Esempio n. 1
0
def get_or_create_form(email, host):
    '''
    Gets the form if it already exits, otherwise checks to ensure
    that this is a valid new form submission. If so, creates a
    new form.
    '''

    form = Form.query.filter_by(hash=HASH(email, host)).first()

    if not form:

        if request_wants_json():
            # Can't create a new ajax form unless from the dashboard
            ajax_error_str = "To prevent spam, only " + \
                                settings.UPGRADED_PLAN_NAME + \
                                " accounts may create AJAX forms."
            raise SubmitFormError(jsonerror(400, {'error': ajax_error_str}))

        if url_domain(settings.SERVICE_URL) in host:
            # Bad user is trying to submit a form spoofing formspree.io
            g.log.info(
                'User attempting to create new form spoofing SERVICE_URL. Ignoring.'
            )
            raise SubmitFormError(
                (render_template('error.html',
                                 title='Unable to submit form',
                                 text='Sorry'), 400))

        # all good, create form
        form = Form(email, host)

    # Check if it has been assigned using AJAX or not
    assign_ajax(form, request_wants_json())

    if form.disabled:
        raise SubmitFormError(errors.disabled_error())

    return form
Esempio n. 2
0
    def test_form_creation(self):
        # register user
        r = self.client.post('/register',
                             data={
                                 'email': '*****@*****.**',
                                 'password': '******'
                             })
        self.assertEqual(r.status_code, 302)
        self.assertEqual(r.location.endswith('/dashboard'), True)
        self.assertEqual(1, User.query.count())

        # fail to create form
        r = self.client.post('/forms',
                             headers={'Content-type': 'application/json'},
                             data={'email': '*****@*****.**'})
        self.assertEqual(r.status_code, 402)
        self.assertIn('error', json.loads(r.data))
        self.assertEqual(0, Form.query.count())

        # upgrade user manually
        user = User.query.filter_by(email='*****@*****.**').first()
        user.upgraded = True
        DB.session.add(user)
        DB.session.commit()

        # successfully create form
        r = self.client.post('/forms',
                             headers={
                                 'Accept': 'application/json',
                                 'Content-type': 'application/json'
                             },
                             data=json.dumps({'email': '*****@*****.**'}))
        resp = json.loads(r.data)
        self.assertEqual(r.status_code, 200)
        self.assertIn('submission_url', resp)
        self.assertIn('random_like_string', resp)
        form_endpoint = resp['random_like_string']
        self.assertIn(resp['random_like_string'], resp['submission_url'])
        self.assertEqual(1, Form.query.count())
        self.assertEqual(
            Form.query.first().id,
            Form.get_form_by_random_like_string(resp['random_like_string']).id)

        # post to form
        httpretty.register_uri(httpretty.POST,
                               'https://api.sendgrid.com/api/mail.send.json')

        r = self.client.post('/' + form_endpoint,
                             headers={'Referer': 'formspree.io'},
                             data={'name': 'bruce'})
        self.assertIn("We've sent a link to your email", r.data)
        self.assertIn('confirm+your+email', httpretty.last_request().body)
        self.assertEqual(1, Form.query.count())

        # confirm form
        form = Form.query.first()
        self.client.get(
            '/confirm/%s:%s' %
            (HASH(form.email, str(form.id)), form.get_random_like_string()))
        self.assertTrue(Form.query.first().confirmed)

        # send 5 forms (monthly limits should not apply to the upgraded user)
        self.assertEqual(settings.MONTHLY_SUBMISSIONS_LIMIT, 2)
        for i in range(5):
            r = self.client.post('/' + form_endpoint,
                                 headers={'Referer': 'formspree.io'},
                                 data={
                                     'name': 'ana',
                                     'submission': '__%s__' % i
                                 })
        form = Form.query.first()
        self.assertEqual(form.counter, 5)
        self.assertEqual(form.get_monthly_counter(), 5)
        self.assertIn('ana', httpretty.last_request().body)
        self.assertIn('__4__', httpretty.last_request().body)
        self.assertNotIn('You+are+past+our+limit',
                         httpretty.last_request().body)

