Ejemplo n.º 1
    def test_login_next_parameter(self):
        '''A same-site ?next= path is kept by the form and used for the redirect.

        The GET must echo the path into the hidden ``next`` input, and a
        login POST carrying the same value must answer 302 with that path
        appended to the test host.
        '''
        login_url = reverse('users.login')
        target = '/kb/new'

        # GET: the requested path should be rendered into the hidden field.
        page = self.client.get(urlparams(login_url, next=target))
        eq_(200, page.status_code)
        hidden_input = pq(page.content)('input[name="next"]')[0]
        eq_(target, hidden_input.attrib['value'])

        # POST: the same path should become the redirect destination.
        form_data = {
            'username': '******',
            'password': '******',
            'next': target,
        }
        result = self.client.post(login_url, form_data)
        eq_(302, result.status_code)
        eq_('http://testserver' + target, result['location'])
Ejemplo n.º 2
    def test_login_invalid_next_parameter(self, get_current):
        '''An off-site ?next= URL is replaced by settings.LOGIN_REDIRECT_URL.

        Regression guard against an open redirect through the login view:
        the foreign URL must reach neither the hidden ``next`` input nor the
        Location header of the post-login redirect.

        ``get_current`` is a mock whose ``return_value.domain`` is set below;
        presumably it is injected by a patch decorator that is not visible
        in this excerpt and stands in for the current-site lookup -- confirm.

        Only an absolute ``http://`` URL on another host is exercised here.
        '''
        get_current.return_value.domain = 'testserver.com'
        login_url = reverse('users.login')
        offsite = 'http://foobar.com/evil/'
        fallback = settings.LOGIN_REDIRECT_URL

        # GET: the hidden field must hold the fallback, not the off-site URL.
        page = self.client.get(urlparams(login_url, next=offsite))
        eq_(200, page.status_code)
        hidden_input = pq(page.content)('input[name="next"]')[0]
        eq_(fallback, hidden_input.attrib['value'])

        # POST: even when the off-site URL is submitted directly in the form
        # data, the redirect must still point at the fallback.
        form_data = {
            'username': '******',
            'password': '******',
            'next': offsite,
        }
        result = self.client.post(login_url, form_data)
        eq_(302, result.status_code)
        eq_('http://testserver' + fallback, result['location'])