"""Teste US-006 (PRD 5.12): editarea unui rand de preview deschide MODALUL global,
nu un rand inline (tr.preview-edit).
TDD RED: testele sunt scrise inainte de implementare.
Scenarii:
1. GET editare-modal → fragment pentru #detaliu-modal-body (NU tr.preview-edit).
2. POST editeaza cu succes → HX-Trigger-After-Settle: inchideModal + OOB rand+contoare.
3. Buton Anuleaza = inchidere modal, fara cerere catre /_import/.../rand/{i} (R5).
4. Scoping 404 cross-account.
5. Guard committed → 409.
6. INVARIANT CRITIC (R2): tabela submissions NEATINSA dupa editare preview.
"""
from __future__ import annotations
import io
import os
import re
import tempfile
import pytest
from fastapi.testclient import TestClient
# --------------------------------------------------------------------------- #
# Fixtures #
# --------------------------------------------------------------------------- #
@pytest.fixture()
def client(monkeypatch):
"""Client fara autentificare web obligatorie (conte 1 implicit)."""
tmp = tempfile.mkdtemp()
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "pe.db"))
monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
from app.config import get_settings
get_settings.cache_clear()
from app.crypto import reset_cache
reset_cache()
from app.main import app
with TestClient(app) as c:
yield c
get_settings.cache_clear()
reset_cache()
@pytest.fixture()
def client_auth(monkeypatch):
"""Client cu autentificare web obligatorie (pentru teste de scoping cross-account)."""
tmp = tempfile.mkdtemp()
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "pe_auth.db"))
monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "true")
from app.config import get_settings
get_settings.cache_clear()
from app.crypto import reset_cache
reset_cache()
from app.web import ratelimit
ratelimit._hits.clear()
from app.main import app
with TestClient(app, follow_redirects=False) as c:
yield c
ratelimit._hits.clear()
get_settings.cache_clear()
reset_cache()
# --------------------------------------------------------------------------- #
# Helpere #
# --------------------------------------------------------------------------- #
def _seed_op1(account_id: int = 1) -> None:
"""Semeaza nomenclator + mapare OP-1 → R-FRANE (auto_send=1)."""
from app.db import get_connection
conn = get_connection()
try:
conn.execute(
"INSERT OR REPLACE INTO nomenclator_rar (cod_prestatie, nume_prestatie) "
"VALUES ('R-FRANE','Reparatie frane')"
)
conn.execute(
"INSERT OR IGNORE INTO operations_mapping (account_id, cod_op_service, cod_prestatie, auto_send) "
"VALUES (?, 'OP-1', 'R-FRANE', 1)",
(account_id,),
)
conn.commit()
finally:
conn.close()
def _csv_bytes(rows: list[dict], sep: str = ";") -> bytes:
import csv as _csv
buf = io.StringIO()
writer = _csv.DictWriter(buf, fieldnames=list(rows[0].keys()), delimiter=sep)
writer.writeheader()
writer.writerows(rows)
return buf.getvalue().encode("utf-8")
_SAMPLE_ROWS = [
{
"VIN": "WVWZZZ1KZAW000123",
"Nr": "B001TST",
"Data": "2026-06-10",
"KM": "123456",
"Operatie": "OP-1",
},
{
"VIN": "WVWZZZ1KZAW000456",
"Nr": "B002TST",
"Data": "2026-06-11",
"KM": "200000",
"Operatie": "OP-1",
},
]
_MAP_COLS = {
"VIN": "vin",
"Nr": "nr_inmatriculare",
"Data": "data_prestatie",
"KM": "odometru_final",
"Operatie": "operatie",
}
def _get_csrf(client: TestClient) -> str:
"""Obtine CSRF token din sesiunea curenta prin GET pe pagina principala."""
r = client.get("/")
m = re.search(r'name="csrf_token"\s+value="([^"]+)"', r.text) or \
re.search(r'value="([^"]+)"\s+name="csrf_token"', r.text)
return m.group(1) if m else ""
def _upload_and_preview(client: TestClient, rows: list[dict] | None = None) -> int:
"""Upload CSV + salveaza mapare coloane → preview. Intoarce import_id.
Obtine CSRF inainte de fiecare POST (necesar cand AUTOPASS_WEB_AUTH_REQUIRED=true).
