Exemple #1
0
def error_nonce(request, message=''):
  expected_now = util.create_nonce(None, message)
  expected_older = util.create_nonce(None, message, offset=-1)

  given = request.REQUEST.get('_error') 
  if given not in (expected_now, expected_older):
    raise exception.ValidationError('Could not validate nonce')
Exemple #2
0
    def test_bad_nonces(self):
        fake_user = "******"
        action = "some_action"

        future_nonce = util.create_nonce(fake_user, action, offset=10)

        def _future_nonce():
            validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": future_nonce}), action)

        self.assertRaises(exception.ValidationError, _future_nonce)

        def _madeup_nonce():
            validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": "TEST"}), action)

        self.assertRaises(exception.ValidationError, _madeup_nonce)

        notme_nonce = util.create_nonce(fake_user, action, offset=10)

        def _notme_nonce():
            validate.nonce(test_util.FakeRequest(user="******", post={"_nonce": notme_nonce}), action)

        self.assertRaises(exception.ValidationError, _notme_nonce)

        notany_nonce = util.create_nonce(fake_user, action, offset=10)

        def _notany_nonce():
            validate.nonce(test_util.FakeRequest(user=None, post={"_nonce": notany_nonce}), action)

        self.assertRaises(exception.ValidationError, _notany_nonce)
Exemple #3
0
def nonce(request, action=''):
  user = request.user

  expected_now = util.create_nonce(user, action)
  expected_older = util.create_nonce(user, action, offset=-1)

  # TODO(termie): we should probably only accept these in POST in the future
  given = request.REQUEST.get('_nonce') 
  if given not in (expected_now, expected_older):
    raise exception.ValidationError('Could not validate nonce')
Exemple #4
0
    def test_slightly_old_nonces(self):
        fake_user = "******"
        action = "some_action"

        nonce = util.create_nonce(fake_user, action, offset=-1)

        validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": nonce}), action)

        old_nonce = util.create_nonce(fake_user, action, offset=-2)

        def _old_nonce():
            validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": old_nonce}), action)

        self.assertRaises(exception.ValidationError, _old_nonce)
Exemple #5
0
  def test_settings_change_avatar(self):
    nick = 'obligated'
    self.login(nick)

    nick = clean.nick(nick)
    old_avatar = api.actor_get(api.ROOT, nick).extra.get('icon',
                                                         'avatar_default')

    # TODO(teemu): add more tests for different file types (gif and jpg).
    # Alternatively, test those against api.avatar_upload.
    r = self.client.post('/user/obligated/settings/photo',
                         {
                           'avatar': 'default/animal_9',
                           '_nonce' :
                              util.create_nonce('obligated', 'change_photo'),
                         })
    r = self.assertRedirectsPrefix(r, '/user/obligated/settings/photo')

    new_avatar = api.actor_get(api.ROOT, nick).extra.get('icon',
                                                         'avatar_default')
    self.assertNotEquals(old_avatar, new_avatar)

    self.assertContains(r, 'Avatar changed')
    self.assertTemplateUsed(r, 'settings_photo.html')
    self.assertTemplateUsed(r, 'flash.html')
Exemple #6
0
  def test_post_and_delete_comment_logged_in(self):
    self.login('popular')

    # Is there a better way to get the correct url?
    comment = 'This is the comment'
    r = self.client.post('/channel/popular/presence/13345',
                         {'stream': 'stream/#[email protected]/presence',
                          'entry': 'stream/#[email protected]/presence/13345',
                          'nick': '*****@*****.**',
                          'entry_add_comment' : '',
                          'content' : comment,
                          '_nonce' : 
                              util.create_nonce('popular', 'entry_add_comment'),
                          }
                         )

    self.exhaust_queue_any()
    
    r = self.assertRedirectsPrefix(r, '/channel/popular/presence/13345?flash')
    self.assertContains(r, comment)
    self.assertContains(r, 'Comment added')
    