        # try (and fail) to submit from a different host
        r = self.client.post('/' + form_endpoint,
                             headers={'Referer': 'bad.com'},
                             data={'name': 'usurper'})
        self.assertEqual(r.status_code, 403)
        self.assertIn(
            'ana',
            httpretty.last_request().body)  # no more data is sent to sendgrid
        self.assertIn('__4__', httpretty.last_request().body)
Esempio n. 3
0
def test_form_and_submission_deletion(client, msend):
    # create and login a user
    r = client.post('/register',
                    data={
                        'email': '*****@*****.**',
                        'password': '******'
                    })
    assert r.status_code == 302
    assert 1 == User.query.count()

    # upgrade user
    user = User.query.filter_by(email='*****@*****.**').first()
    user.upgraded = True
    DB.session.add(user)
    DB.session.commit()

    # successfully create form
    r = client.post(
        "/api-int/forms",
        headers={
            "Accept": "application/json",
            "Content-type": "application/json",
            "Referer": settings.SERVICE_URL,
        },
        data=json.dumps({"email": "*****@*****.**"}),
    )
    resp = json.loads(r.data.decode('utf-8'))
    assert r.status_code == 200
    assert 'submission_url' in resp
    assert 'hashid' in resp
    form_endpoint = resp['hashid']
    assert resp['hashid'] in resp['submission_url']
    assert 1 == Form.query.count()
    assert Form.query.first().id == Form.get_with_hashid(resp['hashid']).id

    # post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})

    # confirm form
    form = Form.query.first()
    client.get('/confirm/%s:%s' %
               (HASH(form.email, str(form.id)), form.hashid))
    assert Form.query.first().confirmed
    assert 0 == Submission.query.count()

    # increase the submission limit
    old_submission_limit = settings.ARCHIVED_SUBMISSIONS_LIMIT
    settings.ARCHIVED_SUBMISSIONS_LIMIT = 10
    # make 5 submissions
    for i in range(5):
        r = client.post('/' + form_endpoint,
                        headers={'Referer': 'formspree.io'},
                        data={
                            'name': 'ana',
                            'submission': '__%s__' % i
                        })

    assert 5 == Submission.query.count()

    # delete a submission in form
    first_submission = Submission.query.first()
    r = client.delete(
        "/api-int/forms/" + form_endpoint + "/submissions/" +
        str(first_submission.id),
        headers={"Referer": settings.SERVICE_URL},
    )
    assert 200 == r.status_code
    assert 4 == Submission.query.count()
    assert DB.session.query(Submission.id).filter_by(id='0').scalar() is None
    # make sure you've deleted the submission

    # logout user
    client.get('/logout')

    # attempt to delete form you don't have access to (while logged out)
    r = client.delete("/api-int/forms/" + form_endpoint,
                      headers={"Referer": settings.SERVICE_URL})
    assert 401 == r.status_code
    assert 1 == Form.query.count()

    # create different user
    r = client.post('/register',
                    data={
                        'email': '*****@*****.**',
                        'password': '******'
                    })

    # attempt to delete form we don't have access to
    r = client.delete("/api-int/forms/" + form_endpoint,
                      headers={"Referer": settings.SERVICE_URL})
    assert 401 == r.status_code
    assert 1 == Form.query.count()

    client.get('/logout')

    #log back in to original account
    r = client.post('/login',
                    data={
                        'email': '*****@*****.**',
                        'password': '******'
                    })

    # delete the form created
    r = client.delete("/api-int/forms/" + form_endpoint,
                      headers={"Referer": settings.SERVICE_URL})
    assert 200 == r.status_code
    assert 0 == Form.query.count()

