
+    app.post_create_post(&fake_post_body()).await;
+    let post_id = {
+        let record = sqlx::query!("SELECT post_id FROM posts")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.post_id
+    };
+    app.create_confirmed_subscriber().await;
+    let subscriber_id = {
+        let record = sqlx::query!("SELECT id FROM subscriptions")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.id
+    };
+    let comment_body = serde_json::json!({
+        "author": "author",
+        "content": "comment",
+        "idempotency_key": "key",
+    });
+    app.post_comment(&post_id, &comment_body).await;
+    let comment_id = {
+        let record = sqlx::query!("SELECT comment_id FROM comments")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.comment_id
+    };
+
+    app.logout().await;
+    let login_body = serde_json::json!({
+        "username": username,
+        "password": password
+    });
+    app.post_login(&login_body).await;
+
+    let response = app.delete_subscriber(subscriber_id).await;
+    let html = response.text().await.unwrap();
+    assert!(html.contains("requires administrator privileges"));
+    let record = sqlx::query!("SELECT id FROM subscriptions")
+        .fetch_optional(&app.connection_pool)
+        .await
+        .unwrap();
+    assert!(record.is_some());
+
+    let response = app.delete_comment(comment_id).await;
+    let html = response.text().await.unwrap();
+    assert!(html.contains("requires administrator privileges"));
+    let record = sqlx::query!("SELECT comment_id FROM comments")
+        .fetch_optional(&app.connection_pool)
+        .await
+        .unwrap();
+    assert!(record.is_some());
+
+    let response = app.delete_post(post_id).await;
+    let html = response.text().await.unwrap();
+    assert!(html.contains("requires administrator privileges"));
+    let record = sqlx::query!("SELECT post_id FROM posts")
+        .fetch_optional(&app.connection_pool)
+        .await
+        .unwrap();
+    assert!(record.is_some());
+
+    let user_id = {
+        let record = sqlx::query!("SELECT user_id FROM users")
+            .fetch_one(&app.connection_pool)
+            .await
+            .unwrap();
+        record.user_id
+    };
+    let response = app.delete_user(user_id).await;
+    let html = response.text().await.unwrap();
+    assert!(html.contains("requires administrator privileges"));
+
+    let record = sqlx::query_scalar!("SELECT username FROM users WHERE user_id = $1", user_id)
+        .fetch_optional(&app.connection_pool)
+        .await
+        .unwrap();
+    assert!(record.is_some());
+
+    let username = "friend";
+    let password = "123456789abc";
+    let response = app.create_user(username, password, false).await;
+    let html = response.text().await.unwrap();
+    assert!(html.contains("requires administrator privileges"));
+    let record = sqlx::query!("SELECT user_id FROM users WHERE username = $1", username)
+        .fetch_optional(&app.connection_pool)
+        .await
+        .unwrap();
+    assert!(record.is_none());
+}