"""Teste US-006 (PRD 5.12): editarea unui rand de preview deschide MODALUL global, nu un rand inline (tr.preview-edit). TDD RED: testele sunt scrise inainte de implementare. Scenarii: 1. GET editare-modal → fragment pentru #detaliu-modal-body (NU tr.preview-edit). 2. POST editeaza cu succes → HX-Trigger-After-Settle: inchideModal + OOB rand+contoare. 3. Buton Anuleaza = inchidere modal, fara cerere catre /_import/.../rand/{i} (R5). 4. Scoping 404 cross-account. 5. Guard committed → 409. 6. INVARIANT CRITIC (R2): tabela submissions NEATINSA dupa editare preview. """ from __future__ import annotations import io import os import re import tempfile import pytest from fastapi.testclient import TestClient # --------------------------------------------------------------------------- # # Fixtures # # --------------------------------------------------------------------------- # @pytest.fixture() def client(monkeypatch): """Client fara autentificare web obligatorie (conte 1 implicit).""" tmp = tempfile.mkdtemp() monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "pe.db")) monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false") from app.config import get_settings get_settings.cache_clear() from app.crypto import reset_cache reset_cache() from app.main import app with TestClient(app) as c: yield c get_settings.cache_clear() reset_cache() @pytest.fixture() def client_auth(monkeypatch): """Client cu autentificare web obligatorie (pentru teste de scoping cross-account).""" tmp = tempfile.mkdtemp() monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "pe_auth.db")) monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "true") from app.config import get_settings get_settings.cache_clear() from app.crypto import reset_cache reset_cache() from app.web import ratelimit ratelimit._hits.clear() from app.main import app with TestClient(app, follow_redirects=False) as c: yield c ratelimit._hits.clear() get_settings.cache_clear() reset_cache() # --------------------------------------------------------------------------- # # Helpere # # --------------------------------------------------------------------------- # def _seed_op1(account_id: int = 1) -> None: """Semeaza nomenclator + mapare OP-1 → R-FRANE (auto_send=1).""" from app.db import get_connection conn = get_connection() try: conn.execute( "INSERT OR REPLACE INTO nomenclator_rar (cod_prestatie, nume_prestatie) " "VALUES ('R-FRANE','Reparatie frane')" ) conn.execute( "INSERT OR IGNORE INTO operations_mapping (account_id, cod_op_service, cod_prestatie, auto_send) " "VALUES (?, 'OP-1', 'R-FRANE', 1)", (account_id,), ) conn.commit() finally: conn.close() def _csv_bytes(rows: list[dict], sep: str = ";") -> bytes: import csv as _csv buf = io.StringIO() writer = _csv.DictWriter(buf, fieldnames=list(rows[0].keys()), delimiter=sep) writer.writeheader() writer.writerows(rows) return buf.getvalue().encode("utf-8") _SAMPLE_ROWS = [ { "VIN": "WVWZZZ1KZAW000123", "Nr": "B001TST", "Data": "2026-06-10", "KM": "123456", "Operatie": "OP-1", }, { "VIN": "WVWZZZ1KZAW000456", "Nr": "B002TST", "Data": "2026-06-11", "KM": "200000", "Operatie": "OP-1", }, ] _MAP_COLS = { "VIN": "vin", "Nr": "nr_inmatriculare", "Data": "data_prestatie", "KM": "odometru_final", "Operatie": "operatie", } def _get_csrf(client: TestClient) -> str: """Obtine CSRF token din sesiunea curenta prin GET pe pagina principala.""" r = client.get("/") m = re.search(r'name="csrf_token"\s+value="([^"]+)"', r.text) or \ re.search(r'value="([^"]+)"\s+name="csrf_token"', r.text) return m.group(1) if m else "" def _upload_and_preview(client: TestClient, rows: list[dict] | None = None) -> int: """Upload CSV + salveaza mapare coloane → preview. Intoarce import_id. Obtine CSRF inainte de fiecare POST (necesar cand AUTOPASS_WEB_AUTH_REQUIRED=true). """ rows = rows or _SAMPLE_ROWS csv_data = _csv_bytes(rows) csrf = _get_csrf(client) r = client.post( "/_import/upload", files={"file": ("test.csv", io.BytesIO(csv_data), "text/csv")}, data={"csrf_token": csrf}, ) assert r.status_code == 200, r.text m = re.search(r"/_import/(\d+)/mapare-coloane", r.text) assert m, f"import_id negasit in raspuns: {r.text[:300]}" iid = int(m.group(1)) colnames = list(rows[0].keys()) canons = [_MAP_COLS[c] for c in colnames] csrf2 = _get_csrf(client) r2 = client.post(f"/_import/{iid}/mapare-coloane", data={ "colname": colnames, "canon": canons, "format_data": "YYYY-MM-DD", "csrf_token": csrf2, }) assert r2.status_code == 200, r2.text return iid def _login(client: TestClient, email: str, password: str = "parola123secure") -> None: """Login in sesiune web.""" resp = client.get("/login") m = re.search(r'name="csrf_token"\s+value="([^"]+)"', resp.text) or \ re.search(r'value="([^"]+)"\s+name="csrf_token"', resp.text) assert m, "csrf_token negasit in pagina login" resp = client.post("/login", data={ "email": email, "parola": password, "csrf_token": m.group(1), }) assert resp.status_code == 303, f"Login esuat: {resp.status_code}" def _create_user(email: str, password: str = "parola123secure") -> int: """Creeaza cont + user. Intoarce account_id.""" from app.db import get_connection from app.accounts import create_account from app.users import create_user conn = get_connection() try: acct = create_account(conn, "TestFirma", active=True) create_user(conn, acct, email, password) return acct finally: conn.close() def _count_submissions() -> int: from app.db import get_connection conn = get_connection() try: return conn.execute("SELECT COUNT(*) FROM submissions").fetchone()[0] finally: conn.close() # --------------------------------------------------------------------------- # # Teste # # --------------------------------------------------------------------------- # def test_editeaza_preview_serveste_fragment_modal(client): """GET /_import/{id}/rand/0/editare-modal randeaza fragment pentru modal, NU tr.preview-edit (randul inline). Verifica: - Raspuns 200 - Contine formular cu hx-post catre /editeaza - Contine campurile de editare (data_prestatie, vin, etc.) - NU contine clasa 'preview-edit' (randul inline eliminat) - Contine id="detaliu-modal-titlu" (heading pentru aria-labelledby) """ _seed_op1() iid = _upload_and_preview(client) r = client.get(f"/_import/{iid}/rand/0/editare-modal") assert r.status_code == 200, r.text html = r.text # Formular cu actiune POST catre editeaza assert f'hx-post="/_import/{iid}/rand/0/editeaza"' in html, \ "Fragmentul modal trebuie sa aiba form cu hx-post catre editeaza" # Campurile de editare prezente assert 'name="data_prestatie"' in html, "Camp data_prestatie lipsa" assert 'name="vin"' in html, "Camp vin lipsa" assert 'name="nr_inmatriculare"' in html, "Camp nr_inmatriculare lipsa" # NU randul inline de tip preview-edit assert "preview-edit" not in html, \ "Clasa 'preview-edit' (randul inline) nu trebuie sa existe in fragmentul modal" # Heading pentru aria-labelledby al modalului assert 'id="detaliu-modal-titlu"' in html, \ "Fragmentul modal trebuie sa aiba id='detaliu-modal-titlu'" # Nu contine #confirm-form (inputurile nu sunt legate de formularul de confirmare) assert 'id="confirm-form"' not in html, \ "Fragmentul modal