 def grant_elevated_privileges(self, request, redirect_to):
     """
     Elevate the current request, then send the user on to their destination.

     Args:
         request: the request being elevated; its session may hold the
             original destination under ``REDIRECT_TO_FIELD_NAME``.
         redirect_to: fallback destination used when the session holds none.

     Returns:
         ``HttpResponseRedirect`` to the stored destination when it is safe
         for this request's host, otherwise to ``resolve_url(REDIRECT_URL)``.
     """
     # This calls the module-level helper of the same name; inside the
     # method body the bare name resolves to the module global, not to
     # this method.
     grant_elevated_privileges(request)
     # The session entry takes precedence over the caller-supplied value,
     # and popping it also removes it from the session.
     destination = request.session.pop(REDIRECT_TO_FIELD_NAME, destination_default := redirect_to) if False else request.session.pop(REDIRECT_TO_FIELD_NAME, redirect_to)
     # Open-redirect guard: only follow the stored destination when it points
     # back at this request's host. NOTE(review): this is a host-only check
     # (no require_https argument), so an https->http downgrade would not be
     # rejected here -- confirm against the project's Django version.
     if is_safe_url(url=destination, host=request.get_host()):
         return HttpResponseRedirect(destination)
     return HttpResponseRedirect(resolve_url(REDIRECT_URL))
 def test_process_response_elevate_revoked_without_cookie(self):
     """
     Revoking elevation on a request that does not present the elevate
     cookie must emit no cookie at all -- not even a deletion cookie.
     """
     self.login()
     self.middleware.process_request(self.request)
     grant_elevated_privileges(self.request)
     revoke_elevated_privileges(self.request)
     response = self.middleware.process_response(self.request, HttpResponse())
     # The client sent nothing, so there is nothing for the response to clear.
     emitted = list(response.cookies.items())
     self.assertEqual(len(emitted), 0)
 def test_process_response_sets_secure_cookie(self):
     """
     On an HTTPS request the elevate cookie must carry the ``secure`` flag,
     so the token is never sent back over plain HTTP.
     """
     self.login()
     # Force the request to report HTTPS; the middleware is expected to
     # mirror that onto the cookie it sets.
     self.request.is_secure = lambda: True
     self.middleware.process_request(self.request)
     grant_elevated_privileges(self.request)
     response = self.middleware.process_response(self.request, HttpResponse())
     emitted = list(response.cookies.items())
     self.assertEqual(len(emitted), 1)
     name, elevate = emitted[0]
     self.assertEqual(name, COOKIE_NAME)
     self.assertTrue(self.request.is_secure())
     self.assertTrue(elevate['secure'])
    def test_process_response_elevate_revoked_removes_cookie(self):
        """
        Revoking elevation on a request that presented the elevate cookie
        must answer with a deletion cookie of the same name.
        """
        self.login()
        self.middleware.process_request(self.request)
        grant_elevated_privileges(self.request)
        # Simulate the client sending the token back, so there is a cookie
        # for the middleware to clear.
        self.request.COOKIES[COOKIE_NAME] = self.request._elevate_token
        revoke_elevated_privileges(self.request)
        response = self.middleware.process_response(self.request, HttpResponse())
        emitted = list(response.cookies.items())
        self.assertEqual(len(emitted), 1)
        name, elevate = emitted[0]
        self.assertEqual(name, COOKIE_NAME)

        # A cookie is "deleted" by re-setting it with an empty value and an
        # immediate expiry (max-age 0).
        self.assertEqual(elevate.key, COOKIE_NAME)
        self.assertFalse(elevate.value)
        self.assertEqual(elevate['max-age'], 0)
    def test_process_response_with_elevate_sets_cookie(self):
        """
        After elevation the middleware must set exactly one cookie: the
        signed token, HttpOnly, with the request's max-age, and -- because
        this request is plain HTTP -- without the ``secure`` flag.
        """
        self.login()
        self.middleware.process_request(self.request)
        grant_elevated_privileges(self.request)
        response = self.middleware.process_response(self.request, HttpResponse())
        emitted = list(response.cookies.items())
        self.assertEqual(len(emitted), 1)
        name, elevate = emitted[0]
        self.assertEqual(name, COOKIE_NAME)
        self.assertEqual(elevate.key, COOKIE_NAME)
        # The cookie value is the signed form of the token kept on the request.
        self.assertSignedCookieEqual(elevate.value, self.request._elevate_token)
        self.assertEqual(elevate['max-age'], self.request._elevate_max_age)
        # HttpOnly keeps the token out of reach of page scripts.
        self.assertTrue(elevate['httponly'])

        # Check request and cookie agree on "not secure" together: the secure
        # flag must track the request scheme, and a mismatch here would be a
        # real regression.
        self.assertFalse(self.request.is_secure())
        self.assertFalse(elevate['secure'])  # insecure request
def grant(sender, request, **kwargs):
    """
    Automatically grant elevated privileges when logging in.

    Shaped as a signal receiver: ``sender`` and ``**kwargs`` are accepted
    for the signal protocol and ignored; only ``request`` is used.
    Returns None.
    """
    grant_elevated_privileges(request)
 def test_revoked(self):
     """Granting and then revoking must leave the request without privileges."""
     self.login()
     grant_elevated_privileges(self.request)
     revoke_elevated_privileges(self.request)
     elevated = has_elevated_privileges(self.request)
     self.assertFalse(elevated)
 def test_granted(self):
     """A logged-in request reports elevated privileges right after a grant."""
     self.login()
     grant_elevated_privileges(self.request)
     elevated = has_elevated_privileges(self.request)
     self.assertTrue(elevated)
 def test_revoke_elevated_privileges(self):
     """Revoking after a grant leaves the request in the not-elevated state."""
     self.login()
     request = self.request
     grant_elevated_privileges(request)
     revoke_elevated_privileges(request)
     self.assertRequestNotElevated(request)
 def test_without_user(self):
     """A request with no ``user`` attribute at all gets no token (None)."""
     # Remove the attribute entirely rather than setting it to None.
     delattr(self.request, 'user')
     issued = grant_elevated_privileges(self.request)
     self.assertIsNone(issued)
 def test_grant_token_explicit_max_age(self):
     """An explicit max-age is honoured and recorded on the request."""
     self.login()
     max_age = 60
     issued = grant_elevated_privileges(self.request, max_age)
     self.assertIsNotNone(issued)
     self.assertRequestHasToken(self.request, max_age)
 def test_grant_token_default_max_age(self):
     """Omitting max-age falls back to ``COOKIE_AGE``."""
     self.login()
     issued = grant_elevated_privileges(self.request)
     self.assertIsNotNone(issued)
     self.assertRequestHasToken(self.request, COOKIE_AGE)
 def test_grant_token_not_logged_in(self):
     """Granting elevation to a request that is not logged in raises ValueError."""
     self.assertRaises(ValueError, grant_elevated_privileges, self.request)
 def test_user_logged_out(self):
     """Sending ``user_logged_out`` must drop elevation from the request."""
     self.login()
     grant_elevated_privileges(self.request)
     self.assertTrue(has_elevated_privileges(self.request))
     # Fire the logout signal, then confirm elevation did not survive it.
     user_logged_out.send_robust(sender=User, request=self.request)
     self.assertFalse(has_elevated_privileges(self.request))