2008-08-24 02:20:49 +08:00
|
|
|
import os
|
2008-08-01 04:47:53 +08:00
|
|
|
import re
|
2010-03-02 03:58:53 +08:00
|
|
|
import urllib
|
2008-08-24 02:20:49 +08:00
|
|
|
|
|
|
|
from django.conf import settings
|
2010-03-02 03:58:53 +08:00
|
|
|
from django.contrib.auth import SESSION_KEY, REDIRECT_FIELD_NAME
|
2009-04-02 00:37:48 +08:00
|
|
|
from django.contrib.auth.forms import AuthenticationForm
|
2011-02-05 11:49:03 +08:00
|
|
|
from django.contrib.sites.models import Site, RequestSite
|
2008-08-01 04:47:53 +08:00
|
|
|
from django.contrib.auth.models import User
|
|
|
|
from django.test import TestCase
|
|
|
|
from django.core import mail
|
2009-04-02 00:37:48 +08:00
|
|
|
from django.core.urlresolvers import reverse
|
2010-11-28 06:43:33 +08:00
|
|
|
from django.http import QueryDict
|
2008-08-01 04:47:53 +08:00
|
|
|
|
2009-04-10 23:50:51 +08:00
|
|
|
class AuthViewsTestCase(TestCase):
|
|
|
|
"""
|
|
|
|
Helper base class for all the follow test cases.
|
|
|
|
"""
|
2008-08-01 04:47:53 +08:00
|
|
|
fixtures = ['authtestdata.json']
|
2010-11-04 20:31:57 +08:00
|
|
|
urls = 'django.contrib.auth.tests.urls'
|
2008-08-24 02:20:49 +08:00
|
|
|
|
2009-04-10 23:50:51 +08:00
|
|
|
def setUp(self):
|
2009-04-19 11:41:33 +08:00
|
|
|
self.old_LANGUAGES = settings.LANGUAGES
|
|
|
|
self.old_LANGUAGE_CODE = settings.LANGUAGE_CODE
|
|
|
|
settings.LANGUAGES = (('en', 'English'),)
|
|
|
|
settings.LANGUAGE_CODE = 'en'
|
2009-04-10 23:50:51 +08:00
|
|
|
self.old_TEMPLATE_DIRS = settings.TEMPLATE_DIRS
|
|
|
|
settings.TEMPLATE_DIRS = (
|
2010-11-28 06:43:33 +08:00
|
|
|
os.path.join(os.path.dirname(__file__), 'templates'),
|
|
|
|
)
|
2009-04-10 23:50:51 +08:00
|
|
|
|
|
|
|
def tearDown(self):
|
2009-04-19 11:41:33 +08:00
|
|
|
settings.LANGUAGES = self.old_LANGUAGES
|
|
|
|
settings.LANGUAGE_CODE = self.old_LANGUAGE_CODE
|
2009-04-10 23:50:51 +08:00
|
|
|
settings.TEMPLATE_DIRS = self.old_TEMPLATE_DIRS
|
|
|
|
|
2010-09-11 03:38:57 +08:00
|
|
|
def login(self, password='password'):
|
|
|
|
response = self.client.post('/login/', {
|
|
|
|
'username': 'testclient',
|
|
|
|
'password': password
|
|
|
|
}
|
|
|
|
)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
|
|
|
self.assertTrue(response['Location'].endswith(settings.LOGIN_REDIRECT_URL))
|
|
|
|
self.assertTrue(SESSION_KEY in self.client.session)
|
2010-09-11 03:38:57 +08:00
|
|
|
|
2009-04-10 23:50:51 +08:00
|
|
|
class PasswordResetTest(AuthViewsTestCase):
|
|
|
|
|
2008-08-01 04:47:53 +08:00
|
|
|
def test_email_not_found(self):
|
|
|
|
"Error is raised if the provided email address isn't currently registered"
|
|
|
|
response = self.client.get('/password_reset/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
2008-08-01 04:47:53 +08:00
|
|
|
response = self.client.post('/password_reset/', {'email': 'not_a_real_email@email.com'})
|
2008-11-07 03:49:24 +08:00
|
|
|
self.assertContains(response, "That e-mail address doesn't have an associated user account")
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(len(mail.outbox), 0)
|
2008-08-24 02:20:49 +08:00
|
|
|
|
2008-08-01 04:47:53 +08:00
|
|
|
def test_email_found(self):
|
|
|
|
"Email is sent if a valid email address is provided for password reset"
|
|
|
|
response = self.client.post('/password_reset/', {'email': 'staffmember@example.com'})
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
|
|
|
self.assertEqual(len(mail.outbox), 1)
|
|
|
|
self.assertTrue("http://" in mail.outbox[0].body)
|
|
|
|
self.assertEqual(settings.DEFAULT_FROM_EMAIL, mail.outbox[0].from_email)
|
2010-09-13 06:38:01 +08:00
|
|
|
|
|
|
|
def test_email_found_custom_from(self):
|
|
|
|
"Email is sent if a valid email address is provided for password reset when a custom from_email is provided."
