def error_nonce(request, message=''): expected_now = util.create_nonce(None, message) expected_older = util.create_nonce(None, message, offset= -1) given = request.REQUEST.get('_error') if given not in (expected_now, expected_older): raise exception.ValidationError('Could not validate nonce')
def error_nonce(request, message=''): expected_now = util.create_nonce(None, message) expected_older = util.create_nonce(None, message, offset=-1) given = request.REQUEST.get('_error') if given not in (expected_now, expected_older): raise exception.ValidationError('Could not validate nonce')
def nonce(request, action=''): user = request.user expected_now = util.create_nonce(user, action) expected_older = util.create_nonce(user, action, offset= -1) # TODO(termie): we should probably only accept these in POST in the future given = request.REQUEST.get('_nonce') if given not in (expected_now, expected_older): raise exception.ValidationError('Could not validate nonce')
def nonce(request, action=''): user = request.user expected_now = util.create_nonce(user, action) expected_older = util.create_nonce(user, action, offset=-1) # TODO(termie): we should probably only accept these in POST in the future given = request.REQUEST.get('_nonce') if given not in (expected_now, expected_older): raise exception.ValidationError('Could not validate nonce')
def test_post_and_delete_comment_logged_in(self): self.login('popular') # Is there a better way to get the correct url? comment = 'This is the comment' r = self.client.post('/channel/popular/presence/13345', {'stream': 'stream/#[email protected]/presence', 'entry': 'stream/#[email protected]/presence/13345', 'nick': '*****@*****.**', 'entry_add_comment' : '', 'content' : comment, '_nonce' : util.create_nonce('popular', 'entry_add_comment'), } ) self.exhaust_queue_any() r = self.assertRedirectsPrefix(r, '/channel/popular/presence/13345?flash') self.assertContains(r, comment) self.assertContains(r, 'Comment added') # Now delete what we just added r = self.assertGetLink(r, 'confirm-delete', link_no=1, of_count=2) r = self.assertRedirectsPrefix(r, '/channel/popular/presence/13345?flash') self.assertContains(r, 'Comment deleted')
def test_settings_change_avatar(self): nick = 'obligated' self.login(nick) nick = clean.nick(nick) old_avatar = api.actor_get(api.ROOT, nick).extra.get('icon', 'avatar_default') # TODO(teemu): add more tests for different file types (gif and jpg). # Alternatively, test those against api.avatar_upload. r = self.client.post('/user/obligated/settings/photo', { 'avatar': 'default/animal_9', '_nonce' : util.create_nonce('obligated', 'change_photo'), }) r = self.assertRedirectsPrefix(r, '/user/obligated/settings/photo') new_avatar = api.actor_get(api.ROOT, nick).extra.get('icon', 'avatar_default') self.assertNotEquals(old_avatar, new_avatar) self.assertContains(r, 'Avatar changed') self.assertTemplateUsed(r, 'actor/templates/settings_photo.html') self.assertTemplateUsed(r, 'common/templates/flash.html')
def test_post_and_delete_comment_logged_in(self): self.login('popular') # Is there a better way to get the correct url? comment = 'This is the comment' r = self.client.post( '/channel/popular/presence/13345', { 'stream': 'stream/#[email protected]/presence', 'entry': 'stream/#[email protected]/presence/13345', 'nick': '*****@*****.**', 'entry_add_comment': '', 'content': comment, '_nonce': util.create_nonce('popular', 'entry_add_comment'), }) self.exhaust_queue_any() r = self.assertRedirectsPrefix( r, '/channel/popular/presence/13345?flash') self.assertContains(r, comment) self.assertContains(r, 'Comment added') # Now delete what we just added r = self.assertGetLink(r, 'confirm-delete', link_no=1, of_count=2) r = self.assertRedirectsPrefix( r, '/channel/popular/presence/13345?flash') self.assertContains(r, 'Comment deleted')
def test_nick_no_email(self): r = self.client.post( "/login/forgot", {"_nonce": util.create_nonce(None, "login_forgot"), "login_forgot": "", "nick_or_email": "annoying"}, ) self.assertTemplateUsed(r, "login/templates/forgot.html") self.assertContains(r, "does not have an email")
def test_unknown_nick(self): r = self.client.post( "/login/forgot", {"_nonce": util.create_nonce(None, "login_forgot"), "login_forgot": "", "nick_or_email": "idontexist"}, ) self.assertTemplateUsed(r, "login/templates/forgot.html") self.assertContains(r, "not found")