"""
rows = rows or _SAMPLE_ROWS
csv_data = _csv_bytes(rows)
csrf = _get_csrf(client)
r = client.post(
"/_import/upload",
files={"file": ("test.csv", io.BytesIO(csv_data), "text/csv")},
data={"csrf_token": csrf},
)
assert r.status_code == 200, r.text
m = re.search(r"/_import/(\d+)/mapare-coloane", r.text)
assert m, f"import_id negasit in raspuns: {r.text[:300]}"
iid = int(m.group(1))
colnames = list(rows[0].keys())
canons = [_MAP_COLS[c] for c in colnames]
csrf2 = _get_csrf(client)
r2 = client.post(f"/_import/{iid}/mapare-coloane", data={
"colname": colnames,
"canon": canons,
"format_data": "YYYY-MM-DD",
"csrf_token": csrf2,
})
assert r2.status_code == 200, r2.text
return iid
def _login(client: TestClient, email: str, password: str = "parola123secure") -> None:
"""Login in sesiune web."""
resp = client.get("/login")
m = re.search(r'name="csrf_token"\s+value="([^"]+)"', resp.text) or \
re.search(r'value="([^"]+)"\s+name="csrf_token"', resp.text)
assert m, "csrf_token negasit in pagina login"
resp = client.post("/login", data={
"email": email,
"parola": password,
"csrf_token": m.group(1),
})
assert resp.status_code == 303, f"Login esuat: {resp.status_code}"
def _create_user(email: str, password: str = "parola123secure") -> int:
"""Creeaza cont + user. Intoarce account_id."""
from app.db import get_connection
from app.accounts import create_account
from app.users import create_user
conn = get_connection()
try:
acct = create_account(conn, "TestFirma", active=True)
create_user(conn, acct, email, password)
return acct
finally:
conn.close()
def _count_submissions() -> int:
from app.db import get_connection
conn = get_connection()
try:
return conn.execute("SELECT COUNT(*) FROM submissions").fetchone()[0]
finally:
conn.close()
# --------------------------------------------------------------------------- #
# Teste #
# --------------------------------------------------------------------------- #
def test_editeaza_preview_serveste_fragment_modal(client):
"""GET /_import/{id}/rand/0/editare-modal randeaza fragment pentru modal,
NU tr.preview-edit (randul inline).
Verifica:
- Raspuns 200
- Contine formular cu hx-post catre /editeaza
- Contine campurile de editare (data_prestatie, vin, etc.)
- NU contine clasa 'preview-edit' (randul inline eliminat)
- Contine id="detaliu-modal-titlu" (heading pentru aria-labelledby)
"""
_seed_op1()
iid = _upload_and_preview(client)
r = client.get(f"/_import/{iid}/rand/0/editare-modal")
assert r.status_code == 200, r.text
html = r.text
# Formular cu actiune POST catre editeaza
assert f'hx-post="/_import/{iid}/rand/0/editeaza"' in html, \
"Fragmentul modal trebuie sa aiba form cu hx-post catre editeaza"
# Campurile de editare prezente
assert 'name="data_prestatie"' in html, "Camp data_prestatie lipsa"
assert 'name="vin"' in html, "Camp vin lipsa"
assert 'name="nr_inmatriculare"' in html, "Camp nr_inmatriculare lipsa"
# NU randul inline de tip preview-edit
assert "preview-edit" not in html, \
"Clasa 'preview-edit' (randul inline) nu trebuie sa existe in fragmentul modal"
# Heading pentru aria-labelledby al modalului
assert 'id="detaliu-modal-titlu"' in html, \
"Fragmentul modal trebuie sa aiba id='detaliu-modal-titlu'"
# Nu contine #confirm-form (inputurile nu sunt legate de formularul de confirmare)
assert 'id="confirm-form"' not in html, \
"Fragmentul modal nu trebuie sa contina confirm-form"
def test_salvare_preview_inchide_modal_si_reincarca(client):
"""POST /_import/{id}/rand/0/editeaza cu date valide → inchide modalul + reincarca preview-ul.
Contractul a fost schimbat (dogfood 5.13): OOB swap pe esua tacit in htmx 1.9
(un
brut se pierde la parsarea fragmentului) -> randul ramanea cu starea veche.
