From 834eecd0f14b51752f6f16d9d5a3557338a8549b Mon Sep 17 00:00:00 2001
From: Leo Hemsted
Date: Fri, 10 Nov 2017 15:24:37 +0000
Subject: [PATCH] make sure you can't edit password
---
 tests/app/user/test_rest.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tests/app/user/test_rest.py b/tests/app/user/test_rest.py
index 8c97e5d70..00444ea64 100644
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -564,3 +564,13 @@ def test_cannot_update_user_with_mobile_number_as_empty_string(admin_request, sa
 _expected_status=400
 )
 assert resp['message']['mobile_number'] == ['Invalid phone number: Not enough digits']
+
+
+def test_cannot_update_user_password_using_attributes_method(admin_request, sample_user):
+ resp = admin_request.post(
+ 'user.update_user_attribute',
+ user_id=sample_user.id,
+ _data={'password': 'foo'},
+ _expected_status=400
+ )
+ assert resp['message']['_schema'] == ['Unknown field name password']
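Review bot: The new test_cannot_update_user_password_using_attributes_method checks only the 400 status and the `_schema` error text, so it would still pass if the handler wrote the new password before rejecting the request. After the `admin_request.post(...)` call, also assert that the stored credential is unchanged, by capturing the user's password hash before the request and comparing it afterwards. The model's field name is not visible in this hunk, so the added line would look like `assert sample_user.<password_hash_field> == hash_before`, with the real attribute substituted. A comment above the test, such as `# credential fields must be rejected by the attribute-update schema, not silently ignored`, would record why the exact error message is pinned.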