nu trebuie sa contina confirm-form" def test_salvare_preview_inchide_modal_si_oob_rand(client): """POST /_import/{id}/rand/0/editeaza cu date valide → HX-Trigger-After-Settle: inchideModal + OOB pe rand (#preview-row-0) si contoare (#preview-rezumat). Verifica: - Status 200 - Header HX-Trigger-After-Settle contine 'inchideModal' - Raspuns contine OOB pentru randul actualizat (hx-swap-oob prezent) - Raspuns contine OOB pentru rezumat (#preview-rezumat) - NU re-randeaza intreaga sectiune (#import-section absent) """ _seed_op1() iid = _upload_and_preview(client) r = client.post(f"/_import/{iid}/rand/0/editeaza", data={ "data_prestatie": "2026-06-15", }) assert r.status_code == 200, r.text html = r.text # Header de inchidere modal trigger = r.headers.get("HX-Trigger-After-Settle", "") assert "inchideModal" in trigger, \ f"Header HX-Trigger-After-Settle trebuie sa contina 'inchideModal', gasit: '{trigger}'" # OOB pe randul actualizat assert 'id="preview-row-0"' in html, \ "Raspunsul trebuie sa contina randul actualizat (#preview-row-0)" assert "hx-swap-oob" in html, \ "Raspunsul trebuie sa contina OOB swap" # OOB pe rezumatul stari assert 'id="preview-rezumat"' in html, \ "Raspunsul trebuie sa contina OOB pe #preview-rezumat" # NU re-randeaza intreaga sectiune de import assert 'id="import-section"' not in html, \ "Editarea randului NU trebuie sa re-randeze intreaga sectiune #import-section" def test_anuleaza_nu_lasa_rand_orfan(client): """Butonul Anuleaza din fragmentul modal inchide modalul fara cerere catre server. Reproduce eroarea htmx 'TypeError: Cannot read properties of null (reading htmx-internal-data)' (R5) — generata de ramura editing inline care facea un GET pe /_import/.../rand/{i} la Anuleaza, iar dupa stergerea randului din DOM, htmx nu mai gasea tinta. Verifica la nivel de markup: butonul Anuleaza NU are hx-get catre rand. """ _seed_op1() iid = _upload_and_preview(client) r = client.get(f"/_import/{iid}/rand/0/editare-modal") assert r.status_code == 200 html = r.text # Butonul Anuleaza nu trebuie sa aiba hx-get catre ruta randului # (eroarea htmx aparea exact din aceasta cerere) # Cauta pattern-ul care ar produce eroarea: hx-get catre rand display (fara sufix) assert f'hx-get="/_import/{iid}/rand/0"' not in html, \ "Butonul Anuleaza NU trebuie sa faca GET pe /_import/.../rand/0 (produce eroare htmx)" # Fragmentul modal trebuie sa aiba un mecanism de inchidere fara request # (data-modal-close sau onclick cu window.inchideDetaliu) has_modal_close = "data-modal-close" in html or "inchideDetaliu" in html assert has_modal_close, \ "Butonul Anuleaza trebuie sa inchida modalul local (data-modal-close sau inchideDetaliu)" def test_editare_preview_scoped_404_alt_cont(client_auth): """GET si POST editare-modal pe un rand al altui cont → 404 (scoping JOIN). Nu confirmam existenta rand-ului cross-account (acelasi mesaj ca inexistent). """ from app.db import get_connection from app.accounts import create_account from app.users import create_user # Creeaza doua conturi conn = get_connection() try: acct1 = create_account(conn, "Firma A", active=True) create_user(conn, acct1, "user_a@test.com", "parola123secure") acct2 = create_account(conn, "Firma B", active=True) create_user(conn, acct2, "user_b@test.com", "parola123secure") finally: conn.close() # Seed nomenclator pentru ambele conturi (global) _seed_op1(acct1) # Login ca user A si creeaza batch _login(client_auth, "user_a@test.com") iid = _upload_and_preview(client_auth) # Login ca user B si incearca sa acceseze batch-ul lui A _login(client_auth, "user_b@test.com") r_get = client_auth.get(f"/_import/{iid}/rand/0/editare-modal") assert r_get.status_code == 404, \ f"GET editare-modal cross-account trebuie sa returneze 404, got {r_get.status_code}" r_post = client_auth.post(f"/_import/{iid}/rand/0/editeaza", data={ "data_prestatie": "2026-06-20", "csrf_token": "dummy", }) assert r_post.status_code in (403, 404), \ f"POST editeaza cross-account trebuie sa returneze 403/404, got {r_post.status_code}" def test_editare_batch_committed_409(client): """POST editeaza pe un batch deja comis → 409. Guard committed: batch trimis ireversibil nu mai poate fi editat (editarea nu mai are efect downstream). """ from app.db import get_connection _seed_op1() iid = _upload_and_preview(client) # Marcheaza batch ca committed conn = get_connection() try: conn.execute("UPDATE import_batches SET status='committed' WHERE id=?", (iid,)) conn.commit() finally: conn.close() r = client.post(f"/_import/{iid}/rand/0/editeaza", data={ "data_prestatie": "2026-06-20", }) assert r.status_code == 409, \ f"Editare pe batch committed trebuie sa returneze 409, got {r.status_code}" def test_submissions_neatins_dupa_editare_preview(client): """INVARIANT CRITIC (R2): dupa editarea unui rand de preview, tabela submissions ramane NEATINSA. Editarea preview = override-only pe import_rows.override_json. NU re-queue, NU insereaza, NU modifica submissions. """ _seed_op1() iid = _upload_and_preview(client) # Numara submissions inainte de editare n_before = _count_submissions() # Editeaza randul 0 r = client.post(f"/_import/{iid}/rand/0/editeaza", data={ "data_prestatie": "2026-06-15", }) assert r.status_code == 200, r.text # Verifica ca submissions nu a fost atinsa n_after = _count_submissions() assert n_after == n_before, ( f"Editarea preview a atins tabela submissions! " f"Inainte: {n_before}, dupa: {n_after}. " "Editarea trebuie sa fie override-only (import_rows.override_json), NU re-queue." ) def test_eroare_validare_modalul_ramane_deschis(client): """POST editeaza cu data invalida → raspuns 200 cu formularul si erorile per-camp. La eroare de validare, modalul ramane deschis cu valorile introduse si mesajele de eroare per-camp. NU emite inchideModal. """ _seed_op1() iid = _upload_and_preview(client) r = client.post(f"/_import/{iid}/rand/0/editeaza", data={ "data_prestatie": "data-invalida", }) assert r.status_code == 200, r.text html = r.text # Formularul trebuie sa fie prezent (modalul ramane deschis) assert f'hx-post="/_import/{iid}/rand/0/editeaza"' in html, \ "La eroare de validare, formularul trebuie sa ramana in modal" # NU emite inchideModal (modalul ramane deschis) trigger = r.headers.get("HX-Trigger-After-Settle", "") assert "inchideModal" not in trigger, \ "La eroare de validare, NU trebuie emis inchideModal" # Valoarea invalida pastrata (pentru corectie usoara) assert "data-invalida" in html, "Valoarea invalida trebuie pastrata in formular" # Mesaj de eroare per-camp assert "data" in html.lower(), "Trebuie sa existe mesaj de eroare legat de data" def test_preview_buton_editeaza_tinteste_detaliu_modal_body(client): """Butonul 'Editeaza' din tabelul de preview tinteste #detaliu-modal-body, nu randul inline (#preview-row-N). Verifica ca in fragmentul preview, butonul de editare are: - hx-target="#detaliu-modal-body" - URL catre endpoint-ul de editare-modal """ _seed_op1() iid = _upload_and_preview(client) r = client.get(f"/_import/{iid}/preview") assert r.status_code == 200, r.text html = r.text # Butonul Editeaza trebuie sa tinteasca detaliu-modal-body assert 'hx-target="#detaliu-modal-body"' in