|
|
|
|
response = self.client.post('/password_reset_from_email/', {'email': 'staffmember@example.com'})
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
|
|
|
self.assertEqual(len(mail.outbox), 1)
|
|
|
|
self.assertEqual("staffmember@example.com", mail.outbox[0].from_email)
|
2008-08-01 04:47:53 +08:00
|
|
|
|
|
|
|
def _test_confirm_start(self):
|
|
|
|
# Start by creating the email
|
|
|
|
response = self.client.post('/password_reset/', {'email': 'staffmember@example.com'})
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
|
|
|
self.assertEqual(len(mail.outbox), 1)
|
2008-08-01 04:47:53 +08:00
|
|
|
return self._read_signup_email(mail.outbox[0])
|
|
|
|
|
|
|
|
def _read_signup_email(self, email):
|
|
|
|
urlmatch = re.search(r"https?://[^/]*(/.*reset/\S*)", email.body)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(urlmatch is not None, "No URL found in sent email")
|
2008-08-01 04:47:53 +08:00
|
|
|
return urlmatch.group(), urlmatch.groups()[0]
|
|
|
|
|
|
|
|
def test_confirm_valid(self):
|
|
|
|
url, path = self._test_confirm_start()
|
|
|
|
response = self.client.get(path)
|
|
|
|
# redirect to a 'complete' page:
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("Please enter your new password" in response.content)
|
2008-08-01 04:47:53 +08:00
|
|
|
|
|
|
|
def test_confirm_invalid(self):
|
|
|
|
url, path = self._test_confirm_start()
|
2009-04-01 00:07:07 +08:00
|
|
|
# Let's munge the token in the path, but keep the same length,
|
|
|
|
# in case the URLconf will reject a different length.
|
2008-08-01 04:47:53 +08:00
|
|
|
path = path[:-5] + ("0"*4) + path[-1]
|
|
|
|
|
|
|
|
response = self.client.get(path)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("The password reset link was invalid" in response.content)
|
2008-08-01 04:47:53 +08:00
|
|
|
|
2010-11-04 20:36:55 +08:00
|
|
|
def test_confirm_invalid_user(self):
|
|
|
|
# Ensure that we get a 200 response for a non-existant user, not a 404
|
|
|
|
response = self.client.get('/reset/123456-1-1/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("The password reset link was invalid" in response.content)
|
2010-11-04 20:36:55 +08:00
|
|
|
|
2011-01-24 16:02:40 +08:00
|
|
|
def test_confirm_overflow_user(self):
|
|
|
|
# Ensure that we get a 200 response for a base36 user id that overflows int
|
|
|
|
response = self.client.get('/reset/zzzzzzzzzzzzz-1-1/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("The password reset link was invalid" in response.content)
|
2011-01-24 16:02:40 +08:00
|
|
|
|
2008-08-01 04:47:53 +08:00
|
|
|
def test_confirm_invalid_post(self):
