
Add some more route tests

Getty Ritter 4 years ago
parent
commit
4d39993281
1 changed files with 72 additions and 5 deletions
  1. 72 5
      tests/routes.py

+ 72 - 5
tests/routes.py

@@ -15,8 +15,8 @@ class TestRoutes:
     def teardown_method(self, _):
         c.db.close()
 
-    def mk_user(self, name="gdritter", password="foo") -> m.User:
-        return m.User.from_request(r.User(name=name, password=password,))
+    def mk_user(self, username="gdritter", password="foo") -> m.User:
+        return m.User.from_request(r.User(name=username, password=password,))
 
     def test_index(self):
         result = self.app.get("/")
@@ -25,8 +25,8 @@ class TestRoutes:
     def test_successful_api_login(self):
         username = "gdritter"
         password = "bar"
-        u = self.mk_user(password=password)
-        result = self.app.post("/auth", json={"name": username, "password": password,})
+        u = self.mk_user(username=username, password=password)
+        result = self.app.post("/auth", json={"name": username, "password": password})
         assert result.status == "200 OK"
         decoded_token = c.serializer.loads(result.json["token"])
         assert decoded_token["name"] == username
@@ -35,6 +35,73 @@ class TestRoutes:
     def test_failed_api_login(self):
         username = "gdritter"
         password = "bar"
+        u = self.mk_user(username=username, password=password)
+        result = self.app.post("/auth", json={"name": username, "password": "foo"})
+        assert result.status == "403 FORBIDDEN"
+
+    def test_successful_web_login(self):
+        username = "gdritter"
+        password = "bar"
+        u = self.mk_user(username=username, password=password)
+        result = self.app.post(
+            "/auth",
+            data={"username": username, "password": password},
+            follow_redirects=True,
+        )
+        assert result.status == "200 OK"
+
+    def test_failed_web_login(self):
+        username = "gdritter"
+        password = "bar"
+        u = self.mk_user(username=username, password=password)
+        result = self.app.post("/auth", data={"username": username, "password": "foo"})
+        assert result.status == "403 FORBIDDEN"
+
+    def test_successful_api_add_link(self):
+        password = "foo"
         u = self.mk_user(password=password)
-        result = self.app.post("/auth", json={"name": username, "password": "foo",})
+        result = self.app.post("/auth", json={"name": u.name, "password": password})
+        assert result.status == "200 OK"
+        token = result.json["token"]
+        result = self.app.post(
+            f"/u/{u.name}/l",
+            json={
+                "url": "http://example.com/",
+                "name": "Example Dot Com",
+                "description": "Some Description",
+                "private": False,
+                "tags": ["website"],
+            },
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        assert result.status == "200 OK"
+        assert result.json["url"] == "http://example.com/"
+
+    def test_no_permissions_api_add_link(self):
+        # create a user who owns a link collection
+        owner = self.mk_user()
+        password = "foo"
+
+        # and another user who should not be able to post to it
+        interloper = self.mk_user(username="interloper", password=password)
+
+        # authenticate as interloper
+        result = self.app.post(
+            "/auth", json={"name": interloper.name, "password": password}
+        )
+        assert result.status == "200 OK"
+        token = result.json["token"]
+
+        # try to add a link to owner's collection
+        result = self.app.post(
+            f"/u/{owner.name}/l",
+            json={
+                "url": "http://example.com/",
+                "name": "Example Dot Com",
+                "description": "Some Description",
+                "private": False,
+                "tags": ["website"],
+            },
+            headers={"Authorization": f"Bearer {token}"},
+        )
         assert result.status == "403 FORBIDDEN"
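Review bot: `test_no_permissions_api_add_link` asserts only the status of the rejected POST, so a handler that stored the link in the owner's collection before returning 403 would still pass. After the final assert the test should read the owner's links back and confirm nothing was added; until the right accessor is picked, add `# TODO: assert owner's links are unchanged after the rejected POST`. Both accounts also get the password `"foo"` (the `mk_user` default for `owner` and the local `password` for `interloper`), so changing the local to something like `password = "interloper-pw"` would keep the two credentials distinguishable. Every new case sends either a valid token or a wrong password for an existing user, so a POST to `/u/{owner.name}/l` with no `Authorization` header and a login for a name that does not exist are not covered in this hunk. The hunk ends on the last assert, so anything after it in `TestRoutes` is not visible here.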