codeforlife-portal 5.33.5__py2.py3-none-any.whl → 8.9.9__py2.py3-none-any.whl

portal/tests/test_ratelimit.py

@@ -1,20 +1,23 @@
 from __future__ import absolute_import
 
 from datetime import datetime, timedelta
+from unittest.mock import ANY, Mock, patch
 
+import pytest
 import pytz
-import re
-from common.models import Teacher, Student
+from common.mail import campaign_ids
+from common.models import DailyActivity, Student, Teacher
 from common.tests.utils.classes import create_class_directly
 from common.tests.utils.organisation import create_organisation_directly
 from common.tests.utils.student import (
     create_independent_student_directly,
     create_school_student_directly,
+    generate_independent_student_details,
 )
-from common.tests.utils.teacher import signup_teacher_directly
+from common.tests.utils.teacher import generate_details, signup_teacher_directly
 from django.core import mail
 from django.test import Client, TestCase
-from django.urls import reverse
+from django.urls import reverse, reverse_lazy
 
 from portal.helpers.ratelimit import get_ratelimit_count_for_user
 from portal.views.login import has_user_lockout_expired
@@ -27,20 +30,17 @@ class TestRatelimit(TestCase):
     def _teacher_login(self, username, password):
         return self.client.post(
             reverse("teacher_login"),
-            {
-                "auth-username": username,
-                "auth-password": password,
-                "teacher_login_view-current_step": "auth",
-            },
+            {"auth-username": username, "auth-password": password, "teacher_login_view-current_step": "auth"},
         )
 
     def _student_login(self, username, password):
+        return self.client.post(reverse("independent_student_login"), {"username": username, "password": password})
+
+    def _student_school_login(self, access_code, student_name, student_password):
         return self.client.post(
-            reverse("independent_student_login"),
-            {
-                "username": username,
-                "password": password,
-            },
+            reverse("student_login", kwargs={"access_code": access_code}),
+            {"username": student_name, "password": student_password},
+            follow=True,
         )
 
     def _teacher_update_account_bad_request(self) -> None:
@@ -79,23 +79,13 @@ class TestRatelimit(TestCase):
 
     def _reset_password_request(self, email):
         return self.client.post(
-            reverse("teacher_password_reset"),
-            {
-                "email": email,
-                "g-recaptcha-response": "something",
-            },
+            reverse("teacher_password_reset"), {"email": email, "g-recaptcha-response": "something"}
         )
 
     def _reset_password(self, url, new_password):
-        return self.client.post(
-            url,
-            {
-                "new_password1": new_password,
-                "new_password2": new_password,
-            },
-        )
+        return self.client.post(url, {"new_password1": new_password, "new_password2": new_password})
 
-    def _is_user_blocked(self, model: Teacher or Student, username: str) -> bool:
+    def _is_user_blocked(self, model: Teacher or Student, username: str, access_code: str = None) -> bool:
         """
         Checks if a Teacher or a Student object is blocked, by checking if they
         have a blocked_time value, and if so, if it the lockout has expired or not.
@@ -103,20 +93,30 @@ class TestRatelimit(TestCase):
         :param username: The username of the Teacher or Student.
         :return: Whether or not the model object is marked as blocked.
         """
-        user = model.objects.get(new_user__username=username)
+        user = (
+            model.objects.get(new_user__username=username)
+            if not access_code
+            else model.objects.get(new_user__first_name=username, class_field__access_code=access_code)
+        )
         if user.blocked_time:
             return not has_user_lockout_expired(user)
         else:
             return False
 
-    def _block_user(self, model: Teacher or Student, username: str) -> None:
+    def _block_user(self, model: Teacher or Student, username: str, access_code=None) -> None:
         """
         Finds the Teacher or Student corresponding to the username, and sets it as
         blocked and sets the blocked date to now.
         :param model: The model Class to be checked against.
         :param username: The username of the Teacher or Student.
         """
-        user = model.objects.get(new_user__username=username)
+
+        user = (
+            model.objects.get(new_user__username=username)
+            if access_code is None
+            else model.objects.get(new_user__first_name=username, class_field__access_code=access_code)
+        )
+
         user.blocked_time = datetime.now(tz=pytz.utc)
         user.save()
 
