def test_OAuth_signed_requests(self):
# Requests that are OAuth signed are allowed.
request = LaunchpadTestRequest(method='POST',
environ=dict(PATH_INFO='/'))
directlyProvides(request, IOAuthSignedRequest)
# this call shouldn't raise an exception
maybe_block_offsite_form_post(request)
def test_nonbrowser_requests(self):
# Requests that are from non-browsers are allowed.
class FakeNonBrowserRequest:
method = 'SOMETHING'
# this call shouldn't raise an exception
maybe_block_offsite_form_post(FakeNonBrowserRequest)
def test_nonbrowser_requests(self):
# Requests that are from non-browsers are allowed.
class FakeNonBrowserRequest:
method = 'SOMETHING'
# this call shouldn't raise an exception
maybe_block_offsite_form_post(FakeNonBrowserRequest)
def test_OAuth_signed_requests(self):
# Requests that are OAuth signed are allowed.
request = LaunchpadTestRequest(
method='POST', environ=dict(PATH_INFO='/'))
directlyProvides(request, IOAuthSignedRequest)
# this call shouldn't raise an exception
maybe_block_offsite_form_post(request)
def test_localhost_is_ok(self):
# we accept "localhost" and "localhost:9000" as valid referrers. See
# comments in the code as to why and for a related bug report.
request = LaunchpadTestRequest(
method='POST', environ=dict(PATH_INFO='/', REFERER='localhost'))
# this doesn't raise an exception
maybe_block_offsite_form_post(request)
def test_openid_callback_with_query_string(self):
# An OpenId provider (OP) may post to the +openid-callback URL with a
# query string and without a referer. These posts need to be allowed.
path_info = u'/+openid-callback?starting_url=...'
request = LaunchpadTestRequest(method='POST',
environ=dict(PATH_INFO=path_info))
# this call shouldn't raise an exception
maybe_block_offsite_form_post(request)
def test_openid_callback_with_query_string(self):
# An OpenId provider (OP) may post to the +openid-callback URL with a
# query string and without a referer. These posts need to be allowed.
path_info = u'/+openid-callback?starting_url=...'
request = LaunchpadTestRequest(
method='POST', environ=dict(PATH_INFO=path_info))
# this call shouldn't raise an exception
maybe_block_offsite_form_post(request)
def test_whitelisted_paths(self):
# There are a few whitelisted POST targets that don't require the
# referrer be LP. See comments in the code as to why and for related
# bug reports.
for path in OFFSITE_POST_WHITELIST:
request = LaunchpadTestRequest(method='POST',
environ=dict(PATH_INFO=path))
# this call shouldn't raise an exception
maybe_block_offsite_form_post(request)
def test_onsite_posts(self):
# Other than the explicit exceptions, all POSTs have to come from a
# known LP virtual host.
for hostname in allvhosts.hostnames:
referer = 'http://' + hostname + '/foo'
request = LaunchpadTestRequest(
method='POST', environ=dict(PATH_INFO='/', REFERER=referer))
# this call shouldn't raise an exception
maybe_block_offsite_form_post(request)
def test_whitelisted_paths(self):
# There are a few whitelisted POST targets that don't require the
# referrer be LP. See comments in the code as to why and for related
# bug reports.
for path in OFFSITE_POST_WHITELIST:
request = LaunchpadTestRequest(
method='POST', environ=dict(PATH_INFO=path))
# this call shouldn't raise an exception
maybe_block_offsite_form_post(request)
def test_nonPOST_requests(self):
# If the request isn't a POST it is always allowed.
request = LaunchpadTestRequest(method='SOMETHING')
maybe_block_offsite_form_post(request)
def test_nonPOST_requests(self):
# If the request isn't a POST it is always allowed.
request = LaunchpadTestRequest(method='SOMETHING')
maybe_block_offsite_form_post(request)
