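"""Tests for the admin-only registration endpoints and for account expiry."""
from datetime import timedelta

from django.test import TestCase
from django.utils import timezone
from rest_framework import status
from rest_framework.test import APITestCase

from .models import CustomUser


class AdminOnlyRegistrationEndpointsTests(APITestCase):
    """Check that user creation and activation endpoints are gated to admins.

    ``force_authenticate`` injects the user directly and skips the real
    authentication backend, so these tests exercise the permission layer
    only. Credential or token handling is not covered here.
    """

    # Endpoint paths under test, kept in one place so a route change is a
    # single edit.
    REGISTER_URL = '/api/v1/auth/users/'
    ACTIVATION_URL = '/api/v1/auth/users/activation/'
    RESEND_ACTIVATION_URL = '/api/v1/auth/users/resend_activation/'

    def setUp(self):
        """Create one superuser and one active non-admin user."""
        self.admin_user = CustomUser.objects.create_superuser(
            email='admin@example.com',
            password='adminpass123',
        )
        self.regular_user = CustomUser.objects.create_user(
            email='user@example.com',
            password='userpass123',
            is_active=True,
        )

    def test_register_endpoint_rejects_non_admin(self):
        """An authenticated non-admin must not be able to create users."""
        self.client.force_authenticate(user=self.regular_user)
        response = self.client.post(
            self.REGISTER_URL,
            {
                'email': 'new-user@example.com',
                'password': 'strong-pass-123',
                're_password': 'strong-pass-123',
            },
            format='json',
        )
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_register_endpoint_rejects_anonymous(self):
        """An unauthenticated caller must not be able to create users.

        Whether DRF answers 401 or 403 depends on the configured
        authentication classes, which this file does not show, so both
        are accepted. Any other status means the endpoint is reachable
        without credentials.
        """
        self.client.force_authenticate(user=None)
        response = self.client.post(
            self.REGISTER_URL,
            {
                'email': 'anonymous-user@example.com',
                'password': 'strong-pass-123',
                're_password': 'strong-pass-123',
            },
            format='json',
        )
        self.assertIn(
            response.status_code,
            (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN),
        )

    def test_register_endpoint_allows_admin(self):
        """A superuser can create a new account."""
        self.client.force_authenticate(user=self.admin_user)
        response = self.client.post(
            self.REGISTER_URL,
            {
                'email': 'created-by-admin@example.com',
                'password': 'strong-pass-123',
                're_password': 'strong-pass-123',
            },
            format='json',
        )
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)

    def test_activation_endpoint_rejects_non_admin(self):
        """A non-admin is refused before the uid/token pair is validated.

        The payload is deliberately invalid: a 403 rather than a
        validation error shows the permission check ran first.
        """
        self.client.force_authenticate(user=self.regular_user)
        response = self.client.post(
            self.ACTIVATION_URL,
            {'uid': 'invalid', 'token': 'invalid'},
            format='json',
        )
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_resend_activation_endpoint_rejects_non_admin(self):
        """A non-admin cannot trigger a resend, even for their own email."""
        self.client.force_authenticate(user=self.regular_user)
        response = self.client.post(
            self.RESEND_ACTIVATION_URL,
            {'email': self.regular_user.email},
            format='json',
        )
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_resend_activation_endpoint_allows_admin_access(self):
        """A superuser gets past the permission gate on resend_activation.

        NOTE(review): this only asserts "not 403", so a 404 or 500 would
        also pass. Pin the exact success status once the endpoint's
        response for an already-active user is confirmed.
        """
        self.client.force_authenticate(user=self.admin_user)
        response = self.client.post(
            self.RESEND_ACTIVATION_URL,
            {'email': self.regular_user.email},
            format='json',
        )
        self.assertNotEqual(response.status_code, status.HTTP_403_FORBIDDEN)


class AccountExpiryTests(TestCase):
    """Check ``CustomUser.deactivate_if_expired`` around ``active_until``."""

    def test_user_is_deactivated_when_expired(self):
        """A user whose ``active_until`` is in the past is deactivated."""
        # timedelta comes from datetime directly rather than through
        # django.utils.timezone, which only exposes it as an incidental
        # import and not as public API.
        user = CustomUser.objects.create_user(
            email='expired@example.com',
            password='pass123456',
            is_active=True,
            active_until=timezone.now() - timedelta(days=1),
        )

        changed = user.deactivate_if_expired()
        # Reload so the assertion checks the persisted row, not the
        # in-memory instance.
        user.refresh_from_db()

        self.assertTrue(changed)
        self.assertFalse(user.is_active)

    def test_user_stays_active_before_expiry(self):
        """A user whose ``active_until`` is in the future is left active."""
        user = CustomUser.objects.create_user(
            email='active@example.com',
            password='pass123456',
            is_active=True,
            active_until=timezone.now() + timedelta(days=3),
        )

        changed = user.deactivate_if_expired()
        user.refresh_from_db()

        self.assertFalse(changed)
        self.assertTrue(user.is_active)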