@@ -137,6 +137,54 @@ class TestRatelimit(TestCase):
 
         assert self._is_user_blocked(Teacher, email)
 
+    def test_student_login_ratelimit(self):
+        """
+        Given a student,
+        When they perform 6 failed login attempts,
+        Then on the 6th one, the student should be blocked.
+        """
+        teacher_email, teacher_password = signup_teacher_directly()
+        school = create_organisation_directly(teacher_email)
+        klass, klass_name, klass_access_code = create_class_directly(teacher_email)
+        student_name, student_password, student = create_school_student_directly(klass_access_code)
+
+        for i in range(10):
+            response = self._student_school_login(klass_access_code, student_name, "bad_password")
+
+            assert not self._is_user_blocked(Student, student_name, klass_access_code)
+
+        _ = self._student_school_login(klass_access_code, student_name, "bad_password")
+
+        assert self._is_user_blocked(Student, student_name, klass_access_code)
+        student = Student.objects.get(id=student.id)
+        current_student = Student.objects.get(
+            new_user__first_name=student_name, class_field__access_code=klass_access_code
+        )
+
+        # now check if teacher can unlock it, both ways :)
+        url = reverse_lazy("teacher_class_password_reset", kwargs={"access_code": klass_access_code})
+        data = {"transfer_students": [[current_student.id]]}
+        c = Client()
+
+        c.login(username=teacher_email, password=teacher_password)
+        c.post(url, data)
+        assert not self._is_user_blocked(Student, student_name, klass_access_code)
+
+        # now block again and test the edit by student method
+        self._block_user(Student, student_name, klass_access_code)
+        assert self._is_user_blocked(Student, student_name, klass_access_code)
+        url = reverse_lazy("teacher_edit_student", kwargs={"pk": current_student.id})
+        strong_password = "£EDCVFR$5tgbnhy6"
+        data = {"password": strong_password, "confirm_password": strong_password, "set_password": ""}
+
+        c.post(url, data)
+        assert not self._is_user_blocked(Student, student_name, klass_access_code)
+        c.logout()
+        student = Student.objects.get(id=student.id)
+        self._student_school_login(klass_access_code, student_name, "password1")
+        student = Student.objects.get(id=student.id)
+        assert not self._is_user_blocked(Student, student_name, klass_access_code)
+
     def test_independent_student_login_ratelimit(self):
         """
         Given an independent student,
@@ -277,7 +325,8 @@ class TestRatelimit(TestCase):
 
         assert get_ratelimit_count_for_user(email) == 1
 
-    def test_teacher_reset_password_unblocks_user(self):
+    @patch("portal.forms.registration.send_dotdigital_email")
+    def test_teacher_reset_password_unblocks_user(self, mock_send_dotdigital_email: Mock):
         """
         Given a blocked teacher,
         When they reset they password,
@@ -295,17 +344,150 @@ class TestRatelimit(TestCase):
         # Ask for reset password link
         self._reset_password_request(email)
 
-        assert len(mail.outbox) == 1
+        mock_send_dotdigital_email.assert_called_once_with(
+            campaign_ids["reset_password"], ANY, personalization_values=ANY
+        )
 
-        # Get reset link from email
-        message = str(mail.outbox[0].body)
-        url = re.search("http.+/", message).group(0)
+        reset_password_url = mock_send_dotdigital_email.call_args.kwargs["personalization_values"][
+            "RESET_PASSWORD_LINK"
+        ]
 
         new_password = "AnotherPassword12!"
 