def test_email_notfound(self): r = self.client.post( "/login/forgot", {"_nonce": util.create_nonce(None, "login_forgot"), "login_forgot": "", "nick_or_email": "*****@*****.**"}, ) self.assertTemplateUsed(r, "login/templates/forgot.html") self.assertContains(r, "does not match any accounts")
def set_presence(self, user, location): params = { 'nick': '*****@*****.**' % user, 'presence_set': '', 'location': location, '_nonce': util.create_nonce('*****@*****.**' % user, 'presence_set') } return self.client.post('/user/popular', params)
def build_url(self, request): # TODO(termie) rearrange these in the future to prevent circular imports from common import util redirect_url = self.build_redirect(request) nonce = util.create_nonce(request.user, self.message + redirect_url) return util.qsa(self.base_url, {"message": self.message, "_nonce": nonce, "redirect_to": redirect_url})
def flash(request): if "flash" not in request.REQUEST: return {} flash = request.REQUEST["flash"] nonce = util.create_nonce(None, flash) if nonce != request.REQUEST.get("_flash", ""): return {} return {"flash": flash}
def flash(request): if 'flash' not in request.REQUEST: return {} flash = request.REQUEST['flash'] nonce = util.create_nonce(None, flash) if nonce != request.REQUEST.get('_flash', ''): return {} return {'flash': flash}
def test_slightly_old_nonces(self): fake_user = '******' action = 'some_action' nonce = util.create_nonce(fake_user, action, offset= -1) validate.nonce(test_util.FakeRequest( user=fake_user, post={'_nonce': nonce}), action) old_nonce = util.create_nonce(fake_user, action, offset= -2) def _old_nonce(): validate.nonce(test_util.FakeRequest( user=fake_user, post={'_nonce': old_nonce}), action) self.assertRaises(exception.ValidationError, _old_nonce)
def set_presence(self, user, location): params = { 'nick': '*****@*****.**' % user, 'presence_set': '', 'location' : location, '_nonce': util.create_nonce('*****@*****.**' % user, 'presence_set') } return self.client.post('/user/popular', params)
def test_slightly_old_nonces(self): fake_user = '******' action = 'some_action' nonce = util.create_nonce(fake_user, action, offset=-1) validate.nonce( test_util.FakeRequest(user=fake_user, post={'_nonce': nonce}), action) old_nonce = util.create_nonce(fake_user, action, offset=-2) def _old_nonce(): validate.nonce( test_util.FakeRequest(user=fake_user, post={'_nonce': old_nonce}), action) self.assertRaises(exception.ValidationError, _old_nonce)
def test_nick_unconfirmed(self): r = self.client.post( "/login/forgot", {"_nonce": util.create_nonce(None, "login_forgot"), "login_forgot": "", "nick_or_email": "hermit"}, ) r = self.assertRedirectsPrefix(r, "/login/forgot") self.assertTemplateUsed(r, "login/templates/forgot.html") self.assertContains(r, "New Password Emailed") self.assertTemplateUsed(r, "common/templates/flash.html")
def test_email_notfound(self): r = self.client.post( '/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot': '', 'nick_or_email': '*****@*****.**', }) self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'does not match any accounts')
def test_email_notification(self): # new follower r = self.login('hermit') params = { 'actor_add_contact': '', 'owner': '*****@*****.**', 'target': '*****@*****.**', '_nonce': util.create_nonce('*****@*****.**', 'actor_add_contact') } r = self.client.post('/user/popular', params) self.assertEqual(len(mail.outbox), 1, 'new follower') email = mail.outbox[0] # test that the link is valid url = test_util.get_relative_url(email.body) r = self.client.get(url) self.assertTemplateUsed(r, 'actor/templates/history.html') mail.outbox = [] # new follower mutual r = self.login('popular') params = { 'actor_add_contact': '', 'owner': '*****@*****.**', 'target': '*****@*****.**', '_nonce': util.create_nonce('*****@*****.**', 'actor_add_contact') } r = self.client.post('/user/unpopular', params) self.assertEqual(len(mail.outbox), 1, 'new follower mutual') email = mail.outbox[0] # test that the link is valid url = test_util.get_relative_url(email.body) r = self.client.get(url) self.assertTemplateUsed(r, 'actor/templates/history.html')
def test_email_notfound(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : '*****@*****.**', }) self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'does not match any accounts')
def test_unknown_nick(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : 'idontexist', }) self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'not found')
def test_nick_no_email(self): r = self.client.post( '/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot': '', 'nick_or_email': 'annoying', }) self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'does not have an email')
