Mercurial > p > roundup > code

annotate test/test_userauditor.py @ 4880:ca692423e401

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Different approach to fix XSS in issue2550817 Encapsulate the error/ok message append method as add_ok_message and add_error_message. The new approach escapes the messages when appending -- at a point in the code where we still know where the message comes from. Escaping is the default but can bei turned off. This also fixes issue2550836 where certain messages may contain links. Another advantage of the new fix is that users don't need to change installed trackers and are secure by default.
author Ralf Schlatterbeck <rsc@runtux.com>
date Mon, 31 Mar 2014 18:19:23 +0200
parents 6e9b9743de89
children 380d8d8b30a3
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3873
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
1 import os, unittest, shutil
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
2 from db_test_base import setupTracker
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
3
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
4 class UserAuditorTest(unittest.TestCase):
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
5 def setUp(self):
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
6 self.dirname = '_test_user_auditor'
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
7 self.instance = setupTracker(self.dirname)
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
8 self.db = self.instance.open('admin')
4781
6e9b9743de89 Implementation for:
John Rouillard <rouilj@ieee.org>
parents: 4570
diff changeset
9 self.db.tx_Source = "cli"
3873
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
10
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
11 try:
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
12 import pytz
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
13 self.pytz = True
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
14 except ImportError:
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
15 self.pytz = False
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
16
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
17 self.db.user.create(username='kyle', address='kyle@example.com',
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
18 realname='Kyle Broflovski', roles='User')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
19
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
20 def tearDown(self):
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
21 self.db.close()
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
22 try:
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
23 shutil.rmtree(self.dirname)
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
24 except OSError, error:
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
25 if error.errno not in (errno.ENOENT, errno.ESRCH): raise
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
26
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
27 def testBadTimezones(self):
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
28 self.assertRaises(ValueError, self.db.user.create, username='eric', timezone='24')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
29
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
30 userid = self.db.user.lookup('kyle')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
31
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
32 self.assertRaises(ValueError, self.db.user.set, userid, timezone='3000')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
33 self.assertRaises(ValueError, self.db.user.set, userid, timezone='24')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
34 self.assertRaises(ValueError, self.db.user.set, userid, timezone='-24')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
35 self.assertRaises(ValueError, self.db.user.set, userid, timezone='-3000')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
36
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
37 if self.pytz:
4087
1d0d1921f083 Adjust to interface change in pytz.
Stefan Seefeld <stefan@seefeld.name>
parents: 3902
diff changeset
38 try:
1d0d1921f083 Adjust to interface change in pytz.
Stefan Seefeld <stefan@seefeld.name>
parents: 3902
diff changeset
39 from pytz import UnknownTimeZoneError
1d0d1921f083 Adjust to interface change in pytz.
Stefan Seefeld <stefan@seefeld.name>
parents: 3902
diff changeset
40 except:
1d0d1921f083 Adjust to interface change in pytz.
Stefan Seefeld <stefan@seefeld.name>
parents: 3902
diff changeset
41 UnknownTimeZoneError = ValueError
1d0d1921f083 Adjust to interface change in pytz.
