comparison test/test_cgi.py @ 4088:34434785f308

Plug a number of security holes: - EditCSV and ExportCSV altered to include permission checks - HTTP POST required on actions which alter data - HTML file uploads served as application/octet-stream - New item action rejects creation of new users - Item retirement was not being controlled. Additionally include documentation of the changes and modify affected tests.
author Richard Jones <richard@users.sourceforge.net>
date Thu, 12 Mar 2009 02:25:03 +0000
parents efcea2fe69be
children 6441ffe588f7
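--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -83,12 +83,12 @@
 classes = '|'.join(self.db.classes.keys())
 self.FV_SPECIAL = re.compile(FormParser.FV_LABELS%classes,
 re.VERBOSE)
 
 def parseForm(self, form, classname='test', nodeid=None):
-cl = client.Client(self.instance, None, {'PATH_INFO':'/'},
-makeForm(form))
+cl = client.Client(self.instance, None, {'PATH_INFO':'/',
+'REQUEST_METHOD':'POST'}, makeForm(form))
 cl.classname = classname
 cl.nodeid = nodeid
 cl.language = ('en',)
 cl.db = self.db
 return cl.parsePropsFromForm(create=1)
@@ -613,12 +613,12 @@
 #
 # SECURITY
 #
 # XXX test all default permissions
 def _make_client(self, form, classname='user', nodeid='2', userid='2'):
-cl = client.Client(self.instance, None, {'PATH_INFO':'/'},
-makeForm(form))
+cl = client.Client(self.instance, None, {'PATH_INFO':'/',
+'REQUEST_METHOD':'POST'}, makeForm(form))
 cl.classname = 'user'
 cl.nodeid = '1'
 cl.db = self.db
 cl.userid = '2'
 cl.language = ('en',)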
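Review bot: `_make_client` still ignores its `classname`, `nodeid` and `userid` parameters — new-side lines 620–623 hard-code `'user'`, `'1'` and `'2'`, and the `nodeid='2'` default never matches the `'1'` actually assigned — so every permission test built on this helper runs as user 2 against user node 1 and cannot exercise the EditCSV/ExportCSV or retirement checks this commit adds for other classes or items. Replace the three assignments with `cl.classname = classname`, `cl.nodeid = nodeid` and `cl.userid = userid`, and change the signature default to `nodeid='1'` so existing callers that pass nothing keep their current behaviour. Both helpers now send `'REQUEST_METHOD':'POST'`, but no test visible in this section asserts that a GET to a data-altering action is refused, which is the new check the commit introduces; one case building a client with `'REQUEST_METHOD':'GET'` and expecting rejection would pin it. The body of `_make_client` continues past the end of this hunk.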