    # reset submission limit
    settings.ARCHIVED_SUBMISSIONS_LIMIT = old_submission_limit
Esempio n. 4
0
def test_form_toggle(client, msend):
    # create and login a user
    r = client.post('/register',
                    data={
                        'email': '*****@*****.**',
                        'password': '******'
                    })
    assert r.status_code == 302
    assert 1 == User.query.count()

    # upgrade user
    user = User.query.filter_by(email='*****@*****.**').first()
    user.upgraded = True
    DB.session.add(user)
    DB.session.commit()

    # successfully create form
    r = client.post(
        "/api-int/forms",
        headers={
            "Referer": settings.SERVICE_URL,
            "Content-type": "application/json"
        },
        data=json.dumps({"email": "*****@*****.**"}),
    )
    resp = json.loads(r.data.decode('utf-8'))
    assert r.status_code == 200
    assert 'submission_url' in resp
    assert 'hashid' in resp
    form_endpoint = resp['hashid']
    assert resp['hashid'] in resp['submission_url']
    assert 1 == Form.query.count()
    assert Form.query.first().id == Form.get_with_hashid(resp['hashid']).id

    # post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})

    # confirm form
    form = Form.query.first()
    client.get('/confirm/%s:%s' %
               (HASH(form.email, str(form.id)), form.hashid))
    assert Form.query.first().confirmed
    assert 0 == Submission.query.count()

    # disable the form
    r = client.patch(
        "/api-int/forms/" + form_endpoint,
        headers={
            "Referer": settings.SERVICE_URL,
            "Content-Type": "application/json"
        },
        data=json.dumps({"disabled": True}),
    )
    assert 200 == r.status_code
    assert r.json["ok"]
    assert Form.query.first().disabled
    assert 0 == Form.query.first().counter

    # logout and attempt to enable the form
    client.get("/logout")
    r = client.patch(
        "/api-int/forms/" + form_endpoint,
        headers={
            "Content-Type": "application/json",
            "Referer": settings.SERVICE_URL
        },
        data=json.dumps({"disabled": True}),
    )
    assert 401 == r.status_code
    assert "error" in json.loads(r.data.decode("utf-8"))
    assert Form.query.first().disabled

    # fail when attempting to post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})
    assert 403 == r.status_code
    assert 0 == Form.query.first().counter

    # log back in and re-enable form
    r = client.post("/login",
                    data={
                        "email": "*****@*****.**",
                        "password": "******"
                    })
    r = client.patch(
        "/api-int/forms/" + form_endpoint,
        headers={
            "Referer": settings.SERVICE_URL,
            "Content-Type": "application/json"
        },
        data=json.dumps({"disabled": False}),
    )
    assert 200 == r.status_code
    assert not Form.query.first().disabled

    # successfully post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})
    assert 1 == Form.query.first().counter
Esempio n. 5
0
def test_form_creation(client, msend):
    # register user
    r = client.post('/register',
                    data={
                        'email': '*****@*****.**',
                        'password': '******'
                    })
    assert r.status_code == 302
    assert 1 == User.query.count()

    # fail to create form
    r = client.post(
        "/api-int/forms",
        headers={
            "Content-type": "application/json",
            "Referer": settings.SERVICE_URL
        },
        data={"email": "*****@*****.**"},
    )
    assert r.status_code == 402
    assert 'error' in json.loads(r.data.decode('utf-8'))
    assert 0 == Form.query.count()

    # upgrade user manually
    user = User.query.filter_by(email='*****@*****.**').first()
    user.upgraded = True
    DB.session.add(user)
    DB.session.commit()

    # successfully create form
    r = client.post(
        "/api-int/forms",
        headers={
            "Content-type": "application/json",
            "Referer": settings.SERVICE_URL
        },
        data=json.dumps({"email": "*****@*****.**"}),
    )
    resp = json.loads(r.data.decode('utf-8'))
    assert r.status_code == 200
    assert 'submission_url' in resp
    assert 'hashid' in resp
    form_endpoint = resp['hashid']
    assert resp['hashid'] in resp['submission_url']
    assert 1 == Form.query.count()
    assert Form.query.first().id == Form.get_with_hashid(resp['hashid']).id