|
|
|
|
# Same as test_confirm_invalid, but trying
|
|
|
|
# to do a POST instead.
|
|
|
|
url, path = self._test_confirm_start()
|
|
|
|
path = path[:-5] + ("0"*4) + path[-1]
|
|
|
|
|
|
|
|
response = self.client.post(path, {'new_password1': 'anewpassword',
|
|
|
|
'new_password2':' anewpassword'})
|
2008-08-24 02:20:49 +08:00
|
|
|
# Check the password has not been changed
|
2008-08-01 04:47:53 +08:00
|
|
|
u = User.objects.get(email='staffmember@example.com')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(not u.check_password("anewpassword"))
|
2008-08-01 04:47:53 +08:00
|
|
|
|
|
|
|
def test_confirm_complete(self):
|
|
|
|
url, path = self._test_confirm_start()
|
|
|
|
response = self.client.post(path, {'new_password1': 'anewpassword',
|
|
|
|
'new_password2': 'anewpassword'})
|
|
|
|
# It redirects us to a 'complete' page:
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
2008-08-24 02:20:49 +08:00
|
|
|
# Check the password has been changed
|
2008-08-01 04:47:53 +08:00
|
|
|
u = User.objects.get(email='staffmember@example.com')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(u.check_password("anewpassword"))
|
2008-08-01 04:47:53 +08:00
|
|
|
|
|
|
|
# Check we can't use the link again
|
|
|
|
response = self.client.get(path)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("The password reset link was invalid" in response.content)
|
2008-08-01 04:47:53 +08:00
|
|
|
|
|
|
|
def test_confirm_different_passwords(self):
|
|
|
|
url, path = self._test_confirm_start()
|
|
|
|
response = self.client.post(path, {'new_password1': 'anewpassword',
|
|
|
|
'new_password2':' x'})
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("The two password fields didn't match" in response.content)
|
2008-08-01 04:47:53 +08:00
|
|
|
|
2009-04-10 23:50:51 +08:00
|
|
|
class ChangePasswordTest(AuthViewsTestCase):
|
2008-08-24 02:20:49 +08:00
|
|
|
|
|
|
|
def fail_login(self, password='password'):
|
|
|
|
response = self.client.post('/login/', {
|
|
|
|
'username': 'testclient',
|
|
|
|
'password': password
|
|
|
|
}
|
|
|
|
)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("Please enter a correct username and password. Note that both fields are case-sensitive." in response.content)
|
2008-08-24 02:20:49 +08:00
|
|
|
|
|
|
|
def logout(self):
|
|
|
|
response = self.client.get('/logout/')
|
|
|
|
|
|
|
|
def test_password_change_fails_with_invalid_old_password(self):
|
|
|
|
self.login()
|
|
|
|
response = self.client.post('/password_change/', {
|
|
|
|
'old_password': 'donuts',
|
|
|
|
'new_password1': 'password1',
|
|
|
|
'new_password2': 'password1',
|
|
|
|
}
|
|
|
|
)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("Your old password was entered incorrectly. Please enter it again." in response.content)
|
2008-08-24 02:20:49 +08:00
|
|
|
|
|
|
|
def test_password_change_fails_with_mismatched_passwords(self):
|
|
|
|
self.login()
|
|
|
|
response = self.client.post('/password_change/', {
|
|
|
|
'old_password': 'password',
|
|
|
|
'new_password1': 'password1',
|
|
|
|
'new_password2': 'donuts',
|
|
|
|
}
|
|
|
|
)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertTrue("The two password fields didn't match." in response.content)
|
2008-08-24 02:20:49 +08:00
|
|
|
|
|
|
|
def test_password_change_succeeds(self):
|
|
|
|
self.login()
|
|
|
|
response = self.client.post('/password_change/', {
|
|
|
|
'old_password': 'password',
|
