Prevent CSRF bypass with login form

This commit is contained in:
Tom Hughes 2021-02-10 19:37:51 +00:00
parent a17bd24f82
commit 1f136a84a6
5 changed files with 33 additions and 5 deletions


@ -6,8 +6,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10_web_app
client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" }
get "/login"
follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect!
assert_response :success
@ -19,8 +20,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10_desktop_app
client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" }
get "/login"
follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect!
assert_response :success
@ -31,8 +33,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10a_web_app
client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" }
get "/login"
follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect!
assert_response :success
@ -44,8 +47,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10a_desktop_app
client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" }
get "/login"
follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect!
assert_response :success
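Review bot: None of the four hunks in this section asserts the negative case — a `post "/login"` issued without first fetching the form — so the bypass named in the commit title is not pinned down by a test here; if that regression test lives in one of the three changed files not shown in this chunk, fine, otherwise one test should post without the preceding `get "/login"` and assert that the login is refused rather than establishing a session. The added `get "/login"` / `follow_redirect!` pair in each of test_oauth10_web_app, test_oauth10_desktop_app, test_oauth10a_web_app and test_oauth10a_desktop_app presumably exists to obtain the session-bound authenticity token before the form POST (confirm against the controller change), and a one-line comment on the first `get "/login"`, such as `# fetch the form first so the session carries a CSRF token for the POST`, would stop a future cleanup from removing the apparently redundant request. The same four-line login sequence now repeats verbatim in every test (and again in the PageLocaleTest hunks below), which is worth extracting into a small helper in this file or the shared test helper so the CSRF-priming step is defined in one place. Each test method continues past the end of its hunk.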


@ -12,6 +12,8 @@ class PageLocaleTest < ActionDispatch::IntegrationTest
def test_defaulting
user = create(:user, :languages => [])
get "/login"
follow_redirect!
post "/login", :params => { :username => user.email, :password => "test" }
follow_redirect!
@ -33,6 +35,8 @@ class PageLocaleTest < ActionDispatch::IntegrationTest
get "/diary", :params => { :locale => "es" }
assert_select "html[lang=?]", "es"
get "/login"
follow_redirect!
post "/login", :params => { :username => user.email, :password => "test" }
follow_redirect!