-        self._reset_password(url, new_password)
+        self._reset_password(reset_password_url, new_password)
 
         login_response = self._teacher_login(email, new_password)
 
         assert login_response.status_code == 302
         assert not self._is_user_blocked(Teacher, email)
+
+    def test_lockout_reset_tracking(self):
+        old_date = datetime.now() - timedelta(days=1)
+        old_daily_activity = DailyActivity(date=old_date)
+        old_daily_activity.save()
+        teacher_email, teacher_password = signup_teacher_directly()
+        indy_email, indy_password, student = create_independent_student_directly()
+        create_organisation_directly(teacher_email)
+
+        self._block_user(Teacher, teacher_email)
+        self._block_user(Student, indy_email)
+
+        # check teacher response for resetting password
+        url = reverse_lazy("teacher_password_reset")
+        data = {"email": teacher_email}
+
+        c = Client()
+
+        response = c.post(url, data=data)
+        old_daily_activity = DailyActivity.objects.get(date=old_date)
+        current_daily_activity = DailyActivity.objects.get(date=datetime.now())
+
+        assert response.status_code == 200
+        assert old_daily_activity.teacher_lockout_resets == 0
+        assert current_daily_activity.teacher_lockout_resets == 1
+        # now check the indy student
+
+        url = reverse_lazy("student_password_reset")
+        data = {"email": indy_email}
+        c = Client()
+
+        response = c.post(url, data=data)
+        old_daily_activity = DailyActivity.objects.get(date=old_date)
+        current_daily_activity = DailyActivity.objects.get(date=datetime.now())
+
+        assert response.status_code == 200
+        assert old_daily_activity.indy_lockout_resets == 0
+        assert current_daily_activity.indy_lockout_resets == 1
+        # finally check the school student
+
+        # method 1
+        _, _, klass_access_code = create_class_directly(teacher_email)
+        student_name, _, student = create_school_student_directly(klass_access_code)
+
+        self._block_user(Student, student_name, access_code=klass_access_code)
+
+        c = Client()
+        c.login(username=teacher_email, password=teacher_password)
+
+        url = reverse_lazy("teacher_edit_student", kwargs={"pk": student.id})
+        strong_password = "£EDCVFR$5tgb"
+        data = {"password": strong_password, "confirm_password": strong_password, "set_password": ""}
+
+        response = c.post(url, data)
+        old_daily_activity = DailyActivity.objects.get(date=old_date)
+        current_daily_activity = DailyActivity.objects.get(date=datetime.now())
+
+        assert response.status_code == 200
+        assert old_daily_activity.school_student_lockout_resets == 0
+        assert current_daily_activity.school_student_lockout_resets == 1
+
+        # method 2
+        self._block_user(Student, student_name, access_code=klass_access_code)
+        url = reverse_lazy("teacher_class_password_reset", kwargs={"access_code": klass_access_code})
+        data = {"transfer_students": [[student.id]]}
+
+        response = c.post(url, data)
+        old_daily_activity = DailyActivity.objects.get(date=old_date)
+        current_daily_activity = DailyActivity.objects.get(date=datetime.now())
+
+        assert response.status_code == 200
+        assert old_daily_activity.school_student_lockout_resets == 0
+        assert current_daily_activity.school_student_lockout_resets == 2
+
+
+@patch("common.helpers.emails.send_dotdigital_email")
+@pytest.mark.django_db
+def test_teacher_already_registered_email(mock_send_dotdigital_email: Mock, client):
+    first_name, last_name, email, password = generate_details()
+    register_url = reverse("register")
+    data = {
+        "teacher_signup-teacher_first_name": first_name,
+        "teacher_signup-teacher_last_name": last_name,
+        "teacher_signup-teacher_email": email,
+        "teacher_signup-consent_ticked": "on",
+        "teacher_signup-teacher_password": password,
+        "teacher_signup-teacher_confirm_password": password,
+        "g-recaptcha-response": "something",
+    }
+
+    # Register the teacher first time, there should be a registration email
+    client.post(register_url, data)
+    mock_send_dotdigital_email.assert_called_once_with(campaign_ids["verify_new_user"], ANY, personalization_values=ANY)
+
+    # Register with the same email again, there should also be an already registered email
+    client.post(register_url, data)
+    assert len(mail.outbox) == 1
+
+    # Register with the same email one more time, there shouldn't be any new emails
+    client.post(register_url, data)
+    assert len(mail.outbox) == 1
+
+
+@patch("common.helpers.emails.send_dotdigital_email")
+@pytest.mark.django_db
+def test_independent_student_already_registered_email(mock_send_dotdigital_email: Mock, client):
+    name, username, email_address, password = generate_independent_student_details()
+    register_url = reverse("register")
+    data = {
+        "independent_student_signup-date_of_birth_day": 7,
+        "independent_student_signup-date_of_birth_month": 10,
+        "independent_student_signup-date_of_birth_year": 1997,
+        "independent_student_signup-name": name,
+        "independent_student_signup-email": email_address,
+        "independent_student_signup-consent_ticked": "on",
+        "independent_student_signup-password": password,
+        "independent_student_signup-confirm_password": password,
+        "g-recaptcha-response": "something",
+    }
+
+    # Register the independent student first time, there should be a registration email
+    client.post(register_url, data)
+    mock_send_dotdigital_email.assert_called_once_with(campaign_ids["verify_new_user"], ANY, personalization_values=ANY)
+
+    # Register with the same email again, there should also be an already registered email
+    client.post(register_url, data)
+    assert len(mail.outbox) == 1
+
+    # Reset mock and register with the same email one more time, there shouldn't be any new emails
+    client.post(register_url, data)
+    assert len(mail.outbox) == 1