def test_nick_no_email(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : 'annoying', }) self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'does not have an email')
def test_unknown_nick(self): r = self.client.post( '/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot': '', 'nick_or_email': 'idontexist', }) self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'not found')
def test_first_post_to_create_channel(self): self.login('popular') r = self.client.post( '/channel/fastfingers', { 'channel': '#[email protected]', 'message': 'First post!', '_nonce': util.create_nonce('popular', 'set_presence'), }) r = self.assertRedirectsPrefix(r, '/channel/create') self.assertTemplateUsed(r, 'channel/templates/create.html') self.assertWellformed(r)
def test_confirm(self): nonce = util.create_nonce('popular', 'entry_remove') entry = 'stream/popular%40example.com/presence/12345' path = '/user/popular/overview' r = self.login_and_get('popular', path, {'entry_remove': entry, '_nonce': nonce}) r = self.assertRedirectsPrefix(r, '/confirm') self.assertContains(r, nonce) self.assertContains(r, entry) self.assertContains(r, path)
def test_delete_channel_as_member(self): self.login('unpopular') r = self.client.post( '/channel/popular/settings/delete', { 'nick': '#[email protected]', 'actor_remove': '', '_nonce': util.create_nonce('unpopular', 'actor_remove'), }) self.assertContains(r, 'not allowed') self.assertWellformed(r)
def test_leave_channel_not_member(self): self.login('annoying') r = self.client.post( '/channel/popular', { 'nick': '*****@*****.**', 'channel_part': '', 'channel': '#[email protected]', '_nonce': util.create_nonce('annoying', 'channel_part'), }) self.assertContains(r, 'not a member') self.assertWellformed(r)
def test_settings_delete_channel(self): self.login('popular') r = self.client.post( '/channel/popular/settings/delete', { 'actor_remove': '', 'nick': '#[email protected]', '_nonce': util.create_nonce('popular', 'actor_remove'), }) r = self.assertRedirectsPrefix(r, '/channel') self.assertContains(r, 'Deleted') self.assertWellformed(r)
def test_create_new_channel_short(self): self.login('popular') r = self.client.post( '/channel/create', { 'nick': '*****@*****.**', 'channel': '2', 'channel_create': '', '_nonce': util.create_nonce('popular', 'channel_create'), }) self.assertContains(r, 'Invalid channel') self.assertWellformed(r)
def test_settings_delete(self): r = self.login_and_get( 'popular', '/user/popular/settings/delete', { '_nonce': util.create_nonce('popular', 'actor_remove'), 'actor_remove': '', 'nick': 'popular', }, ) r = self.assertRedirectsPrefix(r, '/logout')
def test_settings_delete(self): r = self.login_and_get( 'popular', '/user/popular/settings/delete', { '_nonce' : util.create_nonce('popular', 'actor_remove'), 'actor_remove' : '', 'nick' : 'popular', }, ) r = self.assertRedirectsPrefix(r, '/logout')
def test_join_channel_already_member(self): self.login('popular') # pick a user that is a member r = self.client.post( '/channel/popular', { 'nick': '*****@*****.**', 'channel_join': '', 'channel': '#[email protected]', '_nonce': util.create_nonce('popular', 'channel_join'), }) self.assertContains(r, 'already a member') self.assertWellformed(r)
def test_email_notification(self): # new follower self.login('hermit') params = {'actor_add_contact': '', 'owner': '*****@*****.**', 'target': '*****@*****.**', '_nonce': util.create_nonce('*****@*****.**', 'actor_add_contact') } self.client.post('/user/popular', params) self.assertEqual(len(mail.outbox), 1, 'new follower') email = mail.outbox[0] # test that the link is valid url = test_util.get_relative_url(email.body) r = self.client.get(url) self.assertTemplateUsed(r, 'actor/templates/history.html') mail.outbox = [] # new follower mutual r = self.login('popular') params = {'actor_add_contact': '', 'owner': '*****@*****.**', 'target': '*****@*****.**', '_nonce': util.create_nonce('*****@*****.**', 'actor_add_contact') } r = self.client.post('/user/unpopular', params) self.assertEqual(len(mail.outbox), 1, 'new follower mutual') email = mail.outbox[0] # test that the link is valid url = test_util.get_relative_url(email.body) r = self.client.get(url) self.assertTemplateUsed(r, 'actor/templates/history.html')
def test_create_new_channel_short(self): self.login('popular') r = self.client.post('/channel/create', {'nick': '*****@*****.**', 'channel': '2', 'channel_create': '', '_nonce' : util.create_nonce('popular', 'channel_create'), } ) self.assertContains(r, 'Invalid channel') self.assertWellformed(r)