    # Now delete what we just added
    r = self.assertGetLink(r, 'confirm-delete', link_no=1, of_count=2)
    r = self.assertRedirectsPrefix(r, '/channel/popular/presence/13345?flash')
    self.assertContains(r, 'Comment deleted')
Exemple #7
0
def flash(request):
  if 'flash' not in request.REQUEST:
    return {}
  
  flash = request.REQUEST['flash']
  nonce = util.create_nonce(None, flash)
  if nonce != request.REQUEST.get('_flash', ''):
    return {}
  return {'flash': flash}
Exemple #8
0
 def set_presence(self, user, location):
   params = {
     'nick': '*****@*****.**' % user,
     'presence_set': '',
     'location' : location,
     '_nonce': util.create_nonce('*****@*****.**' % user, 
                                 'presence_set')
   }
   return self.client.post('/user/popular', params)
Exemple #9
0
  def build_url(self, request):
    # TODO(termie) rearrange these in the future to prevent circular imports
    from jaikucommon import util
    redirect_url = self.build_redirect(request)
  
    nonce = util.create_nonce(request.user, self.message + redirect_url)

    return util.qsa(self.base_url, {'message': self.message, 
                                    '_nonce': nonce, 
                                    'redirect_to': redirect_url})
Exemple #10
0
    def test_good_nonces(self):
        fake_user = "******"
        action = "some_action"

        nonce = util.create_nonce(fake_user, action)
        params = {"_nonce": nonce}

        validate.nonce(test_util.FakeRequest(user=fake_user, post=params), action)

        validate.nonce(test_util.FakeRequest(user=fake_user, get=params), action)
Exemple #11
0
 def test_email_notfound(self):
   r = self.client.post('/login/forgot', 
                        {
                          '_nonce': util.create_nonce(None, 'login_forgot'),
                          'login_forgot' : '',
                          'nick_or_email' : '*****@*****.**',
                        })
     
   self.assertTemplateUsed(r, 'forgot.html')
   self.assertContains(r, 'does not match any accounts')
Exemple #12
0
 def test_nick_no_email(self):
   r = self.client.post('/login/forgot', 
                        {
                          '_nonce': util.create_nonce(None, 'login_forgot'),
                          'login_forgot' : '',
                          'nick_or_email' : 'annoying',
                        })
     
   self.assertTemplateUsed(r, 'forgot.html')
   self.assertContains(r, 'does not have an email')
Exemple #13
0
 def test_unknown_nick(self):
   r = self.client.post('/login/forgot', 
                        {
                          '_nonce': util.create_nonce(None, 'login_forgot'),
                          'login_forgot' : '',
                          'nick_or_email' : 'idontexist',
                        })
     
   self.assertTemplateUsed(r, 'forgot.html')
   self.assertContains(r, 'not found')
Exemple #14
0
 def test_confirm(self):
   nonce = util.create_nonce('popular', 'entry_remove')
   entry = 'stream/popular%40example.com/presence/12345'
   path = '/user/popular/overview'
   r = self.login_and_get('popular', path, {'entry_remove': entry,
                                            '_nonce': nonce})
   
   r = self.assertRedirectsPrefix(r, '/confirm')
   self.assertContains(r, nonce)
   self.assertContains(r, entry)
   self.assertContains(r, path)
Exemple #15
0
 def test_settings_delete(self):
   r = self.login_and_get(
       'popular', 
       '/user/popular/settings/delete',
       {
         '_nonce' : util.create_nonce('popular', 'actor_remove'),
         'actor_remove' : '',
         'nick' : 'popular',
       },
   )
   r = self.assertRedirectsPrefix(r, '/logout')
Exemple #16
0
  def test_email_notification(self):
    # new follower

    r = self.login('hermit')
    params = {'actor_add_contact': '',
              'owner': '*****@*****.**',
              'target': '*****@*****.**',
              '_nonce': util.create_nonce('*****@*****.**', 
                                          'actor_add_contact')
              }
    r = self.client.post('/user/popular', params)
    
    self.assertEqual(len(mail.outbox), 1, 'new follower')
    
    email = mail.outbox[0]
    # test that the link is valid
    url = test_util.get_relative_url(email.body)

    r = self.client.get(url)
    self.assertTemplateUsed(r, 'history.html')
    
    mail.outbox = []
    
    # new follower mutual
    r = self.login('popular')
    params = {'actor_add_contact': '',
              'owner': '*****@*****.**',
              'target': '*****@*****.**',
              '_nonce': util.create_nonce('*****@*****.**', 
                                          'actor_add_contact')
              }
    r = self.client.post('/user/unpopular', params)
    
    self.assertEqual(len(mail.outbox), 1, 'new follower mutual')
    
    email = mail.outbox[0]

    # test that the link is valid
    url = test_util.get_relative_url(email.body)
    r = self.client.get(url)
    self.assertTemplateUsed(r, 'history.html')
Exemple #17
0
 def test_settings_delete_channel(self):
   self.login('popular')
   r = self.client.post('/channel/popular/settings/delete',
                        {
                          'actor_remove' : '',
                          'nick' : '#[email protected]',
                          '_nonce' : 
                             util.create_nonce('popular', 'actor_remove'),
                        })
   r = self.assertRedirectsPrefix(r, '/channel')
   self.assertContains(r, 'Deleted')
   self.assertWellformed(r)
Exemple #18
0
 def test_leave_channel_not_member(self):
   self.login('annoying')
   r = self.client.post('/channel/popular',
                        {'nick': '*****@*****.**',
                         'channel_part': '',
                         'channel' : '#[email protected]',
                          '_nonce' : 
                              util.create_nonce('annoying', 'channel_part'),
                         }
                        )
   self.assertContains(r, 'not a member')
   self.assertWellformed(r)
Exemple #19
0
  def test_delete_channel_as_member(self):
    self.login('unpopular')

    r = self.client.post('/channel/popular/settings/delete',
                         {'nick': '#[email protected]',
                          'actor_remove': '',
                          '_nonce' : 
                              util.create_nonce('unpopular', 'actor_remove'),
                          }
                         )
    self.assertContains(r, 'not allowed')
    self.assertWellformed(r)
Exemple #20
0
 def test_join_channel_already_member(self):
   self.login('popular')  # pick a user that is a member
   r = self.client.post('/channel/popular',
                        {'nick': '*****@*****.**',
                         'channel_join': '',
                         'channel' : '#[email protected]',
                         '_nonce' : 
                             util.create_nonce('popular', 'channel_join'),
                         }
                        )    
   self.assertContains(r, 'already a member')
   self.assertWellformed(r)
Exemple #21
0
 def test_create_new_channel_short(self):
   self.login('popular')
   r = self.client.post('/channel/create',
                        {'nick': '*****@*****.**',
                         'channel': '2',
                         'channel_create': '',
                         '_nonce' : 
                             util.create_nonce('popular', 'channel_create'),
                         }
                        )
   self.assertContains(r, 'Invalid channel')
   self.assertWellformed(r)
Exemple #22
0
 def test_first_post_to_create_channel(self):
   self.login('popular')
   r = self.client.post('/channel/fastfingers',
                        {'channel': '#[email protected]',
                         'message': 'First post!',
                         '_nonce': 
                             util.create_nonce('popular', 'set_presence'),
                         }
                        )
   r = self.assertRedirectsPrefix(r, '/channel/create')
   self.assertTemplateUsed(r, 'create.html')
   self.assertWellformed(r)
Exemple #23
0
  def test_email_unconfirmed(self):
    r = self.client.post('/login/forgot', 
                         {
                           '_nonce': util.create_nonce(None, 'login_forgot'),
                           'login_forgot' : '',
                           'nick_or_email' : '*****@*****.**',
                         })

