From 01ec6d00853481deeb712a4b0819e1a2c2ed985f Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Tue, 2 Dec 2008 23:00:06 +0000 Subject: [PATCH] More tests for the other half of CsrfMiddleware git-svn-id: http://code.djangoproject.com/svn/django/trunk@9552 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/csrf/tests.py | 56 +++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/django/contrib/csrf/tests.py b/django/contrib/csrf/tests.py index efc21db240..9152ee8d81 100644 --- a/django/contrib/csrf/tests.py +++ b/django/contrib/csrf/tests.py @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- from django.test import TestCase -from django.http import HttpRequest, HttpResponse +from django.http import HttpRequest, HttpResponse, HttpResponseForbidden from django.contrib.csrf.middleware import CsrfMiddleware, _make_token from django.conf import settings @@ -9,14 +9,29 @@ class CsrfMiddlewareTest(TestCase): _session_id = "1" - def _get_no_session_request(self): + def _get_GET_no_session_request(self): return HttpRequest() - def _get_session_request(self): - req = self._get_no_session_request() + def _get_GET_session_request(self): + req = self._get_GET_no_session_request() req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id return req + def _get_POST_session_request(self): + req = self._get_GET_session_request() + req.method = "POST" + return req + + def _get_POST_no_session_request(self): + req = self._get_GET_no_session_request() + req.method = "POST" + return req + + def _get_POST_session_request_with_token(self): + req = self._get_POST_session_request() + req.POST['csrfmiddlewaretoken'] = _make_token(self._session_id) + return req + def _get_post_form_response(self): resp = HttpResponse(content="""
@@ -31,11 +46,12 @@ class CsrfMiddlewareTest(TestCase): def _check_token_present(self, response): self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id)) + # Check the post processing def test_process_response_no_session(self): """ Check the the post-processor does nothing if no session active """ - req = self._get_no_session_request() + req = self._get_GET_no_session_request() resp = self._get_post_form_response() resp_content = resp.content resp2 = CsrfMiddleware().process_response(req, resp) @@ -45,7 +61,7 @@ class CsrfMiddlewareTest(TestCase): """ Check that the token is inserted if there is an existing session """ - req = self._get_session_request() + req = self._get_GET_session_request() resp = self._get_post_form_response() resp_content = resp.content resp2 = CsrfMiddleware().process_response(req, resp) @@ -56,9 +72,35 @@ class CsrfMiddlewareTest(TestCase): """ Check that the token is inserted if there is a new session being started """ - req = self._get_no_session_request() # no session in request + req = self._get_GET_no_session_request() # no session in request resp = self._get_new_session_response() # but new session started resp_content = resp.content resp2 = CsrfMiddleware().process_response(req, resp) self.assertNotEqual(resp_content, resp2.content) self._check_token_present(resp2) + + # Check the request processing + def test_process_request_no_session(self): + """ + Check that if no session is present, the middleware does nothing. + to the incoming request. + """ + req = self._get_POST_no_session_request() + req2 = CsrfMiddleware().process_request(req) + self.assertEquals(None, req2) + + def test_process_request_session_no_token(self): + """ + Check that if a session is present but no token, we get a 'forbidden' + """ + req = self._get_POST_session_request() + req2 = CsrfMiddleware().process_request(req) + self.assertEquals(HttpResponseForbidden, req2.__class__) + + def test_process_request_session_and_token(self): + """ + Check that if a session is present and a token, the middleware lets it through + """ + req = self._get_POST_session_request_with_token() + req2 = CsrfMiddleware().process_request(req) + self.assertEquals(None, req2)