    # post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})
    assert "We've sent a link to your email" in r.data.decode('utf-8')
    assert 'confirm your email' in msend.call_args[1]['text']
    assert 1 == Form.query.count()

    # confirm form
    form = Form.query.first()
    client.get('/confirm/%s:%s' %
               (HASH(form.email, str(form.id)), form.hashid))
    assert Form.query.first().confirmed

    # send 5 forms (monthly limits should not apply to the upgraded user)
    assert settings.MONTHLY_SUBMISSIONS_LIMIT == 2
    for i in range(5):
        r = client.post('/' + form_endpoint,
                        headers={'Referer': 'formspree.io'},
                        data={
                            'name': 'ana',
                            'submission': '__%s__' % i
                        })
    form = Form.query.first()
    assert form.counter == 5
    assert form.get_monthly_counter() == 5
    assert 'ana' in msend.call_args[1]['text']
    assert '__4__' in msend.call_args[1]['text']
    assert 'past the limit' not in msend.call_args[1]['text']

    # try (and fail) to submit from a different host
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'bad.com'},
                    data={'name': 'usurper'})
    assert r.status_code == 403
    # no more data is sent to sendgrid
    assert 'ana' in msend.call_args[1]['text']
    assert '__4__' in msend.call_args[1]['text']
Esempio n. 6
0
    def test_form_creation(self):
        httpretty.register_uri(httpretty.POST, 'https://api.sendgrid.com/api/mail.send.json')

        # register user
        r = self.client.post('/register',
            data={'email': '*****@*****.**',
                  'password': '******'}
        )
        self.assertEqual(r.status_code, 302)
        self.assertEqual(1, User.query.count())

        # fail to create form
        r = self.client.post('/forms',
            headers={'Content-type': 'application/json'},
            data={'email': '*****@*****.**'}
        )
        self.assertEqual(r.status_code, 402)
        self.assertIn('error', json.loads(r.data))
        self.assertEqual(0, Form.query.count())

        # upgrade user manually
        user = User.query.filter_by(email='*****@*****.**').first()
        user.upgraded = True
        DB.session.add(user)
        DB.session.commit()

        # successfully create form
        r = self.client.post('/forms',
            headers={'Accept': 'application/json', 'Content-type': 'application/json'},
            data=json.dumps({'email': '*****@*****.**'})
        )
        resp = json.loads(r.data)
        self.assertEqual(r.status_code, 200)
        self.assertIn('submission_url', resp)
        self.assertIn('hashid', resp)
        form_endpoint = resp['hashid']
        self.assertIn(resp['hashid'], resp['submission_url'])
        self.assertEqual(1, Form.query.count())
        self.assertEqual(Form.query.first().id, Form.get_with_hashid(resp['hashid']).id)

        # post to form
        r = self.client.post('/' + form_endpoint,
            headers={'Referer': 'http://formspree.io'},
            data={'name': 'bruce'}
        )
        self.assertIn("sent an email confirmation", r.data)
        self.assertIn('confirm+your+email', httpretty.last_request().body)
        self.assertEqual(1, Form.query.count())

        # confirm form
        form = Form.query.first()
        self.client.get('/confirm/%s:%s' % (HASH(form.email, str(form.id)), form.hashid))
        self.assertTrue(Form.query.first().confirmed)

        # Make sure that it marks the first form as AJAX
        self.assertTrue(Form.query.first().uses_ajax)

        # check captcha disabling
        self.assertFalse(Form.query.first().captcha_disabled)
        r = self.client.get('/forms/' + form_endpoint + '/toggle-recaptcha',
            headers={'Referer': settings.SERVICE_URL})
        self.assertTrue(Form.query.first().captcha_disabled)
        r = self.client.get('/forms/' + form_endpoint + '/toggle-recaptcha',
            headers={'Referer': settings.SERVICE_URL})
        self.assertFalse(Form.query.first().captcha_disabled)


