discoman/python-tdd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0f60c73f3bfee104bb5c939a0c98c5fbb9413685
python-tdd/src/apps/dashboard/tests/integrated/test_wallet_views.py
Disco DeDisco 0f60c73f3b
All checks were successful
ci/woodpecker/push/pyswiss Pipeline was successful
Details
ci/woodpecker/push/main Pipeline was successful
Details
fix: Token.PASS is now model-enforced as staff-only — Token.clean/save raise ValidationError when a non-staff user is the FK target. Staging bug 2026-05-21 — admin awarded a PASS to a non-admin via Django admin; row was created + showed in the user's wallet, but every game-side surface (gameboard, game-kit, gate-pad select_token, _select_my_sea_token) had always filtered PASS behind is_staff, so the token was unequippable + unusable. Five is_staff-gated PASS surfaces made PASS a deliberate staff-only trinket; the wallet was the lone outlier surfacing it. Bundled: wallet view (+ HTMX toggle partial) now gates pass_token behind is_staff mirroring the gameboard pattern — defense-in-depth in case any future bypass writes a stray row. TDD — new ITs: PassTokenStaffOnlyGuardTest (model raises for non-staff, accepts for staff, leaves other token types unaffected); WalletPassTokenVisibilityTest (3 cases pin wallet + HTMX gating); TokenAdminFormTest.test_pass_token_for_non_staff_user_is_invalid + test_pass_token_for_staff_user_is_valid. Adjusted 2 existing tests that incidentally exercised the now-blocked pattern (test_paid_draw_with_pass_does_not_consume, test_pass_token_is_not_consumed — both flip is_staff = True inline before Token.objects.create); dropped PASS from test_other_token_types_do_not_require_expires_at's loop (covered by the new dedicated tests). 1133 IT/UT green. A non-admin "boost-pass" variant lands as a distinct token_type later, NEVER by relaxing the staff gate — captured in [[feedback-pass-token-staff-only]] 
Code architected by Disco DeDisco <discodedisco@outlook.com>
Git commit message Co-Authored-By:
Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 00:35:55 -04:00

173 lines
6.9 KiB
Python
Raw Blame History

import lxml.html
from django.test import TestCase
from apps.applets.models import Applet, UserApplet
from apps.lyric.models import Token, User, Wallet
class WalletViewTest(TestCase):
def setUp(self):
self.user = User.objects.create(email="capman@test.io")
self.client.force_login(self.user)
response = self.client.get("/dashboard/wallet/")
self.parsed = lxml.html.fromstring(response.content)
def test_wallet_page_requires_login(self):
self.client.logout()
response = self.client.get("/dashboard/wallet/")
self.assertRedirects(
response, "/?next=/dashboard/wallet/", fetch_redirect_response=False
)
def test_wallet_page_renders(self):
[el] = self.parsed.cssselect("#id_writs_balance")
self.assertEqual(el.text_content().strip(), "144")
def test_wallet_page_shows_esteem_balance(self):
[el] = self.parsed.cssselect("#id_esteem_balance")
self.assertEqual(el.text_content().strip(), "0")
def test_wallet_page_shows_coin_on_a_string(self):
[_] = self.parsed.cssselect("#id_coin_on_a_string")
def test_wallet_page_shows_free_token(self):
[_] = self.parsed.cssselect("#id_free_token")
def test_wallet_page_shows_payment_methods_section(self):
[_] = self.parsed.cssselect("#id_add_payment_method")
def test_wallet_page_shows_stripe_payment_element(self):
[_] = self.parsed.cssselect("#id_stripe_payment_element")
def test_wallet_page_shows_tithe_token_shop(self):
[_] = self.parsed.cssselect("#id_tithe_token_shop")
def test_tithe_token_shop_shows_bundle(self):
bundles = self.parsed.cssselect("#id_tithe_token_shop .token-bundle")
self.assertGreater(len(bundles), 0)
class WalletPassTokenVisibilityTest(TestCase):
"""PASS is admin-only — the model guard blocks bogus rows from existing
for non-staff users, but defend the wallet surface too so a future
code path that bypasses the model (eg. raw SQL backfill) doesn't
silently leak the trinket into a non-admin's view."""