def test_nick_confirmed(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : 'popular', }) r = self.assertRedirectsPrefix(r, '/login/forgot') self.assertTemplateUsed(r, 'forgot.html') self.assertContains(r, 'New Password Emailed') self.assertTemplateUsed(r, 'flash.html')
def build_url(self, request): # TODO(termie) rearrange these in the future to prevent circular imports from common import util redirect_url = self.build_redirect(request) nonce = util.create_nonce(request.user, self.message + redirect_url) return util.qsa(self.base_url, { 'message': self.message, '_nonce': nonce, 'redirect_to': redirect_url })
def test_create_new_channel_with_trailing_whitespace(self): self.login('popular') r = self.client.post( '/channel/create', { 'nick': '*****@*****.**', 'channel': 'whitespace ', 'channel_create': '', '_nonce': util.create_nonce('popular', 'channel_create'), }) r = self.assertRedirectsPrefix(r, '/channel/whitespace') self.assertContains(r, 'Channel created') self.assertWellformed(r)
def test_settings_delete_channel(self): self.login('popular') r = self.client.post('/channel/popular/settings/delete', { 'actor_remove' : '', 'nick' : '#[email protected]', '_nonce' : util.create_nonce('popular', 'actor_remove'), }) r = self.assertRedirectsPrefix(r, '/channel') self.assertContains(r, 'Deleted') self.assertWellformed(r)
def test_leave_channel_not_member(self): self.login('annoying') r = self.client.post('/channel/popular', {'nick': '*****@*****.**', 'channel_part': '', 'channel' : '#[email protected]', '_nonce' : util.create_nonce('annoying', 'channel_part'), } ) self.assertContains(r, 'not a member') self.assertWellformed(r)
def test_delete_channel_as_member(self): self.login('unpopular') r = self.client.post('/channel/popular/settings/delete', {'nick': '#[email protected]', 'actor_remove': '', '_nonce' : util.create_nonce('unpopular', 'actor_remove'), } ) self.assertContains(r, 'not allowed') self.assertWellformed(r)
def test_join_channel_already_member(self): self.login('popular') # pick a user that is a member r = self.client.post('/channel/popular', {'nick': '*****@*****.**', 'channel_join': '', 'channel' : '#[email protected]', '_nonce' : util.create_nonce('popular', 'channel_join'), } ) self.assertContains(r, 'already a member') self.assertWellformed(r)
def test_first_post_to_create_channel(self): self.login('popular') r = self.client.post('/channel/fastfingers', {'channel': '#[email protected]', 'message': 'First post!', '_nonce': util.create_nonce('popular', 'set_presence'), } ) r = self.assertRedirectsPrefix(r, '/channel/create') self.assertTemplateUsed(r, 'channel/templates/create.html') self.assertWellformed(r)
def test_good_nonces(self): fake_user = '******' action = 'some_action' nonce = util.create_nonce(fake_user, action) params = {'_nonce': nonce} validate.nonce(test_util.FakeRequest(user=fake_user, post=params), action) validate.nonce(test_util.FakeRequest(user=fake_user, get=params), action)
def test_login_forgot_nick_mixed_case(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : 'CapitalPunishment', }) r = self.assertRedirectsPrefix(r, '/login/forgot') self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'New Password Emailed') self.assertTemplateUsed(r, 'common/templates/flash.html')
def test_email_unconfirmed(self): r = self.client.post('/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot' : '', 'nick_or_email' : '*****@*****.**', }) r = self.assertRedirectsPrefix(r, '/login/forgot') self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'New Password Emailed') self.assertTemplateUsed(r, 'common/templates/flash.html')
def test_join_channel(self): self.login('annoying') # pick a user that is NOT a member r = self.client.post( '/channel/popular', { 'nick': '*****@*****.**', 'channel_join': '', 'channel': '#[email protected]', '_nonce': util.create_nonce('annoying', 'channel_join'), }) r = self.assertRedirectsPrefix(r, '/channel/popular') self.assertContains(r, 'You have joined') self.assertWellformed(r)
def test_email_unconfirmed(self): r = self.client.post( '/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot': '', 'nick_or_email': '*****@*****.**', }) r = self.assertRedirectsPrefix(r, '/login/forgot') self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'New Password Emailed') self.assertTemplateUsed(r, 'common/templates/flash.html')
