changeset 4993:0efca3ad8467
tests: provide _authentication_token when POSTing
So far not used, just preparing for the time when the actual checking is
introduced ...
This change is very verbose. self.app.post should perhaps just add this value
automagically ...
author | Mads Kiilerich <madski@unity3d.com> |
---|---|
date | Tue, 07 Apr 2015 03:30:05 +0200 |
parents | 569199be3475 |
children | ae947de541d5 |
files | kallithea/config/routing.py kallithea/controllers/login.py kallithea/tests/__init__.py kallithea/tests/functional/test_admin_auth_settings.py kallithea/tests/functional/test_admin_defaults.py kallithea/tests/functional/test_admin_gists.py kallithea/tests/functional/test_admin_permissions.py kallithea/tests/functional/test_admin_repos.py kallithea/tests/functional/test_admin_settings.py kallithea/tests/functional/test_admin_user_groups.py kallithea/tests/functional/test_admin_users.py kallithea/tests/functional/test_changeset_comments.py kallithea/tests/functional/test_files.py kallithea/tests/functional/test_forks.py kallithea/tests/functional/test_my_account.py |
diffstat | 15 files changed, 170 insertions(+), 86 deletions(-) [+] |
--- a/kallithea/config/routing.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/config/routing.py Tue Apr 07 03:30:05 2015 +0200 @@ -499,6 +499,7 @@ ) #LOGIN/LOGOUT/REGISTER/SIGN IN + rmap.connect('authentication_token', '%s/authentication_token' % ADMIN_PREFIX, controller='login', action='authentication_token') rmap.connect('login_home', '%s/login' % ADMIN_PREFIX, controller='login') rmap.connect('logout_home', '%s/logout' % ADMIN_PREFIX, controller='login', action='logout')
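Review bot: The new `rmap.connect('authentication_token', ...)` is registered unconditionally, so the token-returning action added to kallithea/controllers/login.py in this same commit is reachable in every deployment, although its docstring says it is only intended for testing. An endpoint that hands out the session's anti-CSRF token as a bare response body is a standing weakening of that protection: any cross-origin read path (a permissive CORS or crossdomain policy, a proxy that caches the response) would turn it into a bypass of the check the commit message says is about to be introduced. Consider registering the route only when a test/debug setting is enabled, or at minimum protecting the action with the project's login-required decorator so an anonymous session cannot fetch it. Whichever is chosen, the docstring in login.py should state what protects the endpoint outside the test suite.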
--- a/kallithea/controllers/login.py Tue Apr 07 03:30:05 2015 +0200
+++ b/kallithea/controllers/login.py Tue Apr 07 03:30:05 2015 +0200
@@ -270,3 +270,11 @@
session.delete()
log.info('Logging out and deleting session for user')
redirect(url('home'))
+
+ def authentication_token(self):
+ """Return the CSRF protection token for the session - just like it
+ could have been screen scrabed from a page with a form.
+ Only intended for testing but might also be useful for other kinds
+ of automation.
+ """
+ return h.authentication_token()
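Review bot: `authentication_token` returns the raw token as the response body with whatever default headers the controller gives it, so nothing stops an intermediary cache from retaining a secret that is meant to be per-session; set `response.headers['Cache-Control'] = 'no-store'` before the return (assuming the framework `response` object is available here as in sibling actions — confirm). The docstring has a typo, `screen scrabed` should read `screen scraped`, and since the token is not yet validated anywhere, a sentence saying the endpoint exists only to populate the `_authentication_token` form field in tests would help a later maintainer decide whether it survives once the check lands. The enclosing class starts outside the hunk.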
--- a/kallithea/tests/__init__.py Tue Apr 07 03:30:05 2015 +0200
+++ b/kallithea/tests/__init__.py Tue Apr 07 03:30:05 2015 +0200
@@ -213,6 +213,9 @@
def _get_logged_user(self):
return User.get_by_username(self._logged_username)

+ def authentication_token(self):
+ return self.app.get(url('authentication_token')).body
+
def checkSessionFlash(self, response, msg, skip=0):
if 'flash' not in response.session:
self.fail(safe_str(u'msg `%s` not found - session has no flash ' % msg))
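Review bot: The new `authentication_token` helper reads `.body` without pinning the status, and WebTest's `get` accepts any 2xx or 3xx by default, so a redirect to the login page or any other non-token response would be silently used as the token and every POST in the suite would then carry junk without a clear failure. Pin it with `return self.app.get(url('authentication_token'), status=200).body` so a misrouted or protected endpoint fails at the fetch rather than later in a form validation. The enclosing class starts outside the hunk.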
--- a/kallithea/tests/functional/test_admin_auth_settings.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_auth_settings.py Tue Apr 07 03:30:05 2015 +0200 @@ -6,7 +6,7 @@ def _enable_plugins(self, plugins_list): test_url = url(controller='admin/auth_settings', action='auth_settings') - params={'auth_plugins': plugins_list,} + params={'auth_plugins': plugins_list, '_authentication_token': self.authentication_token()} for plugin in plugins_list.split(','): enable = plugin.partition('kallithea.lib.auth_modules.')[-1]
--- a/kallithea/tests/functional/test_admin_defaults.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_defaults.py Tue Apr 07 03:30:05 2015 +0200 @@ -32,10 +32,12 @@ 'default_repo_enable_statistics': True, 'default_repo_private': True, 'default_repo_type': 'hg', + '_authentication_token': self.authentication_token(), } response = self.app.put(url('default', id='default'), params=params) self.checkSessionFlash(response, 'Default settings updated successfully') + params.pop('_authentication_token') defs = Setting.get_default_repo_settings() self.assertEqual(params, defs) @@ -47,20 +49,23 @@ 'default_repo_enable_statistics': False, 'default_repo_private': False, 'default_repo_type': 'git', + '_authentication_token': self.authentication_token(), } response = self.app.put(url('default', id='default'), params=params) self.checkSessionFlash(response, 'Default settings updated successfully') + + params.pop('_authentication_token') defs = Setting.get_default_repo_settings() self.assertEqual(params, defs) def test_update_browser_fakeout(self): - response = self.app.post(url('default', id=1), params=dict(_method='put')) + response = self.app.post(url('default', id=1), params=dict(_method='put', _authentication_token=self.authentication_token())) def test_delete(self): response = self.app.delete(url('default', id=1)) def test_delete_browser_fakeout(self): - response = self.app.post(url('default', id=1), params=dict(_method='delete')) + response = self.app.post(url('default', id=1), params=dict(_method='delete', _authentication_token=self.authentication_token())) def test_show(self): response = self.app.get(url('default', id=1))
--- a/kallithea/tests/functional/test_admin_gists.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_gists.py Tue Apr 07 03:30:05 2015 +0200 @@ -56,7 +56,8 @@ def test_create_missing_description(self): self.log_user() response = self.app.post(url('gists'), - params={'lifetime': -1}, status=200) + params={'lifetime': -1, '_authentication_token': self.authentication_token()}, + status=200) response.mustcontain('Missing value') @@ -66,7 +67,8 @@ params={'lifetime': -1, 'content': 'gist test', 'filename': 'foo', - 'public': 'public'}, + 'public': 'public', + '_authentication_token': self.authentication_token()}, status=302) response = response.follow() response.mustcontain('added file: foo') @@ -79,7 +81,8 @@ params={'lifetime': -1, 'content': 'gist test', 'filename': '/home/foo', - 'public': 'public'}, + 'public': 'public', + '_authentication_token': self.authentication_token()}, status=200) response.mustcontain('Filename cannot be inside a directory') @@ -98,7 +101,8 @@ params={'lifetime': -1, 'content': 'private gist test', 'filename': 'private-foo', - 'private': 'private'}, + 'private': 'private', + '_authentication_token': self.authentication_token()}, status=302) response = response.follow() response.mustcontain('added file: private-foo<') @@ -112,7 +116,8 @@ 'content': 'gist test', 'filename': 'foo-desc', 'description': 'gist-desc', - 'public': 'public'}, + 'public': 'public', + '_authentication_token': self.authentication_token()}, status=302) response = response.follow() response.mustcontain('added file: foo-desc')
--- a/kallithea/tests/functional/test_admin_permissions.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_permissions.py Tue Apr 07 03:30:05 2015 +0200 @@ -18,7 +18,8 @@ self.log_user() default_user_id = User.get_default_user().user_id response = self.app.put(url('edit_user_ips', id=default_user_id), - params=dict(new_ip='127.0.0.0/24')) + params=dict(new_ip='127.0.0.0/24', + _authentication_token=self.authentication_token())) response = self.app.get(url('admin_permissions_ips')) response.mustcontain('127.0.0.0/24') @@ -31,7 +32,8 @@ response = self.app.post(url('edit_user_ips', id=default_user_id), params=dict(_method='delete', - del_ip_id=del_ip_id)) + del_ip_id=del_ip_id, + _authentication_token=self.authentication_token())) response = self.app.get(url('admin_permissions_ips')) response.mustcontain('All IP addresses are allowed')
--- a/kallithea/tests/functional/test_admin_repos.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_repos.py Tue Apr 07 03:30:05 2015 +0200 @@ -56,7 +56,8 @@ fixture._get_repo_create_params(repo_private=False, repo_name=repo_name, repo_type=self.REPO_TYPE, - repo_description=description)) + repo_description=description, + _authentication_token=self.authentication_token())) ## run the check page that triggers the flash message response = self.app.get(url('repo_check_home', repo_name=repo_name)) self.assertEqual(response.json, {u'result': True}) @@ -96,7 +97,8 @@ fixture._get_repo_create_params(repo_private=False, repo_name=repo_name, repo_type=self.REPO_TYPE, - repo_description=description)) + repo_description=description, + _authentication_token=self.authentication_token())) ## run the check page that triggers the flash message response = self.app.get(url('repo_check_home', repo_name=repo_name)) self.assertEqual(response.json, {u'result': True}) @@ -139,7 +141,8 @@ repo_name=repo_name, repo_type=self.REPO_TYPE, repo_description=description, - repo_group=gr.group_id,)) + repo_group=gr.group_id, + _authentication_token=self.authentication_token())) ## run the check page that triggers the flash message response = self.app.get(url('repo_check_home', repo_name=repo_name_full)) self.assertEqual(response.json, {u'result': True}) @@ -177,6 +180,8 @@ def test_create_in_group_without_needed_permissions(self): usr = self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) + # avoid spurious RepoGroup DetachedInstanceError ... + authentication_token = self.authentication_token() # revoke user_model = UserModel() # disable fork and create on default user @@ -213,7 +218,8 @@ repo_name=repo_name, repo_type=self.REPO_TYPE, repo_description=description, - repo_group=gr.group_id,)) + repo_group=gr.group_id, + _authentication_token=authentication_token)) response.mustcontain('Invalid value') 
@@ -226,7 +232,8 @@ repo_name=repo_name, repo_type=self.REPO_TYPE, repo_description=description, - repo_group=gr_allowed.group_id,)) + repo_group=gr_allowed.group_id, + _authentication_token=authentication_token)) ## run the check page that triggers the flash message response = self.app.get(url('repo_check_home', repo_name=repo_name_full)) @@ -287,7 +294,8 @@ repo_type=self.REPO_TYPE, repo_description=description, repo_group=gr.group_id, - repo_copy_permissions=True)) + repo_copy_permissions=True, + _authentication_token=self.authentication_token())) ## run the check page that triggers the flash message response = self.app.get(url('repo_check_home', repo_name=repo_name_full)) @@ -338,7 +346,8 @@ repo_name=repo_name, repo_type=self.REPO_TYPE, repo_description=description, - clone_uri='http://127.0.0.1/repo')) + clone_uri='http://127.0.0.1/repo', + _authentication_token=self.authentication_token())) response.mustcontain('invalid clone URL') @@ -351,7 +360,8 @@ repo_name=repo_name, repo_type=self.REPO_TYPE, repo_description=description, - clone_uri='svn+http://127.0.0.1/repo')) + clone_uri='svn+http://127.0.0.1/repo', + _authentication_token=self.authentication_token())) response.mustcontain('invalid clone URL') @@ -363,7 +373,8 @@ fixture._get_repo_create_params(repo_private=False, repo_type=self.REPO_TYPE, repo_name=repo_name, - repo_description=description)) + repo_description=description, + _authentication_token=self.authentication_token())) ## run the check page that triggers the flash message response = self.app.get(url('repo_check_home', repo_name=repo_name)) self.checkSessionFlash(response, 
@@ -413,7 +424,8 @@ fixture._get_repo_create_params(repo_private=False, repo_name=repo_name, repo_type=self.REPO_TYPE, - repo_description=description)) + repo_description=description, + _authentication_token=self.authentication_token())) ## run the check page that triggers the flash message response = self.app.get(url('repo_check_home', repo_name=repo_name)) self.assertEqual(response.json, {u'result': True}) @@ -457,7 +469,7 @@ def test_delete_browser_fakeout(self): response = self.app.post(url('repo', repo_name=self.REPO), - params=dict(_method='delete')) + params=dict(_method='delete', _authentication_token=self.authentication_token())) def test_show(self): self.log_user() @@ -478,7 +490,8 @@ fixture._get_repo_create_params(repo_private=1, repo_name=self.REPO, repo_type=self.REPO_TYPE, - user=TEST_USER_ADMIN_LOGIN)) + user=TEST_USER_ADMIN_LOGIN, + _authentication_token=self.authentication_token())) self.checkSessionFlash(response, msg='Repository %s updated successfully' % (self.REPO)) self.assertEqual(Repository.get_by_repo_name(self.REPO).private, True) @@ -492,7 +505,8 @@ fixture._get_repo_create_params(repo_private=False, repo_name=self.REPO, repo_type=self.REPO_TYPE, - user=TEST_USER_ADMIN_LOGIN)) + user=TEST_USER_ADMIN_LOGIN, + _authentication_token=self.authentication_token())) self.checkSessionFlash(response, msg='Repository %s updated successfully' % (self.REPO)) self.assertEqual(Repository.get_by_repo_name(self.REPO).private, False) @@ -521,7 +535,7 @@ repo = Repository.get_by_repo_name(self.REPO) repo2 = Repository.get_by_repo_name(other_repo) response = self.app.put(url('edit_repo_advanced_fork', repo_name=self.REPO), - params=dict(id_fork_of=repo2.repo_id)) + params=dict(id_fork_of=repo2.repo_id, _authentication_token=self.authentication_token())) repo = Repository.get_by_repo_name(self.REPO) repo2 = Repository.get_by_repo_name(other_repo) self.checkSessionFlash(response, 
@@ -542,7 +556,7 @@ repo = Repository.get_by_repo_name(self.REPO) repo2 = Repository.get_by_repo_name(self.OTHER_TYPE_REPO) response = self.app.put(url('edit_repo_advanced_fork', repo_name=self.REPO), - params=dict(id_fork_of=repo2.repo_id)) + params=dict(id_fork_of=repo2.repo_id, _authentication_token=self.authentication_token())) repo = Repository.get_by_repo_name(self.REPO) repo2 = Repository.get_by_repo_name(self.OTHER_TYPE_REPO) self.checkSessionFlash(response, @@ -552,7 +566,7 @@ self.log_user() ## mark it as None response = self.app.put(url('edit_repo_advanced_fork', repo_name=self.REPO), - params=dict(id_fork_of=None)) + params=dict(id_fork_of=None, _authentication_token=self.authentication_token())) repo = Repository.get_by_repo_name(self.REPO) repo2 = Repository.get_by_repo_name(self.OTHER_TYPE_REPO) self.checkSessionFlash(response, @@ -564,7 +578,7 @@ self.log_user() repo = Repository.get_by_repo_name(self.REPO) response = self.app.put(url('edit_repo_advanced_fork', repo_name=self.REPO), - params=dict(id_fork_of=repo.repo_id)) + params=dict(id_fork_of=repo.repo_id, _authentication_token=self.authentication_token())) self.checkSessionFlash(response, 'An error occurred during this operation') @@ -594,7 +608,8 @@ fixture._get_repo_create_params(repo_private=False, repo_name=repo_name, repo_type=self.REPO_TYPE, - repo_description=description)) + repo_description=description, + _authentication_token=self.authentication_token())) response.mustcontain('no permission to create repository in root location') @@ -611,7 +626,8 @@ fixture._get_repo_create_params(repo_private=False, repo_name=repo_name, repo_type=self.REPO_TYPE, - repo_description=description)) + repo_description=description, + _authentication_token=self.authentication_token())) self.checkSessionFlash(response, 'Error creating repository %s' % repo_name)
--- a/kallithea/tests/functional/test_admin_settings.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_settings.py Tue Apr 07 03:30:05 2015 +0200 @@ -37,7 +37,8 @@ self.log_user() response = self.app.post(url('admin_settings_hooks'), params=dict(new_hook_ui_key='test_hooks_1', - new_hook_ui_value='cd /tmp')) + new_hook_ui_value='cd /tmp', + _authentication_token=self.authentication_token())) response = response.follow() response.mustcontain('test_hooks_1') @@ -47,7 +48,8 @@ self.log_user() response = self.app.post(url('admin_settings_hooks'), params=dict(new_hook_ui_key='test_hooks_2', - new_hook_ui_value='cd /tmp2')) + new_hook_ui_value='cd /tmp2', + _authentication_token=self.authentication_token())) response = response.follow() response.mustcontain('test_hooks_2') @@ -56,7 +58,7 @@ hook_id = Ui.get_by_key('test_hooks_2').ui_id ## delete self.app.post(url('admin_settings_hooks'), - params=dict(hook_id=hook_id)) + params=dict(hook_id=hook_id, _authentication_token=self.authentication_token())) response = self.app.get(url('admin_settings_hooks')) response.mustcontain(no=['test_hooks_2']) response.mustcontain(no=['cd /tmp2']) @@ -80,6 +82,7 @@ ga_code=new_ga_code, captcha_private_key='', captcha_public_key='', + _authentication_token=self.authentication_token(), )) self.checkSessionFlash(response, 'Updated application settings') @@ -101,6 +104,7 @@ ga_code=new_ga_code, captcha_private_key='', captcha_public_key='', + _authentication_token=self.authentication_token(), )) self.checkSessionFlash(response, 'Updated application settings') @@ -121,6 +125,7 @@ ga_code=new_ga_code, captcha_private_key='1234567890', captcha_public_key='1234567890', + _authentication_token=self.authentication_token(), )) self.checkSessionFlash(response, 'Updated application settings') 
@@ -141,6 +146,7 @@ ga_code=new_ga_code, captcha_private_key='', captcha_public_key='1234567890', + _authentication_token=self.authentication_token(), )) self.checkSessionFlash(response, 'Updated application settings') @@ -163,6 +169,7 @@ ga_code='', captcha_private_key='', captcha_public_key='', + _authentication_token=self.authentication_token(), )) self.checkSessionFlash(response, 'Updated application settings')
--- a/kallithea/tests/functional/test_admin_user_groups.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_user_groups.py Tue Apr 07 03:30:05 2015 +0200 @@ -19,7 +19,8 @@ response = self.app.post(url('users_groups'), {'users_group_name': users_group_name, 'user_group_description': 'DESC', - 'active': True}) + 'active': True, + '_authentication_token': self.authentication_token()}) response.follow() self.checkSessionFlash(response, @@ -35,7 +36,7 @@ def test_update_browser_fakeout(self): response = self.app.post(url('users_group', id=1), - params=dict(_method='put')) + params=dict(_method='put', _authentication_token=self.authentication_token())) def test_delete(self): self.log_user() @@ -43,7 +44,8 @@ response = self.app.post(url('users_groups'), {'users_group_name':users_group_name, 'user_group_description': 'DESC', - 'active': True}) + 'active': True, + '_authentication_token': self.authentication_token()}) response.follow() self.checkSessionFlash(response, @@ -65,7 +67,8 @@ response = self.app.post(url('users_groups'), {'users_group_name': users_group_name, 'user_group_description': 'DESC', - 'active': True}) + 'active': True, + '_authentication_token': self.authentication_token()}) response.follow() ug = UserGroup.get_by_group_name(users_group_name) @@ -74,8 +77,8 @@ ## ENABLE REPO CREATE ON A GROUP response = self.app.put(url('edit_user_group_default_perms', id=ug.users_group_id), - {'create_repo_perm': True}) - + {'create_repo_perm': True, + '_authentication_token': self.authentication_token()}) response.follow() ug = UserGroup.get_by_group_name(users_group_name) p = Permission.get_by_key('hg.create.repository') @@ -135,7 +138,8 @@ response = self.app.post(url('users_groups'), {'users_group_name': users_group_name, 'user_group_description': 'DESC', - 'active': True}) + 'active': True, + '_authentication_token': self.authentication_token()}) response.follow() ug = UserGroup.get_by_group_name(users_group_name) 
@@ -144,7 +148,7 @@ ## ENABLE REPO CREATE ON A GROUP response = self.app.put(url('edit_user_group_default_perms', id=ug.users_group_id), - {'fork_repo_perm': True}) + {'fork_repo_perm': True, '_authentication_token': self.authentication_token()}) response.follow() ug = UserGroup.get_by_group_name(users_group_name) @@ -204,7 +208,7 @@ def test_delete_browser_fakeout(self): response = self.app.post(url('users_group', id=1), - params=dict(_method='delete')) + params=dict(_method='delete', _authentication_token=self.authentication_token())) def test_show(self): response = self.app.get(url('users_group', id=1))
--- a/kallithea/tests/functional/test_admin_users.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_admin_users.py Tue Apr 07 03:30:05 2015 +0200 @@ -58,7 +58,8 @@ 'lastname': lastname, 'extern_name': 'internal', 'extern_type': 'internal', - 'email': email}) + 'email': email, + '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, '''Created user <a href="/_admin/users/''') self.checkSessionFlash(response, '''/edit">%s</a>''' % (username)) @@ -89,7 +90,8 @@ 'name': name, 'active': False, 'lastname': lastname, - 'email': email}) + 'email': email, + '_authentication_token': self.authentication_token()}) msg = validators.ValidUsername(False, {})._messages['system_invalid_username'] msg = h.html_escape(msg % {'username': 'new_user'}) @@ -145,8 +147,10 @@ # logged in yet his data is not filled # so we use creation data + params.update({'_authentication_token': self.authentication_token()}) response = self.app.put(url('user', id=usr.user_id), params) self.checkSessionFlash(response, 'User updated successfully') + params.pop('_authentication_token') updated_user = User.get_by_username(self.test_user_1) updated_params = updated_user.get_api_data(True) @@ -266,7 +270,8 @@ response = self.app.post(url('edit_user_perms', id=uid), params=dict(_method='put', - create_repo_perm=True)) + create_repo_perm=True, + _authentication_token=self.authentication_token())) perm_none = Permission.get_by_key('hg.create.none') perm_create = Permission.get_by_key('hg.create.repository') @@ -295,7 +300,7 @@ self.assertEqual(UserModel().has_perm(user, perm_create), False) response = self.app.post(url('edit_user_perms', id=uid), - params=dict(_method='put')) + params=dict(_method='put', _authentication_token=self.authentication_token())) perm_none = Permission.get_by_key('hg.create.none') perm_create = Permission.get_by_key('hg.create.repository') 
@@ -325,7 +330,8 @@ response = self.app.post(url('edit_user_perms', id=uid), params=dict(_method='put', - create_repo_perm=True)) + create_repo_perm=True, + _authentication_token=self.authentication_token())) perm_none = Permission.get_by_key('hg.create.none') perm_create = Permission.get_by_key('hg.create.repository') @@ -354,7 +360,7 @@ self.assertEqual(UserModel().has_perm(user, perm_fork), False) response = self.app.post(url('edit_user_perms', id=uid), - params=dict(_method='put')) + params=dict(_method='put', _authentication_token=self.authentication_token())) perm_none = Permission.get_by_key('hg.create.none') perm_create = Permission.get_by_key('hg.create.repository') @@ -386,7 +392,7 @@ user_id = user.user_id response = self.app.put(url('edit_user_ips', id=user_id), - params=dict(new_ip=ip)) + params=dict(new_ip=ip, _authentication_token=self.authentication_token())) if failure: self.checkSessionFlash(response, 'Please enter a valid IPv4 or IpV6 address') @@ -419,7 +425,7 @@ response.mustcontain(ip_range) self.app.post(url('edit_user_ips', id=user_id), - params=dict(_method='delete', del_ip_id=new_ip_id)) + params=dict(_method='delete', del_ip_id=new_ip_id, _authentication_token=self.authentication_token())) response = self.app.get(url('edit_user_ips', id=user_id)) response.mustcontain('All IP addresses are allowed') @@ -445,7 +451,7 @@ user_id = user.user_id response = self.app.post(url('edit_user_api_keys', id=user_id), - {'_method': 'put', 'description': desc, 'lifetime': lifetime}) + {'_method': 'put', 'description': desc, 'lifetime': lifetime, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully created') try: response = response.follow() 
@@ -463,7 +469,7 @@ user_id = user.user_id response = self.app.post(url('edit_user_api_keys', id=user_id), - {'_method': 'put', 'description': 'desc', 'lifetime': -1}) + {'_method': 'put', 'description': 'desc', 'lifetime': -1, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully created') response = response.follow() @@ -472,7 +478,7 @@ self.assertEqual(1, len(keys)) response = self.app.post(url('edit_user_api_keys', id=user_id), - {'_method': 'delete', 'del_api_key': keys[0].api_key}) + {'_method': 'delete', 'del_api_key': keys[0].api_key, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully deleted') keys = UserApiKeys.query().filter(UserApiKeys.user_id == user_id).all() self.assertEqual(0, len(keys)) @@ -487,7 +493,7 @@ response.mustcontain('expires: never') response = self.app.post(url('edit_user_api_keys', id=user_id), - {'_method': 'delete', 'del_api_key_builtin': api_key}) + {'_method': 'delete', 'del_api_key_builtin': api_key, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully reset') response = response.follow() response.mustcontain(no=[api_key])
--- a/kallithea/tests/functional/test_changeset_comments.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_changeset_comments.py Tue Apr 07 03:30:05 2015 +0200 @@ -29,7 +29,7 @@ rev = '27cd5cce30c96924232dffcd24178a07ffeb5dfc' text = u'CommentOnRevision' - params = {'text': text} + params = {'text': text, '_authentication_token': self.authentication_token()} response = self.app.post(url(controller='changeset', action='comment', repo_name=HG_REPO, revision=rev), params=params) @@ -66,7 +66,7 @@ f_path = 'vcs/web/simplevcs/views/repository.py' line = 'n1' - params = {'text': text, 'f_path': f_path, 'line': line} + params = {'text': text, 'f_path': f_path, 'line': line, '_authentication_token': self.authentication_token()} response = self.app.post(url(controller='changeset', action='comment', repo_name=HG_REPO, revision=rev), params=params) @@ -106,7 +106,7 @@ rev = '27cd5cce30c96924232dffcd24178a07ffeb5dfc' text = u'@test_regular check CommentOnRevision' - params = {'text':text} + params = {'text': text, '_authentication_token': self.authentication_token()} response = self.app.post(url(controller='changeset', action='comment', repo_name=HG_REPO, revision=rev), params=params) @@ -134,7 +134,7 @@ rev = '27cd5cce30c96924232dffcd24178a07ffeb5dfc' text = u'CommentOnRevision' - params = {'text': text} + params = {'text': text, '_authentication_token': self.authentication_token()} response = self.app.post(url(controller='changeset', action='comment', repo_name=HG_REPO, revision=rev), params=params)
--- a/kallithea/tests/functional/test_files.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_files.py Tue Apr 07 03:30:05 2015 +0200 @@ -328,7 +328,8 @@ repo_name=HG_REPO, revision='tip', f_path='/'), params={ - 'content': '' + 'content': '', + '_authentication_token': self.authentication_token(), }, status=302) @@ -340,7 +341,8 @@ repo_name=HG_REPO, revision='tip', f_path='/'), params={ - 'content': "foo" + 'content': "foo", + '_authentication_token': self.authentication_token(), }, status=302) @@ -359,7 +361,8 @@ params={ 'content': "foo", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) @@ -379,7 +382,8 @@ params={ 'content': "foo", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) try: @@ -401,7 +405,8 @@ repo_name=GIT_REPO, revision='tip', f_path='/'), params={ - 'content': '' + 'content': '', + '_authentication_token': self.authentication_token(), }, status=302) self.checkSessionFlash(response, 'No content') @@ -412,7 +417,8 @@ repo_name=GIT_REPO, revision='tip', f_path='/'), params={ - 'content': "foo" + 'content': "foo", + '_authentication_token': self.authentication_token(), }, status=302) @@ -431,7 +437,8 @@ params={ 'content': "foo", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) @@ -451,7 +458,8 @@ params={ 'content': "foo", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) try: @@ -480,7 +488,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() 
@@ -510,7 +519,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() @@ -524,6 +534,7 @@ params={ 'content': "def py():\n print 'hello world'\n", 'message': 'i commited', + '_authentication_token': self.authentication_token(), }, status=302) self.checkSessionFlash(response, @@ -551,7 +562,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() @@ -581,7 +593,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() @@ -595,6 +608,7 @@ params={ 'content': "def py():\n print 'hello world'\n", 'message': 'i commited', + '_authentication_token': self.authentication_token(), }, status=302) self.checkSessionFlash(response, @@ -622,7 +636,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() @@ -652,7 +667,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() @@ -665,6 +681,7 @@ f_path='vcs/nodes.py'), params={ 'message': 'i commited', + '_authentication_token': self.authentication_token(), }, status=302) self.checkSessionFlash(response, @@ -692,7 +709,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() 
@@ -722,7 +740,8 @@ params={ 'content': "def py():\n print 'hello'\n", 'filename': filename, - 'location': location + 'location': location, + '_authentication_token': self.authentication_token(), }, status=302) response.follow() @@ -735,6 +754,7 @@ f_path='vcs/nodes.py'), params={ 'message': 'i commited', + '_authentication_token': self.authentication_token(), }, status=302) self.checkSessionFlash(response,
--- a/kallithea/tests/functional/test_forks.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_forks.py Tue Apr 07 03:30:05 2015 +0200 @@ -60,7 +60,7 @@ # try create a fork repo_name = self.REPO self.app.post(url(controller='forks', action='fork_create', - repo_name=repo_name), {}, status=403) + repo_name=repo_name), {'_authentication_token': self.authentication_token()}, status=403) def test_index_with_fork(self): self.log_user() @@ -77,7 +77,8 @@ 'repo_type': self.REPO_TYPE, 'description': description, 'private': 'False', - 'landing_rev': 'rev:tip'} + 'landing_rev': 'rev:tip', + '_authentication_token': self.authentication_token()} self.app.post(url(controller='forks', action='fork_create', repo_name=repo_name), creation_args) @@ -108,7 +109,8 @@ 'repo_type': self.REPO_TYPE, 'description': description, 'private': 'False', - 'landing_rev': 'rev:tip'} + 'landing_rev': 'rev:tip', + '_authentication_token': self.authentication_token()} self.app.post(url(controller='forks', action='fork_create', repo_name=repo_name), creation_args) repo = Repository.get_by_repo_name(fork_name_full) @@ -150,7 +152,8 @@ 'repo_type': self.REPO_TYPE, 'description': description, 'private': 'False', - 'landing_rev': 'rev:tip'} + 'landing_rev': 'rev:tip', + '_authentication_token': self.authentication_token()} self.app.post(url(controller='forks', action='fork_create', repo_name=repo_name), creation_args) repo = Repository.get_by_repo_name(self.REPO_FORK)
--- a/kallithea/tests/functional/test_my_account.py Tue Apr 07 03:30:05 2015 +0200 +++ b/kallithea/tests/functional/test_my_account.py Tue Apr 07 03:30:05 2015 +0200 @@ -50,7 +50,7 @@ response = self.app.get(url('my_account_emails')) response.mustcontain('No additional emails specified') response = self.app.post(url('my_account_emails'), - {'new_email': TEST_USER_REGULAR_EMAIL}) + {'new_email': TEST_USER_REGULAR_EMAIL, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'This e-mail address is already taken') def test_my_account_my_emails_add_mising_email_in_form(self): @@ -66,7 +66,7 @@ response.mustcontain('No additional emails specified') response = self.app.post(url('my_account_emails'), - {'new_email': 'foo@barz.com'}) + {'new_email': 'foo@barz.com', '_authentication_token': self.authentication_token()}) response = self.app.get(url('my_account_emails')) @@ -79,7 +79,7 @@ response.mustcontain('<input id="del_email_id" name="del_email_id" type="hidden" value="%s" />' % email_id) response = self.app.post(url('my_account_emails'), - {'del_email_id': email_id, '_method': 'delete'}) + {'del_email_id': email_id, '_method': 'delete', '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Removed email from user') response = self.app.get(url('my_account_emails')) response.mustcontain('No additional emails specified') @@ -114,6 +114,7 @@ params.update({'new_password': ''}) params.update({'extern_type': 'internal'}) params.update({'extern_name': self.test_user_1}) + params.update({'_authentication_token': self.authentication_token()}) params.update(attrs) response = self.app.post(url('my_account'), params) @@ -142,6 +143,7 @@ #my account cannot make you an admin ! params['admin'] = False + params.pop('_authentication_token') self.assertEqual(params, updated_params) def test_my_account_update_err_email_exists(self): 
@@ -155,7 +157,8 @@ password_confirmation='test122', firstname='NewName', lastname='NewLastname', - email=new_email,) + email=new_email, + _authentication_token=self.authentication_token()) ) response.mustcontain('This e-mail address is already taken') @@ -171,7 +174,8 @@ password_confirmation='test122', firstname='NewName', lastname='NewLastname', - email=new_email,)) + email=new_email, + _authentication_token=self.authentication_token())) response.mustcontain('An email address must contain a single @') from kallithea.model import validators @@ -196,7 +200,7 @@ usr = self.log_user('test_regular2', 'test12') user = User.get(usr['user_id']) response = self.app.post(url('my_account_api_keys'), - {'description': desc, 'lifetime': lifetime}) + {'description': desc, 'lifetime': lifetime, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully created') try: response = response.follow() @@ -212,7 +216,7 @@ usr = self.log_user('test_regular2', 'test12') user = User.get(usr['user_id']) response = self.app.post(url('my_account_api_keys'), - {'description': 'desc', 'lifetime': -1}) + {'description': 'desc', 'lifetime': -1, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully created') response = response.follow() @@ -221,7 +225,7 @@ self.assertEqual(1, len(keys)) response = self.app.post(url('my_account_api_keys'), - {'_method': 'delete', 'del_api_key': keys[0].api_key}) + {'_method': 'delete', 'del_api_key': keys[0].api_key, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully deleted') keys = UserApiKeys.query().all() self.assertEqual(0, len(keys)) 
@@ -236,7 +240,7 @@ response.mustcontain('expires: never') response = self.app.post(url('my_account_api_keys'), - {'_method': 'delete', 'del_api_key_builtin': api_key}) + {'_method': 'delete', 'del_api_key_builtin': api_key, '_authentication_token': self.authentication_token()}) self.checkSessionFlash(response, 'Api key successfully reset') response = response.follow() response.mustcontain(no=[api_key])