portal/tests/test_school_student.py

@@ -7,10 +7,7 @@ from common.tests.utils.teacher import signup_teacher_directly
 
 from portal.tests.pageObjects.portal.home_page import HomePage
 from .base_test import BaseTest
-from .utils.messages import (
-    is_student_details_updated_message_showing,
-    is_password_updated_message_showing,
-)
+from .utils.messages import is_student_details_updated_message_showing, is_password_updated_message_showing
 
 
 class TestSchoolStudent(BaseTest):
@@ -36,15 +33,10 @@ class TestSchoolStudent(BaseTest):
         student_name, _, _ = create_school_student_directly(access_code)
 
         self.selenium.get(self.live_server_url)
-        page = (
-            HomePage(self.selenium)
-            .go_to_student_login_page()
-            .student_input_access_code_failure("not a class code")
-        )
+        page = HomePage(self.selenium).go_to_student_login_page().student_input_access_code_failure("not a class code")
 
         assert page.has_access_code_input_failed(
-            "form-login-school-class-code",
-            "Uh oh! You didn't input a valid class code.",
+            "form-login-school-class-code", "Uh oh! You didn't input a valid class code."
         )
 
     def test_login_failure(self):
@@ -61,9 +53,7 @@ class TestSchoolStudent(BaseTest):
             .student_login_failure(student_name, "some other password")
         )
 
-        assert page.has_login_failed(
-            "form-login-school", "Invalid name, class access code or password"
-        )
+        assert page.has_login_failed("form-login-school", "Invalid name, class access code or password")
 
     def test_login_nonexistent_class(self):
         email, _ = signup_teacher_directly()
@@ -79,9 +69,7 @@ class TestSchoolStudent(BaseTest):
             .student_login_failure(student_name, student_password)
         )
 
-        assert page.has_login_failed(
-            "form-login-school", "Invalid name, class access code or password"
-        )
+        assert page.has_login_failed("form-login-school", "Invalid name, class access code or password")
 
     def test_login_empty_class(self):
         email, _ = signup_teacher_directly()
@@ -98,9 +86,7 @@ class TestSchoolStudent(BaseTest):
             .student_login_failure(student_name, student_password)
         )
 
