def test_csrf_allows_safe(self, method):
    """A safe HTTP method passes through ``handle_csrf`` with no CSRF marker on the view.

    ``method`` is presumably supplied by a parametrization outside this span.
    ``passthrough`` stands in for the decorated handler and only invokes the
    view. There is no explicit assertion: the test passes as long as no
    exception propagates out of the wrapped call.
    """
    def passthrough(self, view, app, request, *args, **kwargs):
        return view(app, request, *args, **kwargs)

    def plain_view(app, request):
        return Response()

    app_stub = pretend.stub()
    request_stub = pretend.stub(_session={}, method=method)

    # Reaching the end without an exception is the whole check.
    handle_csrf(passthrough)(pretend.stub(), plain_view, app_stub, request_stub)
def test_csrf_already_ensured(self):
    """A view already flagged with ``_csrf`` leaves an existing session token untouched.

    The session is seeded with a ``user.csrf`` value and the request uses GET;
    after the wrapped call the session must be exactly what was seeded, i.e.
    ``handle_csrf`` neither replaced nor removed the token.
    """
    def passthrough(self, view, app, request, *args, **kwargs):
        return view(app, request, *args, **kwargs)

    def marked_view(app, request):
        return Response()

    # Marks the view as already CSRF-protected.
    marked_view._csrf = True

    seeded_session = {"user.csrf": "1234"}
    app_stub = pretend.stub()
    request_stub = pretend.stub(_session=seeded_session, method="GET")

    handle_csrf(passthrough)(pretend.stub(), marked_view, app_stub, request_stub)

    assert request_stub._session == {"user.csrf": "1234"}
def test_csrf_disallows_unsafe(self, method):
    """An unsafe HTTP method on a view with no CSRF marker is rejected.

    ``method`` is presumably supplied by a parametrization outside this span.
    ``handle_csrf`` must raise ``SecurityError`` rather than call the view,
    and the error's ``description`` must carry the expected message.
    """
    def passthrough(self, view, app, request, *args, **kwargs):
        return view(app, request, *args, **kwargs)

    def unmarked_view(app, request):
        return Response()

    app_stub = pretend.stub()
    request_stub = pretend.stub(_session={}, method=method)

    with pytest.raises(SecurityError) as excinfo:
        handle_csrf(passthrough)(pretend.stub(), unmarked_view, app_stub, request_stub)

    raised = excinfo.value
    assert raised.description == "No CSRF protection applied to view"
def test_csrf_disallows_unsafe(self, method):
    """An unsafe HTTP method on a view with no CSRF marker is rejected.

    ``method`` is presumably supplied by a parametrization outside this span.
    ``handle_csrf`` must raise ``SecurityError`` rather than call the view,
    and the error's ``description`` must carry the expected message.

    NOTE(review): a method with this exact name and body appears twice in the
    visible span; if both live in the same class the later definition shadows
    the earlier one, so only one copy actually runs.
    """
    def passthrough(self, view, app, request, *args, **kwargs):
        return view(app, request, *args, **kwargs)

    def unmarked_view(app, request):
        return Response()

    app_stub = pretend.stub()
    request_stub = pretend.stub(_session={}, method=method)

    with pytest.raises(SecurityError) as excinfo:
        handle_csrf(passthrough)(pretend.stub(), unmarked_view, app_stub, request_stub)

    assert excinfo.value.description == "No CSRF protection applied to view"
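def test_csrf_checks_csrf_unsafe(self, method):
    """An unsafe method on a CSRF-marked view runs both the origin and the token check.

    ``method`` is presumably supplied by a parametrization outside this span.
    Both verifiers are swapped for call recorders so the test can confirm that
    each one is invoked exactly once with the request. The original asserted
    ``_verify_token.calls`` twice and never looked at ``_verify_origin``, so a
    regression that silently skipped the origin check would still have passed;
    the first assertion now covers the origin recorder.
    """
    def fn(self, view, app, request, *args, **kwargs):
        return view(app, request, *args, **kwargs)

    view = lambda app, request: Response()
    # Marks the view as CSRF-protected, so the checks are expected to run.
    view._csrf = True

    app = pretend.stub()
    request = pretend.stub(_session={}, method=method)

    _verify_origin = pretend.call_recorder(lambda request: None)
    _verify_token = pretend.call_recorder(lambda request: None)

    handle_csrf(
        fn,
        _verify_origin=_verify_origin,
        _verify_token=_verify_token,
    )(pretend.stub(), view, app, request)

    # Each verifier must see the request exactly once.
    assert _verify_origin.calls == [pretend.call(request)]
    assert _verify_token.calls == [pretend.call(request)]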