        # send 5 forms (monthly limits should not apply to the upgraded user)
        self.assertEqual(settings.MONTHLY_SUBMISSIONS_LIMIT, 2)
        for i in range(5):
            r = self.client.post('/' + form_endpoint,
                headers={'Referer': 'formspree.io'},
                data={'name': 'ana',
                      'submission': '__%s__' % i}
            )
        form = Form.query.first()
        self.assertEqual(form.counter, 5)
        self.assertEqual(form.get_monthly_counter(), 5)
        self.assertIn('ana', httpretty.last_request().body)
        self.assertIn('__4__', httpretty.last_request().body)
        self.assertNotIn('You+are+past+our+limit', httpretty.last_request().body)

        # try (and fail) to submit from a different host
        r = self.client.post('/' + form_endpoint,
            headers={'Referer': 'bad.com'},
            data={'name': 'usurper'}
        )
        self.assertEqual(r.status_code, 403)
        self.assertIn('ana', httpretty.last_request().body) # no more data is sent to sendgrid
        self.assertIn('__4__', httpretty.last_request().body)
Esempio n. 7
0
def test_form_toggle(client, msend):
    # create and login a user
    r = client.post('/register',
                    data={
                        'email': '*****@*****.**',
                        'password': '******'
                    })
    assert r.status_code == 302
    assert 1 == User.query.count()

    # upgrade user
    user = User.query.filter_by(email='*****@*****.**').first()
    user.upgraded = True
    DB.session.add(user)
    DB.session.commit()

    # successfully create form
    r = client.post('/forms',
                    headers={
                        'Accept': 'application/json',
                        'Content-type': 'application/json'
                    },
                    data=json.dumps({'email': '*****@*****.**'}))
    resp = json.loads(r.data.decode('utf-8'))
    assert r.status_code == 200
    assert 'submission_url' in resp
    assert 'hashid' in resp
    form_endpoint = resp['hashid']
    assert resp['hashid'] in resp['submission_url']
    assert 1 == Form.query.count()
    assert Form.query.first().id == Form.get_with_hashid(resp['hashid']).id

    # post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})

    # confirm form
    form = Form.query.first()
    client.get('/confirm/%s:%s' %
               (HASH(form.email, str(form.id)), form.hashid))
    assert Form.query.first().confirmed
    assert 0 == Submission.query.count()

    # disable the form
    r = client.post('/forms/' + form_endpoint + '/toggle',
                    headers={'Referer': settings.SERVICE_URL})
    assert 302 == r.status_code
    assert r.location.endswith('/dashboard')
    assert Form.query.first().disabled
    assert 0 == Form.query.first().counter

    # logout and attempt to enable the form
    client.get('/logout')
    r = client.post('/forms/' + form_endpoint + '/toggle',
                    headers={'Referer': settings.SERVICE_URL},
                    follow_redirects=True)
    assert 200 == r.status_code
    assert Form.query.first().disabled

    # fail when attempting to post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})
    assert 403 == r.status_code
    assert 0 == Form.query.first().counter

    # log back in and re-enable form
    r = client.post('/login',
                    data={
                        'email': '*****@*****.**',
                        'password': '******'
                    })
    r = client.post('/forms/' + form_endpoint + '/toggle',
                    headers={'Referer': settings.SERVICE_URL},
                    follow_redirects=True)
    assert 200 == r.status_code
    assert not Form.query.first().disabled

    # successfully post to form
    r = client.post('/' + form_endpoint,
                    headers={'Referer': 'formspree.io'},
                    data={'name': 'bruce'})
    assert 1 == Form.query.first().counter
Esempio n. 8
0
def resend_confirmation(email):
    g.log = g.log.bind(email=email, host=request.form.get('host'))
    g.log.info('Resending confirmation.')

    if verify_captcha(request.form, request):
        # check if this email is listed on SendGrid's bounces
        r = requests.get('https://api.sendgrid.com/api/bounces.get.json',
                         params={
                             'email': email,
                             'api_user': settings.SENDGRID_USERNAME,
                             'api_key': settings.SENDGRID_PASSWORD
                         })
        if r.ok and len(r.json()) and 'reason' in r.json()[0]:
            # tell the user to verify his mailbox
            reason = r.json()[0]['reason']
            g.log.info('Email is blocked on SendGrid. Telling the user.')
            if request_wants_json():
                resp = jsonify({
                    'error': "Verify your mailbox, we can't reach it.",
                    'reason': reason
                })
            else:
                resp = make_response(
                    render_template(
                        'info.html',
                        title='Verify the availability of your mailbox',
                        text=
                        "We encountered an error when trying to deliver the confirmation message to <b>"
                        + email +
                        "</b> at the first time we tried. For spam reasons, we will not try again until we are sure the problem is fixed. Here's the reason:</p><p><center><i>"
                        + reason +
                        "</i></center></p><p>Please make sure this problem is not happening still, then go to <a href='/unblock/"
                        + email +
                        "'>this page</a> to unblock your address.</p><p>After you have unblocked the address, please try to resend the confirmation again.</p>"
                    ))
            return resp
        # ~~~
        # if there's no bounce, we proceed to resend the confirmation.

        # BUG: What if this is an owned form with hashid??

        form = Form.query.filter_by(
            hash=HASH(email, request.form['host'])).first()
        if not form:
            if request_wants_json():
                return jsonerror(400, {'error': "This form does not exist."})
            else:
                return render_template('error.html',
                                       title='Check email address',
                                       text='This form does not exist.'), 400
        form.confirm_sent = False
        status = form.send_confirmation()
        if status['code'] == Form.STATUS_CONFIRMATION_SENT:
            if request_wants_json():
                return jsonify({'success': "confirmation email sent"})
            else:
                return render_template('forms/confirmation_sent.html',
                                       email=email,
                                       host=request.form['host'],
                                       resend=status['code'] ==
                                       Form.STATUS_CONFIRMATION_DUPLICATED)

    # fallback response -- should happen only when the recaptcha is failed.
    g.log.warning('Failed to resend confirmation.')
    return render_template(
        'error.html',
        title='Unable to send email',
        text=
        'Please make sure you pass the <i>reCaptcha</i> test before submitting.'
    ), 500
Esempio n. 9
0
    def test_form_and_submission_deletion(self):
        # create and login a user
        r = self.client.post('/register',
            data={'email': '*****@*****.**',
                  'password': '******'}
        )
        self.assertEqual(r.status_code, 302)
        self.assertEqual(1, User.query.count())

        # upgrade user
        user = User.query.filter_by(email='*****@*****.**').first()
        user.upgraded = True
        DB.session.add(user)
        DB.session.commit()

        # successfully create form
        r = self.client.post('/forms',
            headers={'Accept': 'application/json', 'Content-type': 'application/json'},
            data=json.dumps({'email': '*****@*****.**'})
        )
        resp = json.loads(r.data)
        self.assertEqual(r.status_code, 200)
        self.assertIn('submission_url', resp)
        self.assertIn('hashid', resp)
        form_endpoint = resp['hashid']
        self.assertIn(resp['hashid'], resp['submission_url'])
        self.assertEqual(1, Form.query.count())
        self.assertEqual(Form.query.first().id, Form.get_with_hashid(resp['hashid']).id)

        # post to form
        r = self.client.post('/' + form_endpoint,
            headers={'Referer': 'formspree.io'},
            data={'name': 'bruce'}
        )

        # confirm form
        form = Form.query.first()
        self.client.get('/confirm/%s:%s' % (HASH(form.email, str(form.id)), form.hashid))
        self.assertTrue(Form.query.first().confirmed)
        self.assertEqual(0, Submission.query.count())

        # increase the submission limit
        old_submission_limit = settings.ARCHIVED_SUBMISSIONS_LIMIT
        settings.ARCHIVED_SUBMISSIONS_LIMIT = 10
        # make 5 submissions
        for i in range(5):
            r = self.client.post('/' + form_endpoint,
                headers={'Referer': 'formspree.io'},
                data={'name': 'ana',
                      'submission': '__%s__' % i}
            )

        self.assertEqual(5, Submission.query.count())

        # delete a submission in form
        first_submission = Submission.query.first()
        r = self.client.post('/forms/' + form_endpoint + '/delete/' + unicode(first_submission.id),
            headers={'Referer': settings.SERVICE_URL},
            follow_redirects=True)
        self.assertEqual(200, r.status_code)
        self.assertEqual(4, Submission.query.count())
        self.assertTrue(DB.session.query(Submission.id).filter_by(id='0').scalar() is None) #make sure you deleted the submission

        # logout user
        self.client.get('/logout')

        # attempt to delete form you don't have access to (while logged out)
        r = self.client.post('/forms/' + form_endpoint + '/delete',
            headers={'Referer': settings.SERVICE_URL})
        self.assertEqual(302, r.status_code)
        self.assertEqual(1, Form.query.count())

        # create different user
        r = self.client.post('/register',
            data={'email': '*****@*****.**',
                  'password': '******'}
        )

        # attempt to delete form we don't have access to
        r = self.client.post('/forms/' + form_endpoint + '/delete',
            headers={'Referer': settings.SERVICE_URL})
        self.assertEqual(400, r.status_code)
        self.assertEqual(1, Form.query.count())

        self.client.get('/logout')

        #log back in to original account
        r = self.client.post('/login',
            data={'email': '*****@*****.**',
                  'password': '******'}
        )

        # delete the form created
        r = self.client.post('/forms/' + form_endpoint + '/delete',
            headers={'Referer': settings.SERVICE_URL},
            follow_redirects=True)
        self.assertEqual(200, r.status_code)
        self.assertEqual(0, Form.query.count())

        # reset submission limit
        settings.ARCHIVED_SUBMISSIONS_LIMIT = old_submission_limit
Esempio n. 10
0
    def test_form_toggle(self):
                # create and login a user
        r = self.client.post('/register',
            data={'email': '*****@*****.**',
                  'password': '******'}
        )
        self.assertEqual(r.status_code, 302)
        self.assertEqual(1, User.query.count())

        # upgrade user
        user = User.query.filter_by(email='*****@*****.**').first()
        user.upgraded = True
        DB.session.add(user)
        DB.session.commit()

        # successfully create form
        r = self.client.post('/forms',
            headers={'Accept': 'application/json', 'Content-type': 'application/json'},
            data=json.dumps({'email': '*****@*****.**'})
        )
        resp = json.loads(r.data)
        self.assertEqual(r.status_code, 200)
        self.assertIn('submission_url', resp)
        self.assertIn('hashid', resp)
        form_endpoint = resp['hashid']
        self.assertIn(resp['hashid'], resp['submission_url'])
        self.assertEqual(1, Form.query.count())
        self.assertEqual(Form.query.first().id, Form.get_with_hashid(resp['hashid']).id)

        # post to form
        r = self.client.post('/' + form_endpoint,
            headers={'Referer': 'formspree.io'},
            data={'name': 'bruce'}
        )

        # confirm form
        form = Form.query.first()
        self.client.get('/confirm/%s:%s' % (HASH(form.email, str(form.id)), form.hashid))
        self.assertTrue(Form.query.first().confirmed)
        self.assertEqual(0, Submission.query.count())

        # disable the form
        r = self.client.post('/forms/' + form_endpoint + '/toggle',
            headers={'Referer': settings.SERVICE_URL})
        self.assertEqual(302, r.status_code)
        self.assertTrue(r.location.endswith('/dashboard'))
        self.assertTrue(Form.query.first().disabled)
        self.assertEqual(0, Form.query.first().counter)

