Fix tests according to issue #224
parent
96adadce5e
commit
e0285607a0
2 changed files with 119 additions and 4 deletions
|
@ -36,8 +36,7 @@ class TestStats(TestCase):
|
||||||
client2 = Client()
|
client2 = Client()
|
||||||
client2.login(username="Barfoo", password="barfoo")
|
client2.login(username="Barfoo", password="barfoo")
|
||||||
|
|
||||||
# 1. FOO should be able to get these pages but BAR receives a Forbidden
|
# 1. FOO should be able to get these pages but BAR receives a 404
|
||||||
# response
|
|
||||||
user_urls = [
|
user_urls = [
|
||||||
"/k-fet/accounts/FOO/stat/operations/list",
|
"/k-fet/accounts/FOO/stat/operations/list",
|
||||||
"/k-fet/accounts/FOO/stat/operations?{}".format(
|
"/k-fet/accounts/FOO/stat/operations?{}".format(
|
||||||
|
@ -57,7 +56,7 @@ class TestStats(TestCase):
|
||||||
resp = client.get(url)
|
resp = client.get(url)
|
||||||
self.assertEqual(200, resp.status_code)
|
self.assertEqual(200, resp.status_code)
|
||||||
resp2 = client2.get(url)
|
resp2 = client2.get(url)
|
||||||
self.assertEqual(403, resp2.status_code)
|
self.assertEqual(404, resp2.status_code)
|
||||||
|
|
||||||
# 2. FOO is a member of the team and can get these pages but BAR
|
# 2. FOO is a member of the team and can get these pages but BAR
|
||||||
# receives a Redirect response
|
# receives a Redirect response
|
||||||
|
|
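Review bot: The changed assertion `self.assertEqual(404, resp2.status_code)` checks only the status code, so this test would still pass if the "not your account" and "no such account" responses differed in body, template or headers, which is presumably the trigram-existence leak that issue #224 (named in the commit title) is about. Consider also fetching the same URL for a trigram that does not exist with client2 and asserting the two responses are indistinguishable, e.g. `resp3 = client2.get(url.replace("FOO", "NEX"))`, `self.assertEqual(404, resp3.status_code)`, `self.assertEqual(resp2.content, resp3.content)` (NEX is the placeholder trigram the other file in this commit uses for that purpose). The test method this loop belongs to starts before the first hunk and continues after this one.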
|
@ -209,6 +209,25 @@ class AccountReadViewTests(ViewTestCaseMixin, TestCase):
|
||||||
auth_user = "team"
|
auth_user = "team"
|
||||||
auth_forbidden = [None, "user"]
|
auth_forbidden = [None, "user"]
|
||||||
|
|
||||||
|
# Forbidden users should get a 404 here, to avoid leaking trigrams
|
||||||
|
# See issue #224
|
||||||
|
def test_forbidden(self):
|
||||||
|
for user in self.auth_forbidden:
|
||||||
|
self.check_forbidden(user, self.url_expected)
|
||||||
|
self.check_forbidden(user, "/k-fet/accounts/NEX")
|
||||||
|
|
||||||
|
def check_forbidden(self, user, url):
|
||||||
|
client = Client()
|
||||||
|
if user is None:
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertRedirects(
|
||||||
|
response, "/login?next={}".format(url), fetch_redirect_response=False
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
client.login(username=user, password=user)
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
||||||
|
|
||||||
def get_users_extra(self):
|
def get_users_extra(self):
|
||||||
return {"user1": create_user("user1", "001")}
|
return {"user1": create_user("user1", "001")}
|
||||||
|
|
||||||
|
@ -296,6 +315,27 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase):
|
||||||
"team1": create_team("team1", "101", perms=["kfet.change_account"]),
|
"team1": create_team("team1", "101", perms=["kfet.change_account"]),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Forbidden users should get a 404 here, to avoid leaking trigrams
|
||||||
|
# See issue #224
|
||||||
|
def test_forbidden(self):
|
||||||
|
for method in ["get", "post"]:
|
||||||
|
for user in self.auth_forbidden:
|
||||||
|
self.check_forbidden(user, method, self.url_expected)
|
||||||
|
self.check_forbidden(user, method, "/k-fet/accounts/NEX/edit")
|
||||||
|
|
||||||
|
def check_forbidden(self, user, method, url):
|
||||||
|
client = Client()
|
||||||
|
meth = getattr(client, method)
|
||||||
|
if user is None:
|
||||||
|
response = meth(url)
|
||||||
|
self.assertRedirects(
|
||||||
|
response, "/login?next={}".format(url), fetch_redirect_response=False
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
client.login(username=user, password=user)
|
||||||
|
response = meth(url)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
||||||
|
|
||||||
def test_get_ok(self):
|
def test_get_ok(self):
|
||||||
r = self.client.get(self.url)
|
r = self.client.get(self.url)
|
||||||
self.assertEqual(r.status_code, 200)
|
self.assertEqual(r.status_code, 200)
|
||||||
|
@ -375,7 +415,7 @@ class AccountDeleteViewTests(ViewTestCaseMixin, TestCase):
|
||||||
if Account.objects.get(trigramme=trigramme).readable:
|
if Account.objects.get(trigramme=trigramme).readable:
|
||||||
expected_code = 200
|
expected_code = 200
|
||||||
else:
|
else:
|
||||||
expected_code = 403
|
expected_code = 404
|
||||||
r = self.client.post(
|
r = self.client.post(
|
||||||
reverse(self.url_name, kwargs={"trigramme": trigramme}), {}
|
reverse(self.url_name, kwargs={"trigramme": trigramme}), {}
|
||||||
)
|
)
|
||||||
|
@ -555,6 +595,25 @@ class AccountStatOperationListViewTests(ViewTestCaseMixin, TestCase):
|
||||||
def get_users_extra(self):
|
def get_users_extra(self):
|
||||||
return {"user1": create_user("user1", "001")}
|
return {"user1": create_user("user1", "001")}
|
||||||
|
|
||||||
|
# Forbidden users should get a 404 here, to avoid leaking trigrams
|
||||||
|
# See issue #224
|
||||||
|
def test_forbidden(self):
|
||||||
|
for user in self.auth_forbidden:
|
||||||
|
self.check_forbidden(user, self.url_expected)
|
||||||
|
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations/list")
|
||||||
|
|
||||||
|
def check_forbidden(self, user, url):
|
||||||
|
client = Client()
|
||||||
|
if user is None:
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertRedirects(
|
||||||
|
response, "/login?next={}".format(url), fetch_redirect_response=False
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
client.login(username=user, password=user)
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
||||||
|
|
||||||
def test_ok(self):
|
def test_ok(self):
|
||||||
r = self.client.get(self.url)
|
r = self.client.get(self.url)
|
||||||
self.assertEqual(r.status_code, 200)
|
self.assertEqual(r.status_code, 200)
|
||||||
|
@ -616,6 +675,25 @@ class AccountStatOperationViewTests(ViewTestCaseMixin, TestCase):
|
||||||
auth_user = "user1"
|
auth_user = "user1"
|
||||||
auth_forbidden = [None, "user", "team"]
|
auth_forbidden = [None, "user", "team"]
|
||||||
|
|
||||||
|
# Forbidden users should get a 404 here, to avoid leaking trigrams
|
||||||
|
# See issue #224
|
||||||
|
def test_forbidden(self):
|
||||||
|
for user in self.auth_forbidden:
|
||||||
|
self.check_forbidden(user, self.url_expected)
|
||||||
|
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations")
|
||||||
|
|
||||||
|
def check_forbidden(self, user, url):
|
||||||
|
client = Client()
|
||||||
|
if user is None:
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertRedirects(
|
||||||
|
response, "/login?next={}".format(url), fetch_redirect_response=False
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
client.login(username=user, password=user)
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
||||||
|
|
||||||
def get_users_extra(self):
|
def get_users_extra(self):
|
||||||
return {"user1": create_user("user1", "001")}
|
return {"user1": create_user("user1", "001")}
|
||||||
|
|
||||||
|
@ -632,6 +710,25 @@ class AccountStatBalanceListViewTests(ViewTestCaseMixin, TestCase):
|
||||||
auth_user = "user1"
|
auth_user = "user1"
|
||||||
auth_forbidden = [None, "user", "team"]
|
auth_forbidden = [None, "user", "team"]
|
||||||
|
|
||||||
|
# Forbidden users should get a 404 here, to avoid leaking trigrams
|
||||||
|
# See issue #224
|
||||||
|
def test_forbidden(self):
|
||||||
|
for user in self.auth_forbidden:
|
||||||
|
self.check_forbidden(user, self.url_expected)
|
||||||
|
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance/list")
|
||||||
|
|
||||||
|
def check_forbidden(self, user, url):
|
||||||
|
client = Client()
|
||||||
|
if user is None:
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertRedirects(
|
||||||
|
response, "/login?next={}".format(url), fetch_redirect_response=False
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
client.login(username=user, password=user)
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
||||||
|
|
||||||
def get_users_extra(self):
|
def get_users_extra(self):
|
||||||
return {"user1": create_user("user1", "001")}
|
return {"user1": create_user("user1", "001")}
|
||||||
|
|
||||||
|
@ -677,6 +774,25 @@ class AccountStatBalanceViewTests(ViewTestCaseMixin, TestCase):
|
||||||
auth_user = "user1"
|
auth_user = "user1"
|
||||||
auth_forbidden = [None, "user", "team"]
|
auth_forbidden = [None, "user", "team"]
|
||||||
|
|
||||||
|
# Forbidden users should get a 404 here, to avoid leaking trigrams
|
||||||
|
# See issue #224
|
||||||
|
def test_forbidden(self):
|
||||||
|
for user in self.auth_forbidden:
|
||||||
|
self.check_forbidden(user, self.url_expected)
|
||||||
|
self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance")
|
||||||
|
|
||||||
|
def check_forbidden(self, user, url):
|
||||||
|
client = Client()
|
||||||
|
if user is None:
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertRedirects(
|
||||||
|
response, "/login?next={}".format(url), fetch_redirect_response=False
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
client.login(username=user, password=user)
|
||||||
|
response = client.get(url)
|
||||||
|
self.assertEqual(response.status_code, 404)
|
||||||
|
|
||||||
def get_users_extra(self):
|
def get_users_extra(self):
|
||||||
return {"user1": create_user("user1", "001")}
|
return {"user1": create_user("user1", "001")}
|
||||||
|
|
||||||
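Review bot: Each new `check_forbidden` helper (in AccountReadViewTests, AccountUpdateViewTests, AccountStatOperationListViewTests, AccountStatOperationViewTests, AccountStatBalanceListViewTests and AccountStatBalanceViewTests) asserts only `self.assertEqual(response.status_code, 404)`, so a forbidden user could still tell an existing trigram apart from `NEX` through a differing body, template or headers, and the existence leak the added comment mentions would go undetected. A stronger check is to compare the two responses rather than testing them independently, e.g. have `test_forbidden` keep both responses and add `self.assertEqual(real_response.content, unknown_response.content)`, where the unknown response comes from the `/k-fet/accounts/NEX...` URL already passed in the second `check_forbidden` call. On style, the helper is copy-pasted six times with only the URL and, in the update view case, the HTTP method differing; one `check_forbidden(self, user, url, method="get")` on ViewTestCaseMixin (defined outside this diff) would remove the duplication and keep the anonymous-redirect and 404 expectations in a single place. A one-line docstring on each `test_forbidden` would also help, e.g. `"""Forbidden users must get the same 404 whether or not the trigram exists (issue #224)."""`.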
|
|