Stefan Seefeld <stefan@seefeld.name>
parents: 3902
diff changeset
42 self.assertRaises(UnknownTimeZoneError, self.db.user.set, userid, timezone='MiddleOf/Nowhere')
3873
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
43
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
44 def testGoodTimezones(self):
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
45 self.db.user.create(username='test_user01', timezone='12')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
46
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
47 if self.pytz:
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
48 self.db.user.create(username='test_user02', timezone='MST')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
49
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
50 userid = self.db.user.lookup('kyle')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
51
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
52 # TODO: roundup should accept non-integer offsets since those are valid
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
53 # this is the offset for Tehran, Iran
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
54 #self.db.user.set(userid, timezone='3.5')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
55
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
56 self.db.user.set(userid, timezone='-23')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
57 self.db.user.set(userid, timezone='23')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
58 self.db.user.set(userid, timezone='0')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
59
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
60 if self.pytz:
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
61 self.db.user.set(userid, timezone='US/Eastern')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
62
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
63 def testBadEmailAddresses(self):
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
64 userid = self.db.user.lookup('kyle')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
65 self.assertRaises(ValueError, self.db.user.set, userid, address='kyle @ example.com')
3902
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
66 self.assertRaises(ValueError, self.db.user.set, userid, address='one@example.com,two@example.com')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
67 self.assertRaises(ValueError, self.db.user.set, userid, address='weird@@example.com')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
68 self.assertRaises(ValueError, self.db.user.set, userid, address='embedded\nnewline@example.com')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
69 # verify that we check alternates as well
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
70 self.assertRaises(ValueError, self.db.user.set, userid, alternate_addresses='kyle @ example.com')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
71 # make sure we accept local style addresses
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
72 self.db.user.set(userid, address='kyle')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
73 # verify we are case insensitive
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
74 self.db.user.set(userid, address='kyle@EXAMPLE.COM')
3873
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
75
3888
4fcf7a52767e fix [SF#611787]: ensure unique email addresses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3874
diff changeset
76 def testUniqueEmailAddresses(self):
3902
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
77 self.db.user.create(username='kenny', address='kenny@example.com', alternate_addresses='sp_ken@example.com')
3888
4fcf7a52767e fix [SF#611787]: ensure unique email addresses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3874
diff changeset
78 self.assertRaises(ValueError, self.db.user.create, username='test_user01', address='kenny@example.com')
4fcf7a52767e fix [SF#611787]: ensure unique email addresses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3874
diff changeset
79 uid = self.db.user.create(username='eric', address='eric@example.com')
4fcf7a52767e fix [SF#611787]: ensure unique email addresses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3874
diff changeset
80 self.assertRaises(ValueError, self.db.user.set, uid, address='kenny@example.com')
4fcf7a52767e fix [SF#611787]: ensure unique email addresses
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3874
diff changeset
81
3902
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
82 # make sure we check alternates
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
83 self.assertRaises(ValueError, self.db.user.set, uid, address='kenny@example.com')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
84 self.assertRaises(ValueError, self.db.user.set, uid, address='sp_ken@example.com')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
85 self.assertRaises(ValueError, self.db.user.set, uid, alternate_addresses='kenny@example.com')
21420ba64b0d fuller email validition (request [SF#216291])
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3888
diff changeset
86
3873
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
87 def testBadRoles(self):
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
88 userid = self.db.user.lookup('kyle')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
89 self.assertRaises(ValueError, self.db.user.set, userid, roles='BadRole')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
90 self.assertRaises(ValueError, self.db.user.set, userid, roles='User,BadRole')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
91
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
92 def testGoodRoles(self):
3874
4c8d853017f2 strip rolename & fix rolename unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3873
diff changeset
93 userid = self.db.user.lookup('kyle')
3873
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
94 # make sure we handle commas in weird places
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
95 self.db.user.set(userid, roles='User,')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
96 self.db.user.set(userid, roles=',User')
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
97 # make sure we strip whitespace
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
98 self.db.user.set(userid, roles=' User ')
3874
4c8d853017f2 strip rolename & fix rolename unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3873
diff changeset
99 # check for all-whitespace (treat as no role)
4c8d853017f2 strip rolename & fix rolename unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents: 3873
diff changeset
100 self.db.user.set(userid, roles=' ')
3873
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
101
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
102 def test_suite():
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
103 suite = unittest.TestSuite()
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
104 suite.addTest(unittest.makeSuite(UserAuditorTest))
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
105 return suite
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
106
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
107 if __name__ == '__main__':
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
108 runner = unittest.TextTestRunner()
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
109 unittest.main(testRunner=runner)
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
110
4d1928ce993e more small userauditor changes and a unittest
Justus Pendleton <jpend@users.sourceforge.net>
parents:
diff changeset
111 # vim: filetype=python sts=4 sw=4 et si
Roundup Issue Tracker: http://roundup-tracker.org/