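---
# Tavern test: user listing, retrieval and creation through /api/users,
# plus a check that a user's email cannot be changed with PATCH.
test_name: test_users
# Relaxes Tavern's strict response matching for this test.
strict: false
marks:
  - usefixtures:
      - django_live_url
stages:
  # Shared stages referenced by id; their definitions are not in this file.
  - id: signup
    type: ref
  # presumably this stage saves `user_pk`, which is used below -- confirm
  # against the shared stage definition.
  - id: get_my_user
    type: ref
  # List users as the signed-up account.
  - name: stage
    request:
      method: GET
      url: '{django_live_url}/api/users'
    response:
      status_code: 200
  # Fetch the current user and keep its organization id for the create call.
  - name: stage
    request:
      method: GET
      url: '{django_live_url}/api/users/{user_pk}'
    response:
      status_code: 200
      save:
        json:
          org_pk: active_organization
  # Create a second user in the same organization and remember its id.
  - name: stage
    request:
      json:
        email: test_user@heartextest.com
        username: test user
        # !int converts the formatted string back to an integer in the body.
        active_organization: !int '{org_pk}'
      method: POST
      url: '{django_live_url}/api/users'
    response:
      save:
        json:
          new_user_pk: id
      status_code: 201
  # The newly created user is readable by id.
  - name: stage
    request:
      method: GET
      url: '{django_live_url}/api/users/{new_user_pk}'
    response:
      status_code: 200
  # Changing a user's email through the API must be refused: the endpoint is
  # expected to answer 405 rather than apply the new address.
  - name: attempt_update_email_raises_405
    request:
      url: "{django_live_url}/api/users/{new_user_pk}"
      json:
        email: test_user_new_email_change@heartextest.com
      method: PATCH
      headers:
        content-type: application/json
    response:
      status_code: 405
---
# Tavern test: open-redirect regression check. Signup and login accept a
# `next` query parameter; when it names another host, the post-authentication
# redirect must stay on this site.
# Coverage note: only an absolute http:// target is exercised here. Other
# off-site forms of `next` (for example scheme-relative URLs) would need
# their own stages if the redirect validation is to be pinned for them too.
test_name: test_users_malicious_redirect
strict: false
marks:
  - usefixtures:
      - django_live_url
stages:
  - name: malicious_signup
    request:
      url: "{django_live_url}/user/signup?next=http://malicious.com"
      data:
        email: test_second_org@heartex.com
        # Quoted so the all-digit value stays a string in every YAML loader.
        password: '12345678'
      method: POST
    response:
      status_code: 302
      headers:
        location: "/"  # redirect to home page rather than malicious.com
  # Same check for login, using the account created by the stage above.
  - name: malicious_login
    request:
      url: "{django_live_url}/user/login?next=http://malicious.com"
      data:
        email: test_second_org@heartex.com
        password: '12345678'
      method: POST
    response:
      status_code: 302
      headers:
        location: "/"  # redirect to home page rather than malicious.com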