Fix tests according to issue #224

Martin Pépin 2019-10-05 02:25:05 +02:00
parent 96adadce5e
commit e0285607a0
No known key found for this signature in database
GPG key ID: E7520278B1774448
2 changed files with 119 additions and 4 deletions


@ -36,8 +36,7 @@ class TestStats(TestCase):
client2 = Client() client2 = Client()
client2.login(username="Barfoo", password="barfoo") client2.login(username="Barfoo", password="barfoo")
# 1. FOO should be able to get these pages but BAR receives a Forbidden # 1. FOO should be able to get these pages but BAR receives a 404
# response
user_urls = [ user_urls = [
"/k-fet/accounts/FOO/stat/operations/list", "/k-fet/accounts/FOO/stat/operations/list",
"/k-fet/accounts/FOO/stat/operations?{}".format( "/k-fet/accounts/FOO/stat/operations?{}".format(
@ -57,7 +56,7 @@ class TestStats(TestCase):
resp = client.get(url) resp = client.get(url)
self.assertEqual(200, resp.status_code) self.assertEqual(200, resp.status_code)
resp2 = client2.get(url) resp2 = client2.get(url)
self.assertEqual(403, resp2.status_code) self.assertEqual(404, resp2.status_code)
# 2. FOO is a member of the team and can get these pages but BAR # 2. FOO is a member of the team and can get these pages but BAR
# receives a Redirect response # receives a Redirect response
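Review bot: The 404 assertion on `resp2` covers only an account that exists but is not Barfoo's; nothing in this test requests a trigram that does not exist, so a view returning 404 for foreign accounts but a different status for unknown ones would still pass while leaking which trigrams exist, which is the property issue #224 is about. Alongside the existing check, request the same URL for a nonexistent trigram and assert it is indistinguishable, e.g. `resp3 = client2.get(url.replace("/FOO/", "/NEX/"))` followed by `self.assertEqual(404, resp3.status_code)`; if the 404 handler renders a generic page rather than echoing the path (confirm), `self.assertEqual(resp2.content, resp3.content)` pins the body as well. The `user_urls` loop and the enclosing `TestStats` method start outside this hunk.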


@ -209,6 +209,25 @@ class AccountReadViewTests(ViewTestCaseMixin, TestCase):
auth_user = "team" auth_user = "team"
auth_forbidden = [None, "user"] auth_forbidden = [None, "user"]
# Forbidden users should get a 404 here, to avoid leaking trigrams
# See issue #224
def test_forbidden(self):
for user in self.auth_forbidden:
self.check_forbidden(user, self.url_expected)
self.check_forbidden(user, "/k-fet/accounts/NEX")
def check_forbidden(self, user, url):
client = Client()
if user is None:
response = client.get(url)
self.assertRedirects(
response, "/login?next={}".format(url), fetch_redirect_response=False
)
else:
client.login(username=user, password=user)
response = client.get(url)
self.assertEqual(response.status_code, 404)
def get_users_extra(self): def get_users_extra(self):
return {"user1": create_user("user1", "001")} return {"user1": create_user("user1", "001")}
@ -296,6 +315,27 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase):
"team1": create_team("team1", "101", perms=["kfet.change_account"]), "team1": create_team("team1", "101", perms=["kfet.change_account"]),
} }
# Forbidden users should get a 404 here, to avoid leaking trigrams
# See issue #224
def test_forbidden(self):
for method in ["get", "post"]:
for user in self.auth_forbidden:
self.check_forbidden(user, method, self.url_expected)
self.check_forbidden(user, method, "/k-fet/accounts/NEX/edit")
def check_forbidden(self, user, method, url):
client = Client()
meth = getattr(client, method)
if user is None:
response = meth(url)
self.assertRedirects(
response, "/login?next={}".format(url), fetch_redirect_response=False
)
else:
client.login(username=user, password=user)
response = meth(url)
self.assertEqual(response.status_code, 404)
def test_get_ok(self): def test_get_ok(self):
r = self.client.get(self.url) r = self.client.get(self.url)
self.assertEqual(r.status_code, 200) self.assertEqual(r.status_code, 200)
@ -375,7 +415,7 @@ class AccountDeleteViewTests(ViewTestCaseMixin, TestCase):
if Account.objects.get(trigramme=trigramme).readable: if Account.objects.get(trigramme=trigramme).readable:
expected_code = 200 expected_code = 200
else: else:
expected_code = 403 expected_code = 404
r = self.client.post( r = self.client.post(
reverse(self.url_name, kwargs={"trigramme": trigramme}), {} reverse(self.url_name, kwargs={"trigramme": trigramme}), {}
) )
@ -555,6 +595,25 @@ class AccountStatOperationListViewTests(ViewTestCaseMixin, TestCase):
def get_users_extra(self): def get_users_extra(self):
return {"user1": create_user("user1", "001")} return {"user1": create_user("user1", "001")}
# Forbidden users should get a 404 here, to avoid leaking trigrams
# See issue #224
def test_forbidden(self):
for user in self.auth_forbidden:
self.check_forbidden(user, self.url_expected)
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations/list")
def check_forbidden(self, user, url):
client = Client()
if user is None:
response = client.get(url)
self.assertRedirects(
response, "/login?next={}".format(url), fetch_redirect_response=False
)
else:
client.login(username=user, password=user)
response = client.get(url)
self.assertEqual(response.status_code, 404)
def test_ok(self): def test_ok(self):
r = self.client.get(self.url) r = self.client.get(self.url)
self.assertEqual(r.status_code, 200) self.assertEqual(r.status_code, 200)
@ -616,6 +675,25 @@ class AccountStatOperationViewTests(ViewTestCaseMixin, TestCase):
auth_user = "user1" auth_user = "user1"
auth_forbidden = [None, "user", "team"] auth_forbidden = [None, "user", "team"]
# Forbidden users should get a 404 here, to avoid leaking trigrams
# See issue #224
def test_forbidden(self):
for user in self.auth_forbidden:
self.check_forbidden(user, self.url_expected)
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations")
def check_forbidden(self, user, url):
client = Client()
if user is None:
response = client.get(url)
self.assertRedirects(
response, "/login?next={}".format(url), fetch_redirect_response=False
)
else:
client.login(username=user, password=user)
response = client.get(url)
self.assertEqual(response.status_code, 404)
def get_users_extra(self): def get_users_extra(self):
return {"user1": create_user("user1", "001")} return {"user1": create_user("user1", "001")}
@ -632,6 +710,25 @@ class AccountStatBalanceListViewTests(ViewTestCaseMixin, TestCase):
auth_user = "user1" auth_user = "user1"
auth_forbidden = [None, "user", "team"] auth_forbidden = [None, "user", "team"]
# Forbidden users should get a 404 here, to avoid leaking trigrams
# See issue #224
def test_forbidden(self):
for user in self.auth_forbidden:
self.check_forbidden(user, self.url_expected)
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance/list")
def check_forbidden(self, user, url):
client = Client()
if user is None:
response = client.get(url)
self.assertRedirects(
response, "/login?next={}".format(url), fetch_redirect_response=False
)
else:
client.login(username=user, password=user)
response = client.get(url)
self.assertEqual(response.status_code, 404)
def get_users_extra(self): def get_users_extra(self):
return {"user1": create_user("user1", "001")} return {"user1": create_user("user1", "001")}
@ -677,6 +774,25 @@ class AccountStatBalanceViewTests(ViewTestCaseMixin, TestCase):
auth_user = "user1" auth_user = "user1"
auth_forbidden = [None, "user", "team"] auth_forbidden = [None, "user", "team"]
# Forbidden users should get a 404 here, to avoid leaking trigrams
# See issue #224
def test_forbidden(self):
for user in self.auth_forbidden:
self.check_forbidden(user, self.url_expected)
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance")
def check_forbidden(self, user, url):
client = Client()
if user is None:
response = client.get(url)
self.assertRedirects(
response, "/login?next={}".format(url), fetch_redirect_response=False
)
else:
client.login(username=user, password=user)
response = client.get(url)
self.assertEqual(response.status_code, 404)
def get_users_extra(self): def get_users_extra(self):
return {"user1": create_user("user1", "001")} return {"user1": create_user("user1", "001")}
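Review bot: `check_forbidden` in `AccountReadViewTests` (and the identical copies in `AccountUpdateViewTests`, `AccountStatOperationListViewTests`, `AccountStatOperationViewTests`, `AccountStatBalanceListViewTests` and `AccountStatBalanceViewTests`) asserts only the status code, so an existing-but-forbidden trigram and the nonexistent `NEX` could still be told apart through the response body while the test passes. Have `test_forbidden` keep both responses and add `self.assertEqual(forbidden.content, missing.content)` for the logged-in branch (assuming the 404 handler renders a generic page rather than echoing the requested path — confirm), which pins the non-enumeration property issue #224 asks for. The six copies differ only in the hard-coded `NEX` URL and the `method` loop in the update view, so one helper on `ViewTestCaseMixin` driven by a per-class attribute holding the nonexistent-trigram URL would remove the duplication. If the mixin already defines a `test_forbidden` that expects 403, these definitions silently replace it; a one-line comment such as `# overrides the mixin's 403 check: this view must answer 404 (issue #224)` would make that explicit. The enclosing classes start outside the hunks.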