Fix tests according to issue #224

2019-10-05 02:25:05 +02:00 · 2019-10-05 02:25:05 +02:00 · e0285607a0
commit e0285607a0
parent 96adadce5e
2 changed files with 119 additions and 4 deletions
--- a/kfet/tests/test_statistic.py
+++ b/kfet/tests/test_statistic.py
@ -36,8 +36,7 @@ class TestStats(TestCase):
        client2 = Client()
        client2.login(username="Barfoo", password="barfoo")

-        # 1. FOO should be able to get these pages but BAR receives a Forbidden
-        # response
+        # 1. FOO should be able to get these pages but BAR receives a 404
        user_urls = [
            "/k-fet/accounts/FOO/stat/operations/list",
            "/k-fet/accounts/FOO/stat/operations?{}".format(
@ -57,7 +56,7 @@ class TestStats(TestCase):
            resp = client.get(url)
            self.assertEqual(200, resp.status_code)
            resp2 = client2.get(url)
-            self.assertEqual(403, resp2.status_code)
+            self.assertEqual(404, resp2.status_code)

        # 2. FOO is a member of the team and can get these pages but BAR
        # receives a Redirect response
--- a/kfet/tests/test_views.py
+++ b/kfet/tests/test_views.py
@ -209,6 +209,25 @@ class AccountReadViewTests(ViewTestCaseMixin, TestCase):
    auth_user = "team"
    auth_forbidden = [None, "user"]

+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
    def get_users_extra(self):
        return {"user1": create_user("user1", "001")}

@ -296,6 +315,27 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase):
            "team1": create_team("team1", "101", perms=["kfet.change_account"]),
        }

+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for method in ["get", "post"]:
+            for user in self.auth_forbidden:
+                self.check_forbidden(user, method, self.url_expected)
+                self.check_forbidden(user, method, "/k-fet/accounts/NEX/edit")
+
+    def check_forbidden(self, user, method, url):
+        client = Client()
+        meth = getattr(client, method)
+        if user is None:
+            response = meth(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = meth(url)
+            self.assertEqual(response.status_code, 404)
+
    def test_get_ok(self):
        r = self.client.get(self.url)
        self.assertEqual(r.status_code, 200)
@ -375,7 +415,7 @@ class AccountDeleteViewTests(ViewTestCaseMixin, TestCase):
            if Account.objects.get(trigramme=trigramme).readable:
                expected_code = 200
            else:
-                expected_code = 403
+                expected_code = 404
            r = self.client.post(
                reverse(self.url_name, kwargs={"trigramme": trigramme}), {}
            )
@ -555,6 +595,25 @@ class AccountStatOperationListViewTests(ViewTestCaseMixin, TestCase):
    def get_users_extra(self):
        return {"user1": create_user("user1", "001")}

+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations/list")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
    def test_ok(self):
        r = self.client.get(self.url)
        self.assertEqual(r.status_code, 200)
@ -616,6 +675,25 @@ class AccountStatOperationViewTests(ViewTestCaseMixin, TestCase):
    auth_user = "user1"
    auth_forbidden = [None, "user", "team"]

+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
    def get_users_extra(self):
        return {"user1": create_user("user1", "001")}

@ -632,6 +710,25 @@ class AccountStatBalanceListViewTests(ViewTestCaseMixin, TestCase):
    auth_user = "user1"
    auth_forbidden = [None, "user", "team"]

+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance/list")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
    def get_users_extra(self):
        return {"user1": create_user("user1", "001")}

@ -677,6 +774,25 @@ class AccountStatBalanceViewTests(ViewTestCaseMixin, TestCase):
    auth_user = "user1"
    auth_forbidden = [None, "user", "team"]

+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
    def get_users_extra(self):
        return {"user1": create_user("user1", "001")}