Acum raspunsul NU mai contine OOB pe rand; emite HX-Trigger:
- reincarcaPreview -> #import-section isi reincarca preview-ul complet;
- randSalvat (cu nr + stare) -> toast + evidentiere in base.html;
iar HX-Trigger-After-Settle: inchideModal inchide modalul.
Verifica:
- Status 200
- HX-Trigger-After-Settle contine 'inchideModal'
- HX-Trigger contine 'reincarcaPreview' si 'randSalvat' (cu numarul randului)
- Raspunsul NU re-randeaza inline randul/sectiunea (reload via GET)
"""
import json as _json
_seed_op1()
iid = _upload_and_preview(client)
r = client.post(f"/_import/{iid}/rand/0/editeaza", data={
"data_prestatie": "2026-06-15",
})
assert r.status_code == 200, r.text
trigger_settle = r.headers.get("HX-Trigger-After-Settle", "")
assert "inchideModal" in trigger_settle, \
f"HX-Trigger-After-Settle trebuie sa contina 'inchideModal', gasit: '{trigger_settle}'"
trigger = _json.loads(r.headers.get("HX-Trigger", "{}"))
assert trigger.get("reincarcaPreview") is True, \
"HX-Trigger trebuie sa ceara reincarcarea preview-ului (reincarcaPreview)"
assert "randSalvat" in trigger, "HX-Trigger trebuie sa contina detaliile randului salvat"
assert trigger["randSalvat"]["nr"] == 1, "randSalvat.nr = numarul (1-based) al randului editat"
assert "stare" in trigger["randSalvat"], "randSalvat trebuie sa contina noua stare (pentru toast)"
# Raspunsul e doar un stub invizibil — randul real vine din reload, nu din OOB.
assert 'id="preview-row-0"' not in r.text, \
"Noul contract NU mai face OOB swap pe rand (reload complet via reincarcaPreview)"
def test_anuleaza_nu_lasa_rand_orfan(client):
"""Butonul Anuleaza din fragmentul modal inchide modalul fara cerere catre server.
Reproduce eroarea htmx 'TypeError: Cannot read properties of null
(reading htmx-internal-data)' (R5) — generata de ramura editing inline care
facea un GET pe /_import/.../rand/{i} la Anuleaza, iar dupa stergerea randului
din DOM, htmx nu mai gasea tinta.
Verifica la nivel de markup: butonul Anuleaza NU are hx-get catre rand.
"""
_seed_op1()
iid = _upload_and_preview(client)
r = client.get(f"/_import/{iid}/rand/0/editare-modal")
assert r.status_code == 200
html = r.text
# Butonul Anuleaza nu trebuie sa aiba hx-get catre ruta randului
# (eroarea htmx aparea exact din aceasta cerere)
# Cauta pattern-ul care ar produce eroarea: hx-get catre rand display (fara sufix)
assert f'hx-get="/_import/{iid}/rand/0"' not in html, \
"Butonul Anuleaza NU trebuie sa faca GET pe /_import/.../rand/0 (produce eroare htmx)"
# Fragmentul modal trebuie sa aiba un mecanism de inchidere fara request
# (data-modal-close sau onclick cu window.inchideDetaliu)
has_modal_close = "data-modal-close" in html or "inchideDetaliu" in html
assert has_modal_close, \
"Butonul Anuleaza trebuie sa inchida modalul local (data-modal-close sau inchideDetaliu)"
def test_editare_preview_scoped_404_alt_cont(client_auth):
"""GET si POST editare-modal pe un rand al altui cont → 404 (scoping JOIN).
Nu confirmam existenta rand-ului cross-account (acelasi mesaj ca inexistent).