def test_pass_token_in_context_for_staff(self):
user = User.objects.create(email="staff@test.io", is_staff=True)
self.client.force_login(user)
response = self.client.get("/dashboard/wallet/")
self.assertIsNotNone(response.context["pass_token"])
def test_pass_token_absent_for_non_staff(self):
user = User.objects.create(email="reg@test.io")
self.client.force_login(user)
response = self.client.get("/dashboard/wallet/")
self.assertIsNone(response.context["pass_token"])
def test_pass_token_absent_in_htmx_toggle_partial_for_non_staff(self):
Applet.objects.get_or_create(
slug="wallet-tokens",
defaults={"name": "Wallet Tokens", "grid_cols": 3, "grid_rows": 3, "context": "wallet"},
)
user = User.objects.create(email="reg2@test.io")
self.client.force_login(user)
response = self.client.post(
"/dashboard/wallet/toggle-applets",
{"applets": ["wallet-tokens"]},
HTTP_HX_REQUEST="true",
)
self.assertIsNone(response.context["pass_token"])
class WalletViewAppletContextTest(TestCase):
def setUp(self):
self.user = User.objects.create(email="walletctx@test.io")
Applet.objects.get_or_create(
slug="wallet-balances",
defaults={"name": "Wallet Balances", "grid_cols": 3, "grid_rows": 3, "context": "wallet"},
)
Applet.objects.get_or_create(
slug="wallet-tokens",
defaults={"name": "Wallet Tokens", "grid_cols": 3, "grid_rows": 3, "context": "wallet"},
)
Applet.objects.get_or_create(
slug="wallet-payment",
defaults={"name": "Payment Methods", "grid_cols": 6, "grid_rows": 3, "context": "wallet"},
)
self.client.force_login(self.user)
def test_wallet_view_passes_applets_context(self):
response = self.client.get("/dashboard/wallet/")
slugs = [e["applet"].slug for e in response.context["applets"]]
self.assertIn("wallet-balances", slugs)
self.assertIn("wallet-tokens", slugs)
self.assertIn("wallet-payment", slugs)
def test_wallet_page_renders_applets_container(self):
response = self.client.get("/dashboard/wallet/")
parsed = lxml.html.fromstring(response.content)
[_] = parsed.cssselect("#id_wallet_applets_container")
def test_wallet_page_renders_gear_button(self):
response = self.client.get("/dashboard/wallet/")
parsed = lxml.html.fromstring(response.content)
[_] = parsed.cssselect(".gear-btn")
class ToggleWalletAppletsTest(TestCase):
def setUp(self):
self.user = User.objects.create(email="wallettoggle@test.io")
self.balances = Applet.objects.get_or_create(
slug="wallet-balances",
defaults={"name": "Wallet Balances", "grid_cols": 3, "grid_rows": 3, "context": "wallet"},
)[0]
self.tokens = Applet.objects.get_or_create(
slug="wallet-tokens",
defaults={"name": "Wallet Tokens", "grid_cols": 3, "grid_rows": 3, "context": "wallet"},
)[0]
Applet.objects.get_or_create(
slug="wallet-payment",
defaults={"name": "Payment Methods", "grid_cols": 6, "grid_rows": 3, "context": "wallet"},
)
self.client.force_login(self.user)
def test_toggle_requires_login(self):
self.client.logout()
response = self.client.post("/dashboard/wallet/toggle-applets", {})
self.assertRedirects(
response, "/?next=/dashboard/wallet/toggle-applets",
fetch_redirect_response=False,
)
def test_toggle_redirects_to_wallet(self):
response = self.client.post(
"/dashboard/wallet/toggle-applets", {"applets": ["wallet-balances"]}
)
self.assertRedirects(response, "/dashboard/wallet/", fetch_redirect_response=False)
def test_toggle_hides_unchecked_applet(self):
self.client.post(
"/dashboard/wallet/toggle-applets", {"applets": ["wallet-balances"]}
)
ua = UserApplet.objects.get(user=self.user, applet=self.tokens)
self.assertFalse(ua.visible)
def test_toggle_shows_checked_applet(self):
UserApplet.objects.create(user=self.user, applet=self.balances, visible=False)
self.client.post(
"/dashboard/wallet/toggle-applets", {"applets": ["wallet-balances"]}
)
ua = UserApplet.objects.get(user=self.user, applet=self.balances)
self.assertTrue(ua.visible)
def test_toggle_htmx_returns_container_partial(self):
response = self.client.post(
"/dashboard/wallet/toggle-applets",
{"applets": ["wallet-balances"]},
HTTP_HX_REQUEST="true",
)
self.assertEqual(response.status_code, 200)
self.assertContains(response, "id_wallet_applets_container")
Reference in New Issue View Git Blame Copy Permalink