-        assert page.has_login_failed(
-            "form-login-school", "Invalid name, class access code or password"
-        )
+        assert page.has_login_failed("form-login-school", "Invalid name, class access code or password")
 
     def test_update_password_current_password_wrong(self):
         email, _ = signup_teacher_directly()
@@ -118,12 +104,10 @@ class TestSchoolStudent(BaseTest):
         assert self.is_dashboard(page)
 
         page = page.go_to_account_page().update_password_failure(
-            "NewPassword", "NewPassword", "WrongPassword"
+            "£EDCVFR$5tgb", "£EDCVFR$5tgb", "Wrong_123$£$3_Password"
         )
         assert self.is_account_page(page)
-        assert page.was_form_invalid(
-            "student_account_form", "Your current password was incorrect"
-        )
+        assert page.was_form_invalid("student_account_form", "Your current password was incorrect")
 
     def test_update_password_passwords_not_match(self):
         email, _ = signup_teacher_directly()
@@ -140,13 +124,9 @@ class TestSchoolStudent(BaseTest):
         )
         assert self.is_dashboard(page)
 
-        page = page.go_to_account_page().update_password_failure(
-            "NewPassword1", "OtherPassword1", student_password
-        )
+        page = page.go_to_account_page().update_password_failure("£EDECVFR$5tgb", "%TGBNHY^&ujm,ki8", student_password)
         assert self.is_account_page(page)
-        assert page.was_form_invalid(
-            "student_account_form", "Your new passwords do not match"
-        )
+        assert page.was_form_invalid("student_account_form", "Your new passwords do not match")
 
     def test_update_password_too_weak(self):
         email, _ = signup_teacher_directly()
@@ -163,16 +143,14 @@ class TestSchoolStudent(BaseTest):
         )
         assert self.is_dashboard(page)
 
-        page = page.go_to_account_page().update_password_failure(
-            "tiny", "tiny", student_password
-        )
+        page = page.go_to_account_page().update_password_failure("tiny", "tiny", student_password)
         assert self.is_account_page(page)
         assert page.was_form_invalid(
             "student_account_form",
             "Password not strong enough, consider using at least 6 characters and making it hard to guess.",
         )
 
-    def test_update_password_success(self):
+    def test_update_password_too_common(self):
         email, _ = signup_teacher_directly()
         create_organisation_directly(email)
         _, _, access_code = create_class_directly(email)
@@ -187,18 +165,35 @@ class TestSchoolStudent(BaseTest):
         )
         assert self.is_dashboard(page)
 
-        new_password = "NewPassword"
+        page = page.go_to_account_page().update_password_failure("Password123$", "Password123$", student_password)
+        assert self.is_account_page(page)
+        assert page.was_form_invalid(
+            "student_account_form", "Password is too common, consider using a different password."
+        )
 
-        page = page.go_to_account_page().update_password_success(
-            new_password, student_password
+    def test_update_password_success(self):
+        email, _ = signup_teacher_directly()
+        create_organisation_directly(email)
+        _, _, access_code = create_class_directly(email)
+        student_name, student_password, _ = create_school_student_directly(access_code)
+
+        self.selenium.get(self.live_server_url)
+        page = (
+            HomePage(self.selenium)
+            .go_to_student_login_page()
+            .student_input_access_code(access_code)
+            .student_login(student_name, student_password)
         )
+        assert self.is_dashboard(page)
+
+        new_password = "£EDCVFR$%TGBhny6"
+
+        page = page.go_to_account_page().update_password_success(new_password, student_password)
         assert is_student_details_updated_message_showing(self.selenium)
         assert is_password_updated_message_showing(self.selenium)
         assert self.is_login_class_code_page(page)
 