|
|
|
'new_password1': 'password1',
|
|
|
|
'new_password2': 'password1',
|
|
|
|
}
|
|
|
|
)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
|
|
|
self.assertTrue(response['Location'].endswith('/password_change/done/'))
|
2008-08-24 02:20:49 +08:00
|
|
|
self.fail_login()
|
|
|
|
self.login(password='password1')
|
|
|
|
|
2009-04-10 23:50:51 +08:00
|
|
|
class LoginTest(AuthViewsTestCase):
|
2009-04-02 00:37:48 +08:00
|
|
|
|
|
|
|
def test_current_site_in_context_after_login(self):
|
|
|
|
response = self.client.get(reverse('django.contrib.auth.views.login'))
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
2011-02-05 11:49:03 +08:00
|
|
|
if Site._meta.installed:
|
|
|
|
site = Site.objects.get_current()
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.context['site'], site)
|
|
|
|
self.assertEqual(response.context['site_name'], site.name)
|
2011-02-05 11:49:03 +08:00
|
|
|
else:
|
|
|
|
self.assertIsInstance(response.context['site'], RequestSite)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(isinstance(response.context['form'], AuthenticationForm),
|
2009-04-02 00:37:48 +08:00
|
|
|
'Login form is not an AuthenticationForm')
|
2010-03-02 03:58:53 +08:00
|
|
|
|
|
|
|
def test_security_check(self, password='password'):
|
|
|
|
login_url = reverse('django.contrib.auth.views.login')
|
|
|
|
|
|
|
|
# Those URLs should not pass the security check
|
|
|
|
for bad_url in ('http://example.com',
|
|
|
|
'https://example.com',
|
|
|
|
'ftp://exampel.com',
|
|
|
|
'//example.com'):
|
|
|
|
|
|
|
|
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
|
|
|
|
'url': login_url,
|
|
|
|
'next': REDIRECT_FIELD_NAME,
|
|
|
|
'bad_url': urllib.quote(bad_url)
|
|
|
|
}
|
|
|
|
response = self.client.post(nasty_url, {
|
|
|
|
'username': 'testclient',
|
|
|
|
'password': password,
|
|
|
|
}
|
|
|
|
)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
2010-11-28 06:43:33 +08:00
|
|
|
self.assertFalse(bad_url in response['Location'],
|
|
|
|
"%s should be blocked" % bad_url)
|
|
|
|
|
|
|
|
# These URLs *should* still pass the security check
|
|
|
|
for good_url in ('/view/?param=http://example.com',
|
|
|
|
'/view/?param=https://example.com',
|
|
|
|
'/view?param=ftp://exampel.com',
|
|
|
|
'view/?param=//example.com',
|
|
|
|
'https:///',
|
2011-03-02 06:49:18 +08:00
|
|
|
'//testserver/',
|
|
|
|
'/url%20with%20spaces/', # see ticket #12534
|
|
|
|
):
|
2010-11-28 06:43:33 +08:00
|
|
|
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
|
2010-03-02 03:58:53 +08:00
|
|
|
'url': login_url,
|
|
|
|
'next': REDIRECT_FIELD_NAME,
|
2010-11-28 06:43:33 +08:00
|
|
|
'good_url': urllib.quote(good_url)
|
2010-03-02 03:58:53 +08:00
|
|
|
}
|
|
|
|
response = self.client.post(safe_url, {
|
|
|
|
'username': 'testclient',
|
|
|
|
'password': password,
|
|
|
|
}
|
|
|
|
)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
2010-11-28 06:43:33 +08:00
|
|
|
self.assertTrue(good_url in response['Location'],
|
|
|
|
"%s should be allowed" % good_url)
|
2010-03-02 03:58:53 +08:00
|
|
|
|
2011-03-02 06:49:18 +08:00
|
|
|
|
2010-11-28 06:43:33 +08:00
|
|
|
class LoginURLSettings(AuthViewsTestCase):
|
|
|
|
urls = 'django.contrib.auth.tests.urls'
|
2011-03-03 23:04:39 +08:00
|
|
|
|
2010-11-28 06:43:33 +08:00
|
|
|
def setUp(self):
|
|
|
|
super(LoginURLSettings, self).setUp()
|
|
|
|
self.old_LOGIN_URL = settings.LOGIN_URL
|
|
|
|
|
|
|
|
def tearDown(self):