    r = self.assertRedirectsPrefix(r, '/login/forgot')
    self.assertTemplateUsed(r, 'forgot.html')
    self.assertContains(r, 'New Password Emailed')
    self.assertTemplateUsed(r, 'flash.html')
Exemple #24
0
  def test_login_forgot_nick_popular(self):
    r = self.client.post('/login/forgot', 
                         {
                           '_nonce': util.create_nonce(None, 'login_forgot'),
                           'login_forgot' : '',
                           'nick_or_email' : 'popular',
                         })

    r = self.assertRedirectsPrefix(r, '/login/forgot')
    self.assertTemplateUsed(r, 'forgot.html')
    self.assertContains(r, 'New Password Emailed')
    self.assertTemplateUsed(r, 'flash.html')
Exemple #25
0
 def test_join_channel(self):
   self.login('annoying')  # pick a user that is NOT a member
   r = self.client.post('/channel/popular',
                        {'nick': '*****@*****.**',
                         'channel_join': '',
                         'channel' : '#[email protected]',
                         '_nonce' : 
                             util.create_nonce('annoying', 'channel_join'),
                         }
                        )
   r = self.assertRedirectsPrefix(r, '/channel/popular')
   self.assertContains(r, 'You have joined')
   self.assertWellformed(r)
Exemple #26
0
def noncached_avatar(value, args):
  parts = args.split(",")
  size = parts[0]
  dimensions = api.AVATAR_IMAGE_SIZES[size]
  tag_id = ""
  if len(parts) > 1:
    tag_id = 'id="%s"' % (parts[1])

  path = avatar_url(value, size)
  nonce = create_nonce(value, "avatar_preview")
  nick = value.display_nick()
  return '<img src="%s?%s" class="photo" alt="%s" width="%s" height="%s" %s/>' % (
      path, nonce, nick, dimensions[0], dimensions[1], tag_id)
Exemple #27
0
 def test_post_message_in_personal_history(self):
   self.login('popular')
   msg = 'a post from unit test'
   r = self.client.post('/user/popular',
                        {'message': msg,
                         '_nonce': util.create_nonce('popular', 'post'),
                         'nick': '*****@*****.**',
                         'post': '',
                          })
   r = self.assertRedirectsPrefix(r, '/user/popular')
   self.assertContains(r, msg)
   self.assertContains(r, 'a moment ago')
   self.assertTemplateUsed(r, 'history.html')
Exemple #28
0
 def test_create_new_channel_with_trailing_whitespace(self):
   self.login('popular')
   r = self.client.post('/channel/create',
                        {'nick': '*****@*****.**',
                         'channel': 'whitespace ',
                         'channel_create': '',
                         '_nonce' : 
                             util.create_nonce('popular', 'channel_create'),
                         }
                        )
   r = self.assertRedirectsPrefix(r, '/channel/whitespace')
   self.assertContains(r, 'Channel created')
   self.assertWellformed(r)
Exemple #29
0
  def test_revoke_access_token(self):
    r = self.login('popular')
    r = self.client.get('/api/tokens', {
      '_nonce': util.create_nonce('popular', 'oauth_revoke_access_token'),
      'oauth_revoke_access_token': '',
      'key': 'POPULARDESKTOPACCESSTOKEN',
      'confirm' : 1,
    })

    r = self.assertRedirectsPrefix(r, '/api/tokens')
    self.assertTemplateUsed(r, 'tokens.html')
    self.assertContains(r, 'token revoked')
    self.assertNotContains(r, 'POPULARDESKTOPACCESSTOKEN')
    self.assertWellformed(r)
Exemple #30
0
 def render(self, context):
   user = self.var_user.resolve(context)
   view = self.var_view.resolve(context)
   actor = self.var_actor.resolve(context)
   if self.pred(user, view, actor):
     content = escape(self.content % actor.display_nick())
     return (('<a href="?%s=&amp;target=%s&amp;_nonce=%s' +
              '&amp;owner=%s" class="%s">%s</a>') % (
                  self.api_call, urllib.quote(actor.nick),
                  create_nonce(user, self.api_call),
                  escape(view.nick), self.link_class,
                  content))
   else:
     return ''