"""
from app.db import get_connection
from app.accounts import create_account
from app.users import create_user
# Creeaza doua conturi
conn = get_connection()
try:
acct1 = create_account(conn, "Firma A", active=True)
create_user(conn, acct1, "user_a@test.com", "parola123secure")
acct2 = create_account(conn, "Firma B", active=True)
create_user(conn, acct2, "user_b@test.com", "parola123secure")
finally:
conn.close()
# Seed nomenclator pentru ambele conturi (global)
_seed_op1(acct1)
# Login ca user A si creeaza batch
_login(client_auth, "user_a@test.com")
iid = _upload_and_preview(client_auth)
# Login ca user B si incearca sa acceseze batch-ul lui A
_login(client_auth, "user_b@test.com")
r_get = client_auth.get(f"/_import/{iid}/rand/0/editare-modal")
assert r_get.status_code == 404, \
f"GET editare-modal cross-account trebuie sa returneze 404, got {r_get.status_code}"
r_post = client_auth.post(f"/_import/{iid}/rand/0/editeaza", data={
"data_prestatie": "2026-06-20",
"csrf_token": "dummy",
})
assert r_post.status_code in (403, 404), \
f"POST editeaza cross-account trebuie sa returneze 403/404, got {r_post.status_code}"
def test_editare_batch_committed_409(client):
"""POST editeaza pe un batch deja comis → 409.
Guard committed: batch trimis ireversibil nu mai poate fi editat
(editarea nu mai are efect downstream).
"""
from app.db import get_connection
_seed_op1()
iid = _upload_and_preview(client)
# Marcheaza batch ca committed
conn = get_connection()
try:
conn.execute("UPDATE import_batches SET status='committed' WHERE id=?", (iid,))
conn.commit()
finally:
conn.close()
r = client.post(f"/_import/{iid}/rand/0/editeaza", data={
"data_prestatie": "2026-06-20",
})
assert r.status_code == 409, \
f"Editare pe batch committed trebuie sa returneze 409, got {r.status_code}"
def test_submissions_neatins_dupa_editare_preview(client):
"""INVARIANT CRITIC (R2): dupa editarea unui rand de preview, tabela submissions
ramane NEATINSA.
Editarea preview = override-only pe import_rows.override_json.
NU re-queue, NU insereaza, NU modifica submissions.
"""
_seed_op1()
iid = _upload_and_preview(client)
# Numara submissions inainte de editare
n_before = _count_submissions()
# Editeaza randul 0
r = client.post(f"/_import/{iid}/rand/0/editeaza", data={
"data_prestatie": "2026-06-15",
})
assert r.status_code == 200, r.text
# Verifica ca submissions nu a fost atinsa
n_after = _count_submissions()
assert n_after == n_before, (
f"Editarea preview a atins tabela submissions! "
f"Inainte: {n_before}, dupa: {n_after}. "
"Editarea trebuie sa fie override-only (import_rows.override_json), NU re-queue."
)
def test_eroare_validare_modalul_ramane_deschis(client):
"""POST editeaza cu data invalida → raspuns 200 cu formularul si erorile per-camp.
La eroare de validare, modalul ramane deschis cu valorile introduse si mesajele
de eroare per-camp. NU emite inchideModal.
"""
_seed_op1()
iid = _upload_and_preview(client)
r = client.post(f"/_import/{iid}/rand/0/editeaza", data={
"data_prestatie": "data-invalida",
})
assert r.status_code == 200, r.text
html = r.text
# Formularul trebuie sa fie prezent (modalul ramane deschis)
assert f'hx-post="/_import/{iid}/rand/0/editeaza"' in html, \
"La eroare de validare, formularul trebuie sa ramana in modal"
# NU emite inchideModal (modalul ramane deschis)
trigger = r.headers.get("HX-Trigger-After-Settle", "")
assert "inchideModal" not in trigger, \
"La eroare de validare, NU trebuie emis inchideModal"
# Valoarea invalida pastrata (pentru corectie usoara)
assert "data-invalida" in html, "Valoarea invalida trebuie pastrata in formular"
# Mesaj de eroare per-camp
assert "data" in html.lower(), "Trebuie sa existe mesaj de eroare legat de data"
def test_preview_buton_editeaza_tinteste_detaliu_modal_body(client):
"""Butonul 'Editeaza' din tabelul de preview tinteste #detaliu-modal-body,
nu randul inline (#preview-row-N).
