def grant_elevated_privileges(self, request, redirect_to):
    """Elevate the current session and redirect the user onward.

    Args:
        request: the incoming HttpRequest; its session is consulted for a
            stored post-elevation destination under REDIRECT_TO_FIELD_NAME.
        redirect_to: fallback destination used when the session holds none.

    Returns:
        HttpResponseRedirect to the chosen destination. A destination that
        does not pass is_safe_url() for this request's host is discarded in
        favour of resolve_url(REDIRECT_URL), so the session value cannot be
        used as an open redirect.
    """
    # Module-level helper of the same name (no ``self.``), not this method.
    grant_elevated_privileges(request)
    # The destination was stashed in the session earlier; pop it so it is
    # consumed exactly once.
    destination = request.session.pop(REDIRECT_TO_FIELD_NAME, redirect_to)
    # NOTE(review): is_safe_url() was deprecated in Django 3.0 in favour of
    # url_has_allowed_host_and_scheme(); whether a require_https argument is
    # also wanted here depends on the Django version in use — confirm.
    if is_safe_url(url=destination, host=request.get_host()):
        return HttpResponseRedirect(destination)
    return HttpResponseRedirect(resolve_url(REDIRECT_URL))
def test_process_response_elevate_revoked_without_cookie(self):
    """Revoking before a cookie was ever issued must not emit any Set-Cookie."""
    self.login()
    self.middleware.process_request(self.request)
    grant_elevated_privileges(self.request)
    revoke_elevated_privileges(self.request)
    response = self.middleware.process_response(self.request, HttpResponse())
    # The request carried no elevate cookie, so there is nothing to delete
    # and nothing new to set.
    self.assertFalse(response.cookies)
def test_process_response_sets_secure_cookie(self):
    """On an HTTPS request the issued elevate cookie carries the Secure flag."""
    self.login()
    # Pretend the request arrived over TLS so the middleware should mark the
    # cookie Secure.
    self.request.is_secure = lambda: True
    self.middleware.process_request(self.request)
    grant_elevated_privileges(self.request)
    response = self.middleware.process_response(self.request, HttpResponse())
    # Exactly one cookie, and it is ours.
    self.assertEqual(list(response.cookies), [COOKIE_NAME])
    elevate = response.cookies[COOKIE_NAME]
    self.assertTrue(self.request.is_secure())
    self.assertTrue(elevate['secure'])
def test_process_response_elevate_revoked_removes_cookie(self):
    """Revoking while the browser holds the cookie must expire that cookie."""
    self.login()
    self.middleware.process_request(self.request)
    grant_elevated_privileges(self.request)
    # Simulate a client that already presents the elevate cookie.
    self.request.COOKIES[COOKIE_NAME] = self.request._elevate_token
    revoke_elevated_privileges(self.request)
    response = self.middleware.process_response(self.request, HttpResponse())
    self.assertEqual(list(response.cookies), [COOKIE_NAME])
    elevate = response.cookies[COOKIE_NAME]
    # A cookie is "deleted" by re-sending it with an empty value and a
    # max-age of 0 so the browser discards it.
    self.assertEqual(elevate.key, COOKIE_NAME)
    self.assertFalse(elevate.value)
    self.assertEqual(elevate['max-age'], 0)
def test_process_response_with_elevate_sets_cookie(self):
    """A freshly granted elevation is written out as a signed, HttpOnly cookie."""
    self.login()
    self.middleware.process_request(self.request)
    grant_elevated_privileges(self.request)
    response = self.middleware.process_response(self.request, HttpResponse())
    self.assertEqual(list(response.cookies), [COOKIE_NAME])
    elevate = response.cookies[COOKIE_NAME]
    self.assertEqual(elevate.key, COOKIE_NAME)
    # Value is the signed form of the token kept on the request, with the
    # same lifetime the request recorded.
    self.assertSignedCookieEqual(elevate.value, self.request._elevate_token)
    self.assertEqual(elevate['max-age'], self.request._elevate_max_age)
    # The token must never be reachable from script.
    self.assertTrue(elevate['httponly'])
    # Both halves are asserted explicitly: a non-Secure cookie is only
    # acceptable here because the request itself was plain HTTP.
    self.assertFalse(self.request.is_secure())
    self.assertFalse(elevate['secure'])
def grant(sender, request, **kwargs):
    """Signal receiver that elevates the session as a side effect of login.

    Args:
        sender: the signal sender; unused here but part of the receiver
            contract.
        request: the HttpRequest the signal was sent with; passed straight
            to grant_elevated_privileges().
        **kwargs: remaining signal arguments, ignored.

    Returns:
        None. The token produced by grant_elevated_privileges() is
        deliberately not returned to the signal dispatcher.
    """
    grant_elevated_privileges(request)
def test_revoked(self):
    """Grant followed by revoke leaves the request without elevation."""
    self.login()
    grant_elevated_privileges(self.request)
    revoke_elevated_privileges(self.request)
    self.assertFalse(has_elevated_privileges(self.request))
def test_granted(self):
    """A logged-in request reports elevation right after it is granted."""
    self.login()
    grant_elevated_privileges(self.request)
    self.assertTrue(has_elevated_privileges(self.request))
def test_revoke_elevated_privileges(self):
    """Revocation clears the elevation state the grant placed on the request."""
    self.login()
    grant_elevated_privileges(self.request)
    revoke_elevated_privileges(self.request)
    self.assertRequestNotElevated(self.request)
def test_without_user(self):
    """A request with no ``user`` attribute at all yields no token."""
    # Remove the attribute entirely rather than setting it to None or an
    # anonymous user.
    del self.request.user
    token = grant_elevated_privileges(self.request)
    self.assertIsNone(token)
def test_grant_token_explicit_max_age(self):
    """An explicit max-age argument is what ends up recorded on the request."""
    self.login()
    max_age = 60
    token = grant_elevated_privileges(self.request, max_age)
    self.assertIsNotNone(token)
    self.assertRequestHasToken(self.request, max_age)
def test_grant_token_default_max_age(self):
    """Omitting max-age falls back to COOKIE_AGE."""
    self.login()
    token = grant_elevated_privileges(self.request)
    self.assertIsNotNone(token)
    self.assertRequestHasToken(self.request, COOKIE_AGE)
def test_grant_token_not_logged_in(self):
    """Granting elevation to an unauthenticated request raises ValueError."""
    # No self.login() here on purpose: the request has no authenticated user.
    self.assertRaises(ValueError, grant_elevated_privileges, self.request)
def test_user_logged_out(self):
    """The user_logged_out signal drops elevation that was in place."""
    self.login()
    grant_elevated_privileges(self.request)
    self.assertTrue(has_elevated_privileges(self.request))
    # Fire the logout signal directly instead of going through logout(); the
    # receiver wired to it is expected to revoke the elevation.
    user_logged_out.send_robust(sender=User, request=self.request)
    self.assertFalse(has_elevated_privileges(self.request))