|
|
|
|
super(LoginURLSettings, self).tearDown()
|
|
|
|
settings.LOGIN_URL = self.old_LOGIN_URL
|
|
|
|
|
|
|
|
def get_login_required_url(self, login_url):
|
|
|
|
settings.LOGIN_URL = login_url
|
|
|
|
response = self.client.get('/login_required/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
2010-11-28 06:43:33 +08:00
|
|
|
return response['Location']
|
|
|
|
|
|
|
|
def test_standard_login_url(self):
|
|
|
|
login_url = '/login/'
|
|
|
|
login_required_url = self.get_login_required_url(login_url)
|
|
|
|
querystring = QueryDict('', mutable=True)
|
|
|
|
querystring['next'] = '/login_required/'
|
|
|
|
self.assertEqual(login_required_url,
|
2010-12-02 06:25:17 +08:00
|
|
|
'http://testserver%s?%s' % (login_url, querystring.urlencode('/')))
|
2010-11-28 06:43:33 +08:00
|
|
|
|
|
|
|
def test_remote_login_url(self):
|
|
|
|
login_url = 'http://remote.example.com/login'
|
|
|
|
login_required_url = self.get_login_required_url(login_url)
|
|
|
|
querystring = QueryDict('', mutable=True)
|
|
|
|
querystring['next'] = 'http://testserver/login_required/'
|
|
|
|
self.assertEqual(login_required_url,
|
2010-12-02 06:25:17 +08:00
|
|
|
'%s?%s' % (login_url, querystring.urlencode('/')))
|
2010-11-28 06:43:33 +08:00
|
|
|
|
|
|
|
def test_https_login_url(self):
|
|
|
|
login_url = 'https:///login/'
|
|
|
|
login_required_url = self.get_login_required_url(login_url)
|
|
|
|
querystring = QueryDict('', mutable=True)
|
|
|
|
querystring['next'] = 'http://testserver/login_required/'
|
|
|
|
self.assertEqual(login_required_url,
|
2010-12-02 06:25:17 +08:00
|
|
|
'%s?%s' % (login_url, querystring.urlencode('/')))
|
2010-11-28 06:43:33 +08:00
|
|
|
|
|
|
|
def test_login_url_with_querystring(self):
|
|
|
|
login_url = '/login/?pretty=1'
|
|
|
|
login_required_url = self.get_login_required_url(login_url)
|
|
|
|
querystring = QueryDict('pretty=1', mutable=True)
|
|
|
|
querystring['next'] = '/login_required/'
|
|
|
|
self.assertEqual(login_required_url, 'http://testserver/login/?%s' %
|
2010-12-02 06:25:17 +08:00
|
|
|
querystring.urlencode('/'))
|
2010-11-28 06:43:33 +08:00
|
|
|
|
|
|
|
def test_remote_login_url_with_next_querystring(self):
|
|
|
|
login_url = 'http://remote.example.com/login/'
|
|
|
|
login_required_url = self.get_login_required_url('%s?next=/default/' %
|
|
|
|
login_url)
|
|
|
|
querystring = QueryDict('', mutable=True)
|
|
|
|
querystring['next'] = 'http://testserver/login_required/'
|
|
|
|
self.assertEqual(login_required_url, '%s?%s' % (login_url,
|
2010-12-02 06:25:17 +08:00
|
|
|
querystring.urlencode('/')))
|
|
|
|
|
|
|
|
|
2009-04-10 23:50:51 +08:00
|
|
|
class LogoutTest(AuthViewsTestCase):
|
2009-04-02 01:02:32 +08:00
|
|
|
urls = 'django.contrib.auth.tests.urls'
|
|
|
|
|
|
|
|
def confirm_logged_out(self):
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(SESSION_KEY not in self.client.session)
|
2009-04-02 01:02:32 +08:00
|
|
|
|
|
|
|
def test_logout_default(self):
|
|
|
|
"Logout without next_page option renders the default template"
|
|
|
|
self.login()
|
|
|
|
response = self.client.get('/logout/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(200, response.status_code)
|
|
|
|
self.assertTrue('Logged out' in response.content)
|
2009-04-02 01:02:32 +08:00
|
|
|
self.confirm_logged_out()
|
|
|
|
|
Fixed #14386, #8960, #10235, #10909, #10608, #13845, #14377 - standardize Site/RequestSite usage in various places.
