Mercurial > p > roundup > code
view test/test_anypy.py @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins all origins are allowed. When this is
done, it also added an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org) not for the wildcard.
This is now fixed for CORS preflight OPTIONS request as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | e4db9d0b85c7 |
| children | c65e0a725c88 |
line wrap: on
line source
"""Random tests for anypy modules""" import unittest from roundup.anypy.strings import repr_export, eval_import import sys _py3 = sys.version_info[0] > 2 class StringsTest(unittest.TestCase): def test_import_params(self): """ issue2551170 - handle long int in history/journal params tuple """ # python2 export with id as number val = eval_import("('issue', 2345L, 'status')") self.assertSequenceEqual(val, ('issue', 2345, 'status')) # python3 export with id as number val = eval_import("('issue', 2345, 'status')") self.assertSequenceEqual(val, ('issue', 2345, 'status')) # python