Verifica ca in fragmentul preview, butonul de editare are:
- hx-target="#detaliu-modal-body"
- URL catre endpoint-ul de editare-modal
"""
_seed_op1()
iid = _upload_and_preview(client)
r = client.get(f"/_import/{iid}/preview")
assert r.status_code == 200, r.text
html = r.text
# Butonul Editeaza trebuie sa tinteasca detaliu-modal-body
assert 'hx-target="#detaliu-modal-body"' in html, \
"Butonul Editeaza trebuie sa aiba hx-target='#detaliu-modal-body'"
# URL de editare prezent (editare-modal sau editare care redirecteaza la modal)
assert f"/_import/{iid}/rand/0/editare" in html, \
"URL-ul de editare trebuie sa fie prezent in preview"
# NU mai exista clasa preview-edit pe randuri (ramura inline eliminata)
assert 'class="preview-edit"' not in html, \
"Clasa 'preview-edit' (randul inline) nu trebuie sa fie in preview dupa US-006"
# NU mai exista atribut data-editing="1" pe randuri (mutual-exclusion eliminata)
assert 'data-editing="1"' not in html, \
"Atributul data-editing='1' nu trebuie sa fie pe randuri dupa US-006"
# --------------------------------------------------------------------------- #
# Teste markup Bug 2: btn-editeaza deschide modalul prin open() global (B2) #
# --------------------------------------------------------------------------- #
def test_btn_editeaza_nu_are_js_inline_open_modal():
"""Bug B2 (markup): butonul .btn-editeaza din _preview_rand.html NU trebuie
sa mai deschida modalul cu JS inline (removeAttribute('hidden')).
Deschiderea trebuie sa treaca prin open(triggerRow) din base.html, altfel
nu primeste inert/aria-hidden si focus-trap-ul nu e instalat.
"""
import pathlib
template = (
pathlib.Path(__file__).parent.parent
/ "app/web/templates/_preview_rand.html"
)
html = template.read_text(encoding="utf-8")
# Gasim sectiunea butonului .btn-editeaza
idx = html.find("btn-editeaza")
assert idx >= 0, "Butonul .btn-editeaza nu a fost gasit in template"
btn_section = html[idx:]
# NU trebuie sa existe inline JS care face removeAttribute('hidden') pe modal
assert "removeAttribute('hidden')" not in btn_section, (
"Butonul .btn-editeaza NU trebuie sa mai aiba JS inline care face "
"removeAttribute('hidden') — deschiderea trebuie sa treaca prin "
"open(triggerRow) din base.html pentru focus-trap + inert pe ."
)
# NU trebuie sa existe hx-on:htmx:before-request inline pe btn-editeaza
# (mecanismul de deschidere trebuie sa fie in handler-ul global din base.html)
assert "hx-on:htmx:before-request" not in btn_section.split("")[0] \
and "hx-on::before-request" not in btn_section.split("")[0], (
"Butonul .btn-editeaza NU trebuie sa aiba hx-on:htmx:before-request inline. "
"Deschiderea modalului trebuie sa fie in handler-ul global din base.html."
)
def test_base_html_deschide_modal_pentru_btn_editeaza():
"""Bug B2 (markup): handler-ul htmx:beforeRequest din base.html trebuie sa
apeleze open() si pentru butonul .btn-editeaza (nu doar pentru .trimitere-row).
Fara aceasta generalizare, nu primeste inert/aria-hidden, focus-trap-ul
nu e instalat si focusul nu e readus pe buton la inchidere (US-006).
"""
import pathlib
base = (
pathlib.Path(__file__).parent.parent
/ "app/web/templates/base.html"
)
html = base.read_text(encoding="utf-8")
# Handler-ul htmx:beforeRequest trebuie sa tina cont de btn-editeaza
# SAU de hx-target="#detaliu-modal-body" (oricare din cele doua abordari e OK)
handler_idx = html.find("htmx:beforeRequest")
assert handler_idx >= 0, "Handler-ul htmx:beforeRequest nu a fost gasit in base.html"
# Cauta in zona handler-ului (urmatoarele 500 de caractere)
handler_zone = html[handler_idx:handler_idx + 500]
handles_btn_editeaza = (
"btn-editeaza" in handler_zone
or 'detaliu-modal-body' in handler_zone
or "editare-modal" in handler_zone
)
assert handles_btn_editeaza, (
"Handler-ul htmx:beforeRequest din base.html trebuie sa trateze si butonul "
".btn-editeaza (sau sa verifice hx-target='#detaliu-modal-body') pentru a "
"apela open() si instala focus-trap-ul (US-006)."
)