More tests for the other half of CsrfMiddleware
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9552 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant
parent
f7242bb778
commit
01ec6d0085
|
|
@ -1,7 +1,7 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
from django.http import HttpRequest, HttpResponse
|
from django.http import HttpRequest, HttpResponse, HttpResponseForbidden
|
||||||
from django.contrib.csrf.middleware import CsrfMiddleware, _make_token
|
from django.contrib.csrf.middleware import CsrfMiddleware, _make_token
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
|
|
||||||
|
|
@ -9,14 +9,29 @@ class CsrfMiddlewareTest(TestCase):
|
||||||
|
|
||||||
_session_id = "1"
|
_session_id = "1"
|
||||||
|
|
||||||
def _get_no_session_request(self):
|
def _get_GET_no_session_request(self):
|
||||||
return HttpRequest()
|
return HttpRequest()
|
||||||
|
|
||||||
def _get_session_request(self):
|
def _get_GET_session_request(self):
|
||||||
req = self._get_no_session_request()
|
req = self._get_GET_no_session_request()
|
||||||
req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id
|
req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id
|
||||||
return req
|
return req
|
||||||
|
|
||||||
|
def _get_POST_session_request(self):
|
||||||
|
req = self._get_GET_session_request()
|
||||||
|
req.method = "POST"
|
||||||
|
return req
|
||||||
|
|
||||||
|
def _get_POST_no_session_request(self):
|
||||||
|
req = self._get_GET_no_session_request()
|
||||||
|
req.method = "POST"
|
||||||
|
return req
|
||||||
|
|
||||||
|
def _get_POST_session_request_with_token(self):
|
||||||
|
req = self._get_POST_session_request()
|
||||||
|
req.POST['csrfmiddlewaretoken'] = _make_token(self._session_id)
|
||||||
|
return req
|
||||||
|
|
||||||
def _get_post_form_response(self):
|
def _get_post_form_response(self):
|
||||||
resp = HttpResponse(content="""
|
resp = HttpResponse(content="""
|
||||||
<html><body><form method="POST"><input type="text" /></form></body></html>
|
<html><body><form method="POST"><input type="text" /></form></body></html>
|
||||||
|
|
@ -31,11 +46,12 @@ class CsrfMiddlewareTest(TestCase):
|
||||||
def _check_token_present(self, response):
|
def _check_token_present(self, response):
|
||||||
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id))
|
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id))
|
||||||
|
|
||||||
|
# Check the post processing
|
||||||
def test_process_response_no_session(self):
|
def test_process_response_no_session(self):
|
||||||
"""
|
"""
|
||||||
Check the the post-processor does nothing if no session active
|
Check the the post-processor does nothing if no session active
|
||||||
"""
|
"""
|
||||||
req = self._get_no_session_request()
|
req = self._get_GET_no_session_request()
|
||||||
resp = self._get_post_form_response()
|
resp = self._get_post_form_response()
|
||||||
resp_content = resp.content
|
resp_content = resp.content
|
||||||
resp2 = CsrfMiddleware().process_response(req, resp)
|
resp2 = CsrfMiddleware().process_response(req, resp)
|
||||||
|
|
@ -45,7 +61,7 @@ class CsrfMiddlewareTest(TestCase):
|
||||||
"""
|
"""
|
||||||
Check that the token is inserted if there is an existing session
|
Check that the token is inserted if there is an existing session
|
||||||
"""
|
"""
|
||||||
req = self._get_session_request()
|
req = self._get_GET_session_request()
|
||||||
resp = self._get_post_form_response()
|
resp = self._get_post_form_response()
|
||||||
resp_content = resp.content
|
resp_content = resp.content
|
||||||
resp2 = CsrfMiddleware().process_response(req, resp)
|
resp2 = CsrfMiddleware().process_response(req, resp)
|
||||||
|
|
@ -56,9 +72,35 @@ class CsrfMiddlewareTest(TestCase):
|
||||||
"""
|
"""
|
||||||
Check that the token is inserted if there is a new session being started
|
Check that the token is inserted if there is a new session being started
|
||||||
"""
|
"""
|
||||||
req = self._get_no_session_request() # no session in request
|
req = self._get_GET_no_session_request() # no session in request
|
||||||
resp = self._get_new_session_response() # but new session started
|
resp = self._get_new_session_response() # but new session started
|
||||||
resp_content = resp.content
|
resp_content = resp.content
|
||||||
resp2 = CsrfMiddleware().process_response(req, resp)
|
resp2 = CsrfMiddleware().process_response(req, resp)
|
||||||
self.assertNotEqual(resp_content, resp2.content)
|
self.assertNotEqual(resp_content, resp2.content)
|
||||||
self._check_token_present(resp2)
|
self._check_token_present(resp2)
|
||||||
|
|
||||||
|
# Check the request processing
|
||||||
|
def test_process_request_no_session(self):
|
||||||
|
"""
|
||||||
|
Check that if no session is present, the middleware does nothing.
|
||||||
|
to the incoming request.
|
||||||
|
"""
|
||||||
|
req = self._get_POST_no_session_request()
|
||||||
|
req2 = CsrfMiddleware().process_request(req)
|
||||||
|
self.assertEquals(None, req2)
|
||||||
|
|
||||||
|
def test_process_request_session_no_token(self):
|
||||||
|
"""
|
||||||
|
Check that if a session is present but no token, we get a 'forbidden'
|
||||||
|
"""
|
||||||
|
req = self._get_POST_session_request()
|
||||||
|
req2 = CsrfMiddleware().process_request(req)
|
||||||
|
self.assertEquals(HttpResponseForbidden, req2.__class__)
|
||||||
|
|
||||||
|
def test_process_request_session_and_token(self):
|
||||||
|
"""
|
||||||
|
Check that if a session is present and a token, the middleware lets it through
|
||||||
|
"""
|
||||||
|
req = self._get_POST_session_request_with_token()
|
||||||
|
req2 = CsrfMiddleware().process_request(req)
|
||||||
|
self.assertEquals(None, req2)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue