def error_nonce(request, message=''): expected_now = util.create_nonce(None, message) expected_older = util.create_nonce(None, message, offset=-1) given = request.REQUEST.get('_error') if given not in (expected_now, expected_older): raise exception.ValidationError('Could not validate nonce')
def test_bad_nonces(self): fake_user = "******" action = "some_action" future_nonce = util.create_nonce(fake_user, action, offset=10) def _future_nonce(): validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": future_nonce}), action) self.assertRaises(exception.ValidationError, _future_nonce) def _madeup_nonce(): validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": "TEST"}), action) self.assertRaises(exception.ValidationError, _madeup_nonce) notme_nonce = util.create_nonce(fake_user, action, offset=10) def _notme_nonce(): validate.nonce(test_util.FakeRequest(user="******", post={"_nonce": notme_nonce}), action) self.assertRaises(exception.ValidationError, _notme_nonce) notany_nonce = util.create_nonce(fake_user, action, offset=10) def _notany_nonce(): validate.nonce(test_util.FakeRequest(user=None, post={"_nonce": notany_nonce}), action) self.assertRaises(exception.ValidationError, _notany_nonce)
def nonce(request, action=''): user = request.user expected_now = util.create_nonce(user, action) expected_older = util.create_nonce(user, action, offset=-1) # TODO(termie): we should probably only accept these in POST in the future given = request.REQUEST.get('_nonce') if given not in (expected_now, expected_older): raise exception.ValidationError('Could not validate nonce')
def test_slightly_old_nonces(self): fake_user = "******" action = "some_action" nonce = util.create_nonce(fake_user, action, offset=-1) validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": nonce}), action) old_nonce = util.create_nonce(fake_user, action, offset=-2) def _old_nonce(): validate.nonce(test_util.FakeRequest(user=fake_user, post={"_nonce": old_nonce}), action) self.assertRaises(exception.ValidationError, _old_nonce)
def test_settings_change_avatar(self): nick = 'obligated' self.login(nick) nick = clean.nick(nick) old_avatar = api.actor_get(api.ROOT, nick).extra.get('icon', 'avatar_default') # TODO(teemu): add more tests for different file types (gif and jpg). # Alternatively, test those against api.avatar_upload. r = self.client.post('/user/obligated/settings/photo', { 'avatar': 'default/animal_9', '_nonce' : util.create_nonce('obligated', 'change_photo'), }) r = self.assertRedirectsPrefix(r, '/user/obligated/settings/photo') new_avatar = api.actor_get(api.ROOT, nick).extra.get('icon', 'avatar_default') self.assertNotEquals(old_avatar, new_avatar) self.assertContains(r, 'Avatar changed') self.assertTemplateUsed(r, 'settings_photo.html') self.assertTemplateUsed(r, 'flash.html')
def test_post_and_delete_comment_logged_in(self): self.login('popular') # Is there a better way to get the correct url? comment = 'This is the comment' r = self.client.post('/channel/popular/presence/13345', {'stream': 'stream/#[email protected]/presence', 'entry': 'stream/#[email protected]/presence/13345', 'nick': '*****@*****.**', 'entry_add_comment' : '', 'content' : comment, '_nonce' : util.create_nonce('popular', 'entry_add_comment'), } ) self.exhaust_queue_any() r = self.assertRedirectsPrefix(r, '/channel/popular/presence/13345?flash') self.assertContains(r, comment) self.assertContains(r, 'Comment added') # Now delete what we just added r = self.assertGetLink(r, 'confirm-delete', link_no=1, of_count=2) r = self.assertRedirectsPrefix(r, '/channel/popular/presence/13345?flash') self.assertContains(r, 'Comment deleted')
def flash(request): if 'flash' not in request.REQUEST: return {} flash = request.REQUEST['flash'] nonce = util.create_nonce(None, flash) if nonce != request.REQUEST.get('_flash', ''): return {} return {'flash': flash}
def set_presence(self, user, location): params = { 'nick': '*****@*****.**' % user, 'presence_set': '', 'location' : location, '_nonce': util.create_nonce('*****@*****.**' % user, 'presence_set') } return self.client.post('/user/popular', params)
def build_url(self, request): # TODO(termie) rearrange these in the future to prevent circular imports from jaikucommon import util redirect_url = self.build_redirect(request) nonce = util.create_nonce(request.user, self.message + redirect_url) return util.qsa(self.base_url, {'message': self.message, '_nonce': nonce, 'redirect_to': redirect_url})
def test_good_nonces(self): fake_user = "******" action = "some_action" nonce = util.create_nonce(fake_user, action) params = {"_nonce": nonce} validate.nonce(test_util.FakeRequest(user=fake_user, post=params), action) validate.nonce(test_util.FakeRequest(user=fake_user, get=params), action)
def test_email_notfound(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : '*****@*****.**', }) self.assertTemplateUsed(r, 'forgot.html') self.assertContains(r, 'does not match any accounts')
def test_nick_no_email(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : 'annoying', }) self.assertTemplateUsed(r, 'forgot.html') self.assertContains(r, 'does not have an email')
def test_unknown_nick(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : 'idontexist', }) self.assertTemplateUsed(r, 'forgot.html') self.assertContains(r, 'not found')
def test_confirm(self): nonce = util.create_nonce('popular', 'entry_remove') entry = 'stream/popular%40example.com/presence/12345' path = '/user/popular/overview' r = self.login_and_get('popular', path, {'entry_remove': entry, '_nonce': nonce}) r = self.assertRedirectsPrefix(r, '/confirm') self.assertContains(r, nonce) self.assertContains(r, entry) self.assertContains(r, path)
def test_settings_delete(self): r = self.login_and_get( 'popular', '/user/popular/settings/delete', { '_nonce' : util.create_nonce('popular', 'actor_remove'), 'actor_remove' : '', 'nick' : 'popular', }, ) r = self.assertRedirectsPrefix(r, '/logout')
def test_email_notification(self): # new follower r = self.login('hermit') params = {'actor_add_contact': '', 'owner': '*****@*****.**', 'target': '*****@*****.**', '_nonce': util.create_nonce('*****@*****.**', 'actor_add_contact') } r = self.client.post('/user/popular', params) self.assertEqual(len(mail.outbox), 1, 'new follower') email = mail.outbox[0] # test that the link is valid url = test_util.get_relative_url(email.body) r = self.client.get(url) self.assertTemplateUsed(r, 'history.html') mail.outbox = [] # new follower mutual r = self.login('popular') params = {'actor_add_contact': '', 'owner': '*****@*****.**', 'target': '*****@*****.**', '_nonce': util.create_nonce('*****@*****.**', 'actor_add_contact') } r = self.client.post('/user/unpopular', params) self.assertEqual(len(mail.outbox), 1, 'new follower mutual') email = mail.outbox[0] # test that the link is valid url = test_util.get_relative_url(email.body) r = self.client.get(url) self.assertTemplateUsed(r, 'history.html')
def test_settings_delete_channel(self): self.login('popular') r = self.client.post('/channel/popular/settings/delete', { 'actor_remove' : '', 'nick' : '#[email protected]', '_nonce' : util.create_nonce('popular', 'actor_remove'), }) r = self.assertRedirectsPrefix(r, '/channel') self.assertContains(r, 'Deleted') self.assertWellformed(r)
def test_leave_channel_not_member(self): self.login('annoying') r = self.client.post('/channel/popular', {'nick': '*****@*****.**', 'channel_part': '', 'channel' : '#[email protected]', '_nonce' : util.create_nonce('annoying', 'channel_part'), } ) self.assertContains(r, 'not a member') self.assertWellformed(r)
def test_delete_channel_as_member(self): self.login('unpopular') r = self.client.post('/channel/popular/settings/delete', {'nick': '#[email protected]', 'actor_remove': '', '_nonce' : util.create_nonce('unpopular', 'actor_remove'), } ) self.assertContains(r, 'not allowed') self.assertWellformed(r)
def test_join_channel_already_member(self): self.login('popular') # pick a user that is a member r = self.client.post('/channel/popular', {'nick': '*****@*****.**', 'channel_join': '', 'channel' : '#[email protected]', '_nonce' : util.create_nonce('popular', 'channel_join'), } ) self.assertContains(r, 'already a member') self.assertWellformed(r)
def test_create_new_channel_short(self): self.login('popular') r = self.client.post('/channel/create', {'nick': '*****@*****.**', 'channel': '2', 'channel_create': '', '_nonce' : util.create_nonce('popular', 'channel_create'), } ) self.assertContains(r, 'Invalid channel') self.assertWellformed(r)
def test_first_post_to_create_channel(self): self.login('popular') r = self.client.post('/channel/fastfingers', {'channel': '#[email protected]', 'message': 'First post!', '_nonce': util.create_nonce('popular', 'set_presence'), } ) r = self.assertRedirectsPrefix(r, '/channel/create') self.assertTemplateUsed(r, 'create.html') self.assertWellformed(r)
def test_email_unconfirmed(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : '*****@*****.**', }) r = self.assertRedirectsPrefix(r, '/login/forgot') self.assertTemplateUsed(r, 'forgot.html') self.assertContains(r, 'New Password Emailed') self.assertTemplateUsed(r, 'flash.html')
def test_login_forgot_nick_popular(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : 'popular', }) r = self.assertRedirectsPrefix(r, '/login/forgot') self.assertTemplateUsed(r, 'forgot.html') self.assertContains(r, 'New Password Emailed') self.assertTemplateUsed(r, 'flash.html')
def test_join_channel(self): self.login('annoying') # pick a user that is NOT a member r = self.client.post('/channel/popular', {'nick': '*****@*****.**', 'channel_join': '', 'channel' : '#[email protected]', '_nonce' : util.create_nonce('annoying', 'channel_join'), } ) r = self.assertRedirectsPrefix(r, '/channel/popular') self.assertContains(r, 'You have joined') self.assertWellformed(r)
def noncached_avatar(value, args): parts = args.split(",") size = parts[0] dimensions = api.AVATAR_IMAGE_SIZES[size] tag_id = "" if len(parts) > 1: tag_id = 'id="%s"' % (parts[1]) path = avatar_url(value, size) nonce = create_nonce(value, "avatar_preview") nick = value.display_nick() return '<img src="%s?%s" class="photo" alt="%s" width="%s" height="%s" %s/>' % ( path, nonce, nick, dimensions[0], dimensions[1], tag_id)
def test_post_message_in_personal_history(self): self.login('popular') msg = 'a post from unit test' r = self.client.post('/user/popular', {'message': msg, '_nonce': util.create_nonce('popular', 'post'), 'nick': '*****@*****.**', 'post': '', }) r = self.assertRedirectsPrefix(r, '/user/popular') self.assertContains(r, msg) self.assertContains(r, 'a moment ago') self.assertTemplateUsed(r, 'history.html')
def test_create_new_channel_with_trailing_whitespace(self): self.login('popular') r = self.client.post('/channel/create', {'nick': '*****@*****.**', 'channel': 'whitespace ', 'channel_create': '', '_nonce' : util.create_nonce('popular', 'channel_create'), } ) r = self.assertRedirectsPrefix(r, '/channel/whitespace') self.assertContains(r, 'Channel created') self.assertWellformed(r)
def test_revoke_access_token(self): r = self.login('popular') r = self.client.get('/api/tokens', { '_nonce': util.create_nonce('popular', 'oauth_revoke_access_token'), 'oauth_revoke_access_token': '', 'key': 'POPULARDESKTOPACCESSTOKEN', 'confirm' : 1, }) r = self.assertRedirectsPrefix(r, '/api/tokens') self.assertTemplateUsed(r, 'tokens.html') self.assertContains(r, 'token revoked') self.assertNotContains(r, 'POPULARDESKTOPACCESSTOKEN') self.assertWellformed(r)
def render(self, context): user = self.var_user.resolve(context) view = self.var_view.resolve(context) actor = self.var_actor.resolve(context) if self.pred(user, view, actor): content = escape(self.content % actor.display_nick()) return (('<a href="?%s=&target=%s&_nonce=%s' + '&owner=%s" class="%s">%s</a>') % ( self.api_call, urllib.quote(actor.nick), create_nonce(user, self.api_call), escape(view.nick), self.link_class, content)) else: return ''