-        page = page.student_input_access_code(access_code).student_login(
-            student_name, new_password
-        )
+        page = page.student_input_access_code(access_code).student_login(student_name, new_password)
         assert self.is_dashboard(page)
 
     def is_dashboard(self, page):

portal/tests/test_security.py

@@ -2,13 +2,12 @@ from __future__ import absolute_import
 
 from builtins import str
 
-from django.contrib.auth.models import User
-from django.urls import reverse, reverse_lazy
-from django.test import Client, TestCase
-
 from common.models import School, Student, UserProfile
 from common.tests.utils.classes import create_class_directly
 from common.tests.utils.teacher import signup_teacher_directly
+from django.contrib.auth.models import User
+from django.test import Client, TestCase
+from django.urls import reverse, reverse_lazy
 
 
 class SecurityTestCase(TestCase):
@@ -20,7 +19,7 @@ class SecurityTestCase(TestCase):
         c = Client()
         assert c.login(username=email2, password=pass2)
         page = reverse(view_name, args=[access_code])
-        self.assertNotEqual(c.get(page).status_code, 200)
+        assert not c.get(page).status_code == 200
 
     def _test_incorrect_teacher_no_info_leak(self, view_name):
         email1, _ = signup_teacher_directly()
@@ -33,10 +32,10 @@ class SecurityTestCase(TestCase):
         invalid_page = reverse(view_name, args=[access_code])
         invalid_login_code = c.get(invalid_page).status_code
 
-        non_existant_page = reverse(view_name, args=["AAAAA"])
-        non_existant_code = c.get(non_existant_page).status_code
+        non_existent_page = reverse(view_name, args=["AAAAA"])
+        non_existent_code = c.get(non_existent_page).status_code
 
-        self.assertEqual(non_existant_code, invalid_login_code)
+        assert non_existent_code == invalid_login_code
 
     def test_reminder_cards_info_leak(self):
         """Check that it isn't leaked whether an access code exists."""
@@ -55,20 +54,11 @@ class SecurityTestCase(TestCase):
         stu = Student(user=profile)
         stu.save()
 
-        self.assertEqual(
-            c.get(reverse("teacher_edit_student", kwargs={"pk": "9999"})).status_code,
-            c.get(reverse("teacher_edit_student", kwargs={"pk": stu.pk})).status_code,
+        assert (
+            c.get(reverse("teacher_edit_student", kwargs={"pk": "9999"})).status_code
+            == c.get(reverse("teacher_edit_student", kwargs={"pk": stu.pk})).status_code
         )
 
-    def test_cannot_lookup_schools_if_not_logged_in(self):
-        client = Client()
-
-        url = reverse("organisation_fuzzy_lookup")
-        data = {"fuzzy_name": ["A"]}
-        response = client.get(url, data=data)
-
-        self.assertEqual(403, response.status_code)
-
     def test_cannot_create_school_with_email_as_name(self):
         number_of_existing_schools = len(School.objects.all())
 
@@ -78,16 +68,11 @@ class SecurityTestCase(TestCase):
         client.login(username=email, password=password)
 
         url = reverse("onboarding-organisation")
-        data = {
-            "name": email,
-            "postcode": "TEST",
-            "country": "GB",
-            "create_organisation": "",
-        }
+        data = {"name": email, "postcode": "TEST", "country": "GB", "create_organisation": ""}
 
         client.post(url, data)
 
-        self.assertEqual(number_of_existing_schools, len(School.objects.all()))
+        assert number_of_existing_schools == len(School.objects.all())
 
     def test_reminder_cards_wrong_teacher(self):
         """Try and view reminder cards without being the teacher for that class."""
@@ -97,7 +82,3 @@ class SecurityTestCase(TestCase):
         """Try and view a class page without being the teacher for that class."""
         self._test_incorrect_teacher_cannot_login("onboarding-class")
 
-    def test_anonymous_cannot_access_teaching_materials(self):
-        c = Client()
-        page = reverse_lazy("materials")
-        self.assertNotEqual(str(c.get(page).status_code)[0], 2)