        # logout and attempt to enable the form
        self.client.get('/logout')
        r = self.client.post('/forms/' + form_endpoint + '/toggle',
            headers={'Referer': settings.SERVICE_URL},
            follow_redirects=True)
        self.assertEqual(200, r.status_code)
        self.assertTrue(Form.query.first().disabled)

        # fail when attempting to post to form
        r = self.client.post('/' + form_endpoint,
            headers={'Referer': 'formspree.io'},
            data={'name': 'bruce'}
        )
        self.assertEqual(403, r.status_code)
        self.assertEqual(0, Form.query.first().counter)

        # log back in and re-enable form
        r = self.client.post('/login',
            data={'email': '*****@*****.**',
                  'password': '******'}
        )
        r = self.client.post('/forms/' + form_endpoint + '/toggle',
            headers={'Referer': settings.SERVICE_URL},
            follow_redirects=True)
        self.assertEqual(200, r.status_code)
        self.assertFalse(Form.query.first().disabled)

        # successfully post to form
        r = self.client.post('/' + form_endpoint,
            headers={'Referer': 'formspree.io'},
            data={'name': 'bruce'}
        )
        self.assertEqual(1, Form.query.first().counter)
Esempio n. 11
0
def test_form_creation(client, msend):
    # register user
    r = client.post('/register',
        data={'email': '*****@*****.**',
              'password': '******'}
    )
    assert r.status_code == 302
    assert 1 == User.query.count()

    # fail to create form
    r = client.post('/forms',
        headers={'Content-type': 'application/json'},
        data={'email': '*****@*****.**'}
    )
    assert r.status_code == 402
    assert 'error' in json.loads(r.data.decode('utf-8'))
    assert 0 == Form.query.count()

    # upgrade user manually
    user = User.query.filter_by(email='*****@*****.**').first()
    user.upgraded = True
    DB.session.add(user)
    DB.session.commit()

    # successfully create form
    r = client.post('/forms',
        headers={'Accept': 'application/json', 'Content-type': 'application/json'},
        data=json.dumps({'email': '*****@*****.**'})
    )
    resp = json.loads(r.data.decode('utf-8'))
    assert r.status_code == 200
    assert 'submission_url' in resp
    assert 'hashid' in resp
    form_endpoint = resp['hashid']
    assert resp['hashid'] in resp['submission_url']
    assert 1 == Form.query.count()
    assert Form.query.first().id == Form.get_with_hashid(resp['hashid']).id

    # post to form
    r = client.post('/' + form_endpoint,
        headers={'Referer': 'http://testsite.com'},
        data={'name': 'bruce'}
    )
    assert 'sent an email confirmation' in r.data.decode('utf-8')
    assert 'confirm your email' in msend.call_args[1]['text']
    assert 1 == Form.query.count()

    # confirm form
    form = Form.query.first()
    client.get('/confirm/%s:%s' % (HASH(form.email, str(form.id)), form.hashid))
    assert Form.query.first().confirmed

    # Make sure that it marks the first form as AJAX
    assert Form.query.first().uses_ajax

    # send 5 forms (monthly limits should not apply to the upgraded user)
    assert settings.MONTHLY_SUBMISSIONS_LIMIT == 2
    for i in range(5):
        r = client.post('/' + form_endpoint,
            headers={'Referer': 'testsite.com'},
            data={'name': 'ana',
                  'submission': '__%s__' % i}
        )
    form = Form.query.first()
    assert form.counter == 5
    assert form.get_monthly_counter() == 5
    assert 'ana' in msend.call_args[1]['text']
    assert '__4__' in msend.call_args[1]['text']
    assert 'You are past our limit' not in msend.call_args[1]['text']

    # try (and fail) to submit from a different host
    r = client.post('/' + form_endpoint,
        headers={'Referer': 'bad.com'},
        data={'name': 'usurper'}
    )
    assert r.status_code == 403
    assert 'ana' in msend.call_args[1]['text'] # no more data is sent to sendgrid
    assert '__4__' in msend.call_args[1]['text']