fix CSRF test

pull/108/head
Martin Zimmermann 10 years ago
parent 3809f49f98
commit e2e69c4124

@ -7,11 +7,13 @@ import json
import unittest
from werkzeug.test import Client
from werkzeug.wrappers import Response
from werkzeug.test import Client, EnvironBuilder
from werkzeug.wrappers import Response, Request
from werkzeug.exceptions import Forbidden
from isso import Isso, config, dist
from isso.utils import http
from isso.views.api import xhr
class FakeIP(object):
@ -160,20 +162,23 @@ class TestComments(unittest.TestCase):
def testCSRF(self):
js = "application/json"
form = "application/x-www-form-urlencoded"
csrf = xhr(lambda *x, **z: True)
self.post('/new?uri=%2F', data=json.dumps({"text": "..."}))
def build(**kw):
environ = EnvironBuilder(**kw).get_environ()
return environ, Request(environ)
# no header is fine (default for XHR)
self.assertEqual(self.post('/id/1/dislike', content_type="").status_code, 200)
# x-www-form-urlencoded is definitely not RESTful
self.assertEqual(self.post('/id/1/dislike', content_type=form).status_code, 403)
self.assertEqual(self.post('/new?uri=%2F', data=json.dumps({"text": "..."}),
content_type=form).status_code, 403)
# just for the record
self.assertEqual(self.post('/id/1/dislike', content_type=js).status_code, 200)
env, req = build()
self.assertTrue(csrf(None, env, req))
# for the record
env, req = build(content_type="application/json")
self.assertTrue(csrf(None, env, req))
# # x-www-form-urlencoded is definitely not RESTful
env, req = build(content_type="application/x-www-form-urlencoded")
self.assertRaises(Forbidden, csrf, None, env, req)
def testCookieExpiration(self):
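Review bot: The rewritten `testCSRF` pins rejection for only one form-submittable content type, `application/x-www-form-urlencoded`; `multipart/form-data` and `text/plain` can also be sent by a plain cross-origin HTML form and are not asserted. Whether `xhr` rejects those two is not visible on this page, so I would add `for ct in ("multipart/form-data", "text/plain"):` followed by `env, req = build(content_type=ct)` and `self.assertRaises(Forbidden, csrf, None, env, req)`. The test also appears to call the decorator on a dummy lambda instead of posting to `/id/1/dislike` and `/new` (the page has lost its +/- markers, so this is inferred), which means it no longer shows that those views are actually wrapped by `xhr`. Keeping one route-level assertion that a form-encoded POST returns 403 would cover that gap.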