def test_login_forgot_nick_mixed_case(self): r = self.client.post( '/login/forgot', { '_nonce': util.create_nonce(None, 'login_forgot'), 'login_forgot': '', 'nick_or_email': 'CapitalPunishment', }) r = self.assertRedirectsPrefix(r, '/login/forgot') self.assertTemplateUsed(r, 'login/templates/forgot.html') self.assertContains(r, 'New Password Emailed') self.assertTemplateUsed(r, 'common/templates/flash.html')
def test_recreate_deleted_channel(self): self.login('popular') # First, delete a channel. r = self.client.post( '/channel/popular/settings/delete', { 'actor_remove': '', 'nick': '#[email protected]', '_nonce': util.create_nonce('popular', 'actor_remove'), }) r = self.assertRedirectsPrefix(r, '/channel') self.assertContains(r, 'Deleted') # Pre-condition r = self.client.post( '/channel/create', { 'nick': '*****@*****.**', 'channel': 'popular', 'channel_create': '', '_nonce': util.create_nonce('popular', 'channel_create'), }) self.assertContains(r, 'Name of the channel is already in use') self.assertWellformed(r)
def noncached_avatar(value, args): parts = args.split(",") size = parts[0] dimensions = api.AVATAR_IMAGE_SIZES[size] tag_id = "" if len(parts) > 1: tag_id = 'id="%s"' % (parts[1]) path = avatar_url(value, size) nonce = create_nonce(value, "avatar_preview") nick = value.display_nick() return '<img src="%s?%s" class="photo" alt="%s" width="%s" height="%s" %s/>' % ( path, nonce, nick, dimensions[0], dimensions[1], tag_id)
def test_confirm(self): nonce = util.create_nonce('popular', 'entry_remove') entry = 'stream/popular%40example.com/presence/12345' path = '/user/popular/overview' r = self.login_and_get('popular', path, { 'entry_remove': entry, '_nonce': nonce }) r = self.assertRedirectsPrefix(r, '/confirm') self.assertContains(r, nonce) self.assertContains(r, entry) self.assertContains(r, path)
def test_post_message_in_personal_history(self): self.login('popular') msg = 'a post from unit test' r = self.client.post('/user/popular', {'message': msg, '_nonce': util.create_nonce('popular', 'post'), 'nick': '*****@*****.**', 'post': '', }) r = self.assertRedirectsPrefix(r, '/user/popular') self.assertContains(r, msg) self.assertContains(r, 'a moment ago') self.assertTemplateUsed(r, 'actor/templates/history.html')
def test_bad_nonces(self): fake_user = '******' action = "some_action" future_nonce = util.create_nonce(fake_user, action, offset=10) def _future_nonce(): validate.nonce( test_util.FakeRequest(user=fake_user, post={'_nonce': future_nonce}), action) self.assertRaises(exception.ValidationError, _future_nonce) def _madeup_nonce(): validate.nonce( test_util.FakeRequest(user=fake_user, post={'_nonce': 'TEST'}), action) self.assertRaises(exception.ValidationError, _madeup_nonce) notme_nonce = util.create_nonce(fake_user, action, offset=10) def _notme_nonce(): validate.nonce( test_util.FakeRequest(user='******', post={'_nonce': notme_nonce}), action) self.assertRaises(exception.ValidationError, _notme_nonce) notany_nonce = util.create_nonce(fake_user, action, offset=10) def _notany_nonce(): validate.nonce( test_util.FakeRequest( user=None, post={'_nonce': notany_nonce}, ), action) self.assertRaises(exception.ValidationError, _notany_nonce)
def render(self, context): user = self.var_user.resolve(context) view = self.var_view.resolve(context) actor = self.var_actor.resolve(context) if self.pred(user, view, actor): content = escape(self.content % actor.display_nick()) return (('<a href="?%s=&target=%s&_nonce=%s' + '&owner=%s" class="%s">%s</a>') % (self.api_call, urllib.quote(actor.nick), create_nonce(user, self.api_call), escape( view.nick), self.link_class, content)) else: return ''
def test_settings_details_bad_url(self): self.login('popular') external_url = 'javascript:alert(1);' description = 'test desc' r = self.client.post( '/channel/popular/settings/details', { 'channel_update': '', 'channel': '#[email protected]', 'description': description, 'external_url': external_url, '_nonce': util.create_nonce('popular', 'channel_update'), }) self.assertContains(r, 'Invalid url') self.assertWellformed(r)
def test_create_channel_already_exists(self): # 'Create a new channel' post doesn't really create a channel, but # shows a page that allows you to create a channel by posting a first message # to it. self.login('popular') r = self.client.post( '/channel/create', { 'nick': '*****@*****.**', 'channel': 'popular', 'channel_create': '', '_nonce': util.create_nonce('popular', 'channel_create'), }) self.assertContains(r, 'Name of the channel is already in use') self.assertWellformed(r)