imacat/mia-accounting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 41 Wiki Activity

Added CSRF to the test_next_uri test in the NextUriTestCase test case.

Browse Source
This commit is contained in:
依瑪貓 2023-02-27 15:35:35 +08:00
parent 685213cdbb
commit 6d43b14862
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
tests/test_utils.py
View File

@ -21,12 +21,12 @@ import unittest
from urllib.parse import quote_plus from urllib.parse import quote_plus
import httpx import httpx
from flask import Flask, request from flask import Flask, request, render_template_string
from accounting.utils.next_uri import append_next, inherit_next, or_next from accounting.utils.next_uri import append_next, inherit_next, or_next
from accounting.utils.pagination import Pagination, DEFAULT_PAGE_SIZE from accounting.utils.pagination import Pagination, DEFAULT_PAGE_SIZE
from accounting.utils.query import parse_query_keywords from accounting.utils.query import parse_query_keywords
from test_site import create_app, csrf from test_site import create_app
class NextUriTestCase(unittest.TestCase): class NextUriTestCase(unittest.TestCase):
@ -40,8 +40,12 @@ class NextUriTestCase(unittest.TestCase):
app: Flask = create_app(is_testing=True) app: Flask = create_app(is_testing=True)
target: str = "/target" target: str = "/target"
@app.get("/test-csrf")
def test_csrf() -> str:
"""The test view to return the CSRF token."""
return render_template_string("{{csrf_token()}}")
@app.route("/test-next", methods=["GET", "POST"]) @app.route("/test-next", methods=["GET", "POST"])
@csrf.exempt
def test_next_view() -> str: def test_next_view() -> str:
"""The test view with the next URI.""" """The test view with the next URI."""
current_uri: str = request.full_path if request.query_string \ current_uri: str = request.full_path if request.query_string \
@ -56,7 +60,6 @@ class NextUriTestCase(unittest.TestCase):
return "" return ""
@app.route("/test-no-next", methods=["GET", "POST"]) @app.route("/test-no-next", methods=["GET", "POST"])
@csrf.exempt
def test_no_next_view() -> str: def test_no_next_view() -> str:
"""The test view without the next URI.""" """The test view without the next URI."""
current_uri: str = request.full_path if request.query_string \ current_uri: str = request.full_path if request.query_string \
@ -70,19 +73,22 @@ class NextUriTestCase(unittest.TestCase):
client: httpx.Client = httpx.Client(app=app, client: httpx.Client = httpx.Client(app=app,
base_url="https://testserver") base_url="https://testserver")
client.headers["Referer"] = "https://testserver" client.headers["Referer"] = "https://testserver"
csrf_token: str = client.get("/test-csrf").text
response: httpx.Response response: httpx.Response
# With the next URI # With the next URI
response = client.get("/test-next?next=/next&q=abc&page-no=4") response = client.get("/test-next?next=/next&q=abc&page-no=4")
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
response = client.post("/test-next", data={"next": "/next", response = client.post("/test-next", data={"csrf_token": csrf_token,
"next": "/next",
"name": "viewer"}) "name": "viewer"})
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
# Without the next URI # Without the next URI
response = client.get("/test-no-next?q=abc&page-no=4") response = client.get("/test-no-next?q=abc&page-no=4")
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
response = client.post("/test-no-next", data={"name": "viewer"}) response = client.post("/test-no-next", data={"csrf_token": csrf_token,
"name": "viewer"})
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)