html, \ "Butonul Editeaza trebuie sa aiba hx-target='#detaliu-modal-body'" # URL de editare prezent (editare-modal sau editare care redirecteaza la modal) assert f"/_import/{iid}/rand/0/editare" in html, \ "URL-ul de editare trebuie sa fie prezent in preview" # NU mai exista clasa preview-edit pe randuri (ramura inline eliminata) assert 'class="preview-edit"' not in html, \ "Clasa 'preview-edit' (randul inline) nu trebuie sa fie in preview dupa US-006" # NU mai exista atribut data-editing="1" pe randuri (mutual-exclusion eliminata) assert 'data-editing="1"' not in html, \ "Atributul data-editing='1' nu trebuie sa fie pe randuri dupa US-006" # --------------------------------------------------------------------------- # # Teste markup Bug 2: btn-editeaza deschide modalul prin open() global (B2) # # --------------------------------------------------------------------------- # def test_btn_editeaza_nu_are_js_inline_open_modal(): """Bug B2 (markup): butonul .btn-editeaza din _preview_rand.html NU trebuie sa mai deschida modalul cu JS inline (removeAttribute('hidden')). Deschiderea trebuie sa treaca prin open(triggerRow) din base.html, altfel
nu primeste inert/aria-hidden si focus-trap-ul nu e instalat. """ import pathlib template = ( pathlib.Path(__file__).parent.parent / "app/web/templates/_preview_rand.html" ) html = template.read_text(encoding="utf-8") # Gasim sectiunea butonului .btn-editeaza idx = html.find("btn-editeaza") assert idx >= 0, "Butonul .btn-editeaza nu a fost gasit in template" btn_section = html[idx:] # NU trebuie sa existe inline JS care face removeAttribute('hidden') pe modal assert "removeAttribute('hidden')" not in btn_section, ( "Butonul .btn-editeaza NU trebuie sa mai aiba JS inline care face " "removeAttribute('hidden') — deschiderea trebuie sa treaca prin " "open(triggerRow) din base.html pentru focus-trap + inert pe
." ) # NU trebuie sa existe hx-on:htmx:before-request inline pe btn-editeaza # (mecanismul de deschidere trebuie sa fie in handler-ul global din base.html) assert "hx-on:htmx:before-request" not in btn_section.split("")[0] \ and "hx-on::before-request" not in btn_section.split("")[0], ( "Butonul .btn-editeaza NU trebuie sa aiba hx-on:htmx:before-request inline. " "Deschiderea modalului trebuie sa fie in handler-ul global din base.html." ) def test_base_html_deschide_modal_pentru_btn_editeaza(): """Bug B2 (markup): handler-ul htmx:beforeRequest din base.html trebuie sa apeleze open() si pentru butonul .btn-editeaza (nu doar pentru .trimitere-row). Fara aceasta generalizare,
nu primeste inert/aria-hidden, focus-trap-ul nu e instalat si focusul nu e readus pe buton la inchidere (US-006). """ import pathlib base = ( pathlib.Path(__file__).parent.parent / "app/web/templates/base.html" ) html = base.read_text(encoding="utf-8") # Handler-ul htmx:beforeRequest trebuie sa tina cont de btn-editeaza # SAU de hx-target="#detaliu-modal-body" (oricare din cele doua abordari e OK) handler_idx = html.find("htmx:beforeRequest") assert handler_idx >= 0, "Handler-ul htmx:beforeRequest nu a fost gasit in base.html" # Cauta in zona handler-ului (urmatoarele 500 de caractere) handler_zone = html[handler_idx:handler_idx + 500] handles_btn_editeaza = ( "btn-editeaza" in handler_zone or 'detaliu-modal-body' in handler_zone or "editare-modal" in handler_zone ) assert handles_btn_editeaza, ( "Handler-ul htmx:beforeRequest din base.html trebuie sa trateze si butonul " ".btn-editeaza (sau sa verifice hx-target='#detaliu-modal-body') pentru a " "apela open() si instala focus-trap-ul (US-006)." )