test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
django/tests/auth_tests/test_middleware.py

54 lines
2.2 KiB
Python
Raw Normal View History

Refs #27468 -- Made user sessions use SHA-256 algorithm.
2020-04-29 22:45:00 +08:00
from django.contrib.auth import HASH_SESSION_KEY
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-12-03 20:33:44 +08:00
from django.contrib.auth.middleware import AuthenticationMiddleware
Fixed #21649 -- Added optional invalidation of sessions when user password changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.
2014-04-01 08:16:09 +08:00
from django.contrib.auth.models import User
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-09-27 01:06:35 +08:00
from django.http import HttpRequest, HttpResponse
Fixed #21649 -- Added optional invalidation of sessions when user password changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.
2014-04-01 08:16:09 +08:00
from django.test import TestCase
Refs #23957 -- Required session verification per deprecation timeline.
2015-09-03 08:50:34 +08:00
class TestAuthenticationMiddleware(TestCase):
Refs #31395 -- Relied on setUpTestData() test data isolation in various tests.
2018-11-24 10:24:25 +08:00
@classmethod
def setUpTestData(cls):
cls.user = User.objects.create_user('test_user', 'test@example.com', 'test_password')
Fixed #21649 -- Added optional invalidation of sessions when user password changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.
2014-04-01 08:16:09 +08:00
def setUp(self):
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-09-27 01:06:35 +08:00
self.middleware = AuthenticationMiddleware(lambda req: HttpResponse())
Refs #23957 -- Required session verification per deprecation timeline.
2015-09-03 08:50:34 +08:00
self.client.force_login(self.user)
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-12-03 20:33:44 +08:00
self.request = HttpRequest()
self.request.session = self.client.session
Refs #23957 -- Required session verification per deprecation timeline.
2015-09-03 08:50:34 +08:00
def test_no_password_change_doesnt_invalidate_session(self):
self.request.session = self.client.session
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-09-27 01:06:35 +08:00
self.middleware(self.request)
Refs #27468 -- Made user sessions use SHA-256 algorithm.
2020-04-29 22:45:00 +08:00
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous)
def test_no_password_change_does_not_invalidate_legacy_session(self):
# RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
session = self.client.session
session[HASH_SESSION_KEY] = self.user._legacy_get_session_auth_hash()
session.save()
self.request.session = session
self.middleware(self.request)
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-12-03 20:33:44 +08:00
self.assertIsNotNone(self.request.user)
Fixed #25847 -- Made User.is_(anonymous|authenticated) properties.
2016-04-02 19:18:26 +08:00
self.assertFalse(self.request.user.is_anonymous)
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-12-03 20:33:44 +08:00
Refs #23957 -- Required session verification per deprecation timeline.
2015-09-03 08:50:34 +08:00
def test_changed_password_invalidates_session(self):
# After password change, user should be anonymous
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-12-03 20:33:44 +08:00
self.user.set_password('new_password')
self.user.save()
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-09-27 01:06:35 +08:00
self.middleware(self.request)
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-12-03 20:33:44 +08:00
self.assertIsNotNone(self.request.user)
Fixed #25847 -- Made User.is_(anonymous|authenticated) properties.
2016-04-02 19:18:26 +08:00
self.assertTrue(self.request.user.is_anonymous)
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-12-03 20:33:44 +08:00
# session should be flushed
self.assertIsNone(self.request.session.session_key)
Added tests for middlewares' checks.
2019-10-23 14:04:14 +08:00
def test_no_session(self):
msg = (
"The Django authentication middleware requires session middleware "
"to be installed. Edit your MIDDLEWARE setting to insert "
"'django.contrib.sessions.middleware.SessionMiddleware' before "
"'django.contrib.auth.middleware.AuthenticationMiddleware'."
)
with self.assertRaisesMessage(AssertionError, msg):
self.middleware(HttpRequest())