Mercurial > p > roundup > code

view test/test_jinja2.py @ 8265:35beff316883

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix(api): issue2551384. Verify REST authorization earlier To reduce the ability of bad actors to spam (DOS) the REST endpoint with bad data and generate logs meant for debugging, modify the flow in client.py's REST handler to verify authorization earlier. If the anonymous user is allowed to use REST, this won't make a difference for a DOS attempt. The templates don't enable REST for the anonymous user by default. Most admins don't change this. The validation order for REST requests has been changed. CORS identfied an handled User authorization to use REST (return 403 on failure) REST request validated (Origin header valid etc.) (return 400 for bad request) Incorrectly formatted CORS preflight requests (e.g. missing Origin header) that are not recogized as a CORS request can now return HTTP status 403 as well as status 400 (when anonymous is allowed access). Note all CORS preflights are sent without authentication so appear as anonymous requests. The tests were updated to compensate, but it is not obvious to me from specs what the proper evaulation order/return codes should be for this case. Both 403/400 are failures and cause CORS to fail so there should be no difference but...
author John Rouillard <rouilj@ieee.org>
date Thu, 09 Jan 2025 09:30:08 -0500
parents d26921b851c3
children
line wrap: on
line source

#-*- encoding: utf-8 -*-
""" Testing the jinja2 templating engine of roundup-tracker.

Copyright: 2016 Intevation GmbH.
Author: Bernhard E. Reiter <bernhard@intevation.de>

This module is Free Software under the Roundup licensing of 1.5,
see the COPYING.txt file coming with Roundup.

Just a test file template for now.
"""
import shutil # only, needed for tearDown. TODO: Remove when refactored.
import unittest

from . import db_test_base

TESTSUITE_IDENTIFIER='jinja2'

class TestCase_Zero(unittest.TestCase):
    def test_zero(self):
        self.assertEqual(True, True)


class Jinja2Test(object):
    """Sets up and tears down an instance with database contents.

    Setup and teardown modelled after the use of db_test_base
    by several modules like test_xmlrpc and test_userauditor.

    TODO: Should probably be moved to a base case in db_test_base.py.
    """

    backend = None  # can be used to create tests per backend, see test_xmlrpc

    def setUp(self):
        self.dirname = '_test_' + TESTSUITE_IDENTIFIER
        self.instance = db_test_base.setupTracker(self.dirname, self.backend)
        self.db = self.instance.open('admin')

    def tearDown(self):
        self.db.close()
        try:
            shutil.rmtree(self.dirname)
        except OSError as error:
            if error.errno not in (errno.ENOENT, errno.ESRCH): raise

    def test_zero(self):
        """Do nothing just make sure that setup and teardown works."""
        pass


# only using one database backend for now, not sure if doing all
# backends will keep the test focussed enough to be useful for the used
# computing time. Would be okay to change in the future.
class anydbmJinja2Test(Jinja2Test, unittest.TestCase):
    backend = 'anydbm'

# vim: ts=4 et sts=4 sw=4 ai :
Roundup Issue Tracker: http://roundup-tracker.org/