2010-08-27 21:55:11 +08:00
|
|
|
import os
|
2010-08-28 19:59:14 +08:00
|
|
|
from django.contrib.auth.models import User
|
2013-03-23 09:57:48 +08:00
|
|
|
from django.contrib.auth.tests.utils import skipIfCustomUser
|
2010-08-27 21:55:11 +08:00
|
|
|
from django.test import TestCase, Client
|
2013-12-23 23:01:13 +08:00
|
|
|
from django.test import override_settings
|
2010-08-27 21:55:11 +08:00
|
|
|
|
2012-04-01 00:03:09 +08:00
|
|
|
|
|
|
|
@override_settings(
|
|
|
|
LOGIN_URL='/accounts/login/',
|
|
|
|
MIDDLEWARE_CLASSES=(
|
|
|
|
'django.middleware.common.CommonMiddleware',
|
|
|
|
'django.contrib.sessions.middleware.SessionMiddleware',
|
|
|
|
'django.middleware.csrf.CsrfViewMiddleware',
|
|
|
|
'django.contrib.auth.middleware.AuthenticationMiddleware',
|
|
|
|
'django.contrib.messages.middleware.MessageMiddleware',
|
|
|
|
'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',
|
|
|
|
),
|
2012-11-29 00:48:04 +08:00
|
|
|
CSRF_FAILURE_VIEW='django.views.csrf.csrf_failure',
|
2012-04-01 00:03:09 +08:00
|
|
|
TEMPLATE_DIRS=(
|
|
|
|
os.path.join(os.path.dirname(__file__), 'templates'),
|
|
|
|
),
|
2012-05-11 05:09:29 +08:00
|
|
|
SITE_ID=1,
|
2012-04-01 00:03:09 +08:00
|
|
|
)
|
2010-08-27 21:55:11 +08:00
|
|
|
class FlatpageCSRFTests(TestCase):
|
2012-05-11 05:09:29 +08:00
|
|
|
fixtures = ['sample_flatpages', 'example_site']
|
2010-08-27 21:55:11 +08:00
|
|
|
urls = 'django.contrib.flatpages.tests.urls'
|
|
|
|
|
|
|
|
def setUp(self):
|
|
|
|
self.client = Client(enforce_csrf_checks=True)
|
|
|
|
|
|
|
|
def test_view_flatpage(self):
|
|
|
|
"A flatpage can be served through a view, even when the middleware is in use"
|
|
|
|
response = self.client.get('/flatpage_root/flatpage/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
2010-08-27 21:55:11 +08:00
|
|
|
self.assertContains(response, "<p>Isn't it flat!</p>")
|
|
|
|
|
|
|
|
def test_view_non_existent_flatpage(self):
|
|
|
|
"A non-existent flatpage raises 404 when served through a view, even when the middleware is in use"
|
|
|
|
response = self.client.get('/flatpage_root/no_such_flatpage/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 404)
|
2010-08-27 21:55:11 +08:00
|
|
|
|
2013-03-23 09:57:48 +08:00
|
|
|
@skipIfCustomUser
|
2010-08-27 21:55:11 +08:00
|
|
|
def test_view_authenticated_flatpage(self):
|
|
|
|
"A flatpage served through a view can require authentication"
|
|
|
|
response = self.client.get('/flatpage_root/sekrit/')
|
|
|
|
self.assertRedirects(response, '/accounts/login/?next=/flatpage_root/sekrit/')
|
2010-08-28 19:59:14 +08:00
|
|
|
User.objects.create_user('testuser', 'test@example.com', 's3krit')
|
2013-10-25 01:30:03 +08:00
|
|
|
self.client.login(username='testuser', password='s3krit')
|
2010-08-28 19:59:14 +08:00
|
|
|
response = self.client.get('/flatpage_root/sekrit/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
2010-08-28 19:59:14 +08:00
|
|
|
self.assertContains(response, "<p>Isn't it sekrit!</p>")
|
2010-08-27 21:55:11 +08:00
|
|
|
|
|
|
|
def test_fallback_flatpage(self):
|
2014-03-02 22:25:53 +08:00
|
|
|
"A flatpage can be served by the fallback middleware"
|
2010-08-27 21:55:11 +08:00
|
|
|
response = self.client.get('/flatpage/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 200)
|
2010-08-27 21:55:11 +08:00
|
|
|
self.assertContains(response, "<p>Isn't it flat!</p>")
|
|
|
|
|
|
|
|
def test_fallback_non_existent_flatpage(self):
|
2014-03-02 22:25:53 +08:00
|
|
|
"A non-existent flatpage raises a 404 when served by the fallback middleware"
|
2010-08-27 21:55:11 +08:00
|
|
|
response = self.client.get('/no_such_flatpage/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 404)
|
2010-08-27 21:55:11 +08:00
|
|
|
|
|
|
|
def test_post_view_flatpage(self):
|
|
|
|
"POSTing to a flatpage served through a view will raise a CSRF error if no token is provided (Refs #14156)"
|
|
|
|
response = self.client.post('/flatpage_root/flatpage/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 403)
|
2010-08-27 21:55:11 +08:00
|
|
|
|
|
|
|
def test_post_fallback_flatpage(self):
|
|
|
|
"POSTing to a flatpage served by the middleware will raise a CSRF error if no token is provided (Refs #14156)"
|
|
|
|
response = self.client.post('/flatpage/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 403)
|
2010-08-27 21:55:11 +08:00
|
|
|
|
|
|
|
def test_post_unknown_page(self):
|
|
|
|
"POSTing to an unknown page isn't caught as a 403 CSRF error"
|
|
|
|
response = self.client.post('/no_such_page/')
|
2011-03-03 23:04:39 +08:00
|
|
|
self.assertEqual(response.status_code, 404)
|