@@ -232,6 +232,66 @@ def test_user_profile(self):
232232 self .assertEqual (user .profile .affiliation , 'Test University' )
233233
234234
235+ class TestRegenerateAPIToken (TestCase ):
236+ """Tests for the RegenerateAPITokenView."""
237+
238+ def setUp (self ):
239+ self .admin = User .objects .create_superuser (username = 'admin' , password = 'admin' , email = 'admin@example.com' )
240+ self .user = User .objects .create_user (username = 'testuser' , password = 'testpass' , email = 'user@example.com' )
241+ # Tokens are auto-created by the post_save signal in tom_common.signals
242+
243+ def test_regenerate_own_token (self ):
244+ """A logged-in user can regenerate their own API token."""
245+ self .client .force_login (self .user )
246+ old_token_key = self .user .auth_token .key
247+
248+ # token regeneration happens here
249+ response = self .client .post (reverse ('regenerate-api-token' , kwargs = {'pk' : self .user .pk }))
250+
251+ self .user .refresh_from_db ()
252+ new_token_key = self .user .auth_token .key
253+
254+ self .assertNotEqual (old_token_key , new_token_key )
255+ self .assertRedirects (response , reverse ('user-update' , kwargs = {'pk' : self .user .pk }))
256+
257+ def test_non_superuser_cannot_regenerate_other_user_token (self ):
258+ """A non-superuser cannot regenerate another user's token."""
259+ self .client .force_login (self .user )
260+ old_token_key = self .admin .auth_token .key
261+
262+ response = self .client .post (reverse ('regenerate-api-token' , kwargs = {'pk' : self .admin .pk }))
263+
264+ # Should redirect to the requesting user's own update page
265+ self .assertRedirects (response , reverse ('user-update' , kwargs = {'pk' : self .user .pk }))
266+ # Admin's token should be unchanged
267+ self .admin .refresh_from_db ()
268+ self .assertEqual (old_token_key , self .admin .auth_token .key )
269+
270+ def test_superuser_can_regenerate_other_user_token (self ):
271+ """A superuser can regenerate another user's token."""
272+ self .client .force_login (self .admin )
273+ old_token_key = self .user .auth_token .key
274+
275+ response = self .client .post (reverse ('regenerate-api-token' , kwargs = {'pk' : self .user .pk }))
276+
277+ self .user .refresh_from_db ()
278+ new_token_key = self .user .auth_token .key
279+ self .assertNotEqual (old_token_key , new_token_key )
280+ self .assertRedirects (response , reverse ('user-update' , kwargs = {'pk' : self .user .pk }))
281+
282+ def test_get_request_returns_405 (self ):
283+ """GET requests should return 405 Method Not Allowed."""
284+ self .client .force_login (self .user )
285+ response = self .client .get (reverse ('regenerate-api-token' , kwargs = {'pk' : self .user .pk }))
286+ self .assertEqual (response .status_code , HTTPStatus .METHOD_NOT_ALLOWED )
287+
288+ def test_unauthenticated_redirects_to_login (self ):
289+ """Unauthenticated requests should redirect to login."""
290+ response = self .client .post (reverse ('regenerate-api-token' , kwargs = {'pk' : self .user .pk }))
291+ self .assertRedirects (response , reverse ('login' ) + '?next=' +
292+ reverse ('regenerate-api-token' , kwargs = {'pk' : self .user .pk }))
293+
294+
235295class TestAuthScheme (TestCase ):
236296 @override_settings (AUTH_STRATEGY = 'LOCKED' )
237297 def test_user_cannot_access_view (self ):
0 commit comments