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz, Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 22:20:47 +08:00
|
|
|
def test_14377(self):
|
|
|
|
# Bug 14377
|
|
|
|
self.login()
|
|
|
|
response = self.client.get('/logout/')
|
|
|
|
self.assertTrue('site' in response.context)
|
|
|
|
|
2011-03-02 20:47:44 +08:00
|
|
|
def test_logout_with_overridden_redirect_url(self):
|
|
|
|
# Bug 11223
|
|
|
|
self.login()
|
|
|
|
response = self.client.get('/logout/next_page/')
|
|
|
|
self.assertEqual(response.status_code, 302)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(response['Location'].endswith('/somewhere/'))
|
2011-03-02 20:47:44 +08:00
|
|
|
|
|
|
|
response = self.client.get('/logout/next_page/?next=/login/')
|
|
|
|
self.assertEqual(response.status_code, 302)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(response['Location'].endswith('/login/'))
|
2011-03-02 20:47:44 +08:00
|
|
|
|
|
|
|
self.confirm_logged_out()
|
|
|
|
|
2011-03-03 23:04:39 +08:00
|
|
|
def test_logout_with_next_page_specified(self):
|
2009-04-02 01:02:32 +08:00
|
|
|
"Logout with next_page option given redirects to specified resource"
|
|
|
|
self.login()
|
|
|
|
response = self.client.get('/logout/next_page/')
|
|
|
|
self.assertEqual(response.status_code, 302)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(response['Location'].endswith('/somewhere/'))
|
2009-04-02 01:02:32 +08:00
|
|
|
self.confirm_logged_out()
|
|
|
|
|
|
|
|
def test_logout_with_redirect_argument(self):
|
|
|
|
"Logout with query string redirects to specified resource"
|
|
|
|
self.login()
|
|
|
|
response = self.client.get('/logout/?next=/login/')
|
|
|
|
self.assertEqual(response.status_code, 302)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(response['Location'].endswith('/login/'))
|
2009-04-02 01:02:32 +08:00
|
|
|
self.confirm_logged_out()
|
|
|
|
|
|
|
|
def test_logout_with_custom_redirect_argument(self):
|
|
|
|
"Logout with custom query string redirects to specified resource"
|
|
|
|
self.login()
|
|
|
|
response = self.client.get('/logout/custom_query/?follow=/somewhere/')
|
|
|
|
self.assertEqual(response.status_code, 302)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertTrue(response['Location'].endswith('/somewhere/'))
|
2009-04-19 11:41:33 +08:00
|
|
|
self.confirm_logged_out()
|
2011-03-02 20:47:44 +08:00
|
|
|
|
|
|
|
def test_security_check(self, password='password'):
|
|
|
|
logout_url = reverse('django.contrib.auth.views.logout')
|
|
|
|
|
|
|
|
# Those URLs should not pass the security check
|
|
|
|
for bad_url in ('http://example.com',
|
|
|
|
'https://example.com',
|
|
|
|
'ftp://exampel.com',
|
|
|
|
'//example.com'
|
|
|
|
):
|
|
|
|
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
|
|
|
|
'url': logout_url,
|
|
|
|
'next': REDIRECT_FIELD_NAME,
|
|
|
|
'bad_url': urllib.quote(bad_url)
|
|
|
|
}
|
|
|
|
self.login()
|
|
|
|
response = self.client.get(nasty_url)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
2011-03-02 20:47:44 +08:00
|
|
|
self.assertFalse(bad_url in response['Location'],
|
|
|
|
"%s should be blocked" % bad_url)
|
|
|
|
self.confirm_logged_out()
|
|
|
|
|
|
|
|
# These URLs *should* still pass the security check
|
|
|
|
for good_url in ('/view/?param=http://example.com',
|
|
|
|
'/view/?param=https://example.com',
|
|
|
|
'/view?param=ftp://exampel.com',
|
|
|
|
'view/?param=//example.com',
|
|
|
|
'https:///',
|
|
|
|
'//testserver/',
|
|
|
|
'/url%20with%20spaces/', # see ticket #12534
|
|
|
|
):
|
|
|
|
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
|
|
|
|
'url': logout_url,
|
|
|
|
'next': REDIRECT_FIELD_NAME,
|
|
|
|
'good_url': urllib.quote(good_url)
|
|
|
|
}
|
|
|
|
self.login()
|
|
|
|
response = self.client.get(safe_url)
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 302)
|
2011-03-02 20:47:44 +08:00
|
|
|
self.assertTrue(good_url in response['Location'],
|
|
|
|
"%s should be allowed" % good_url)
|
|
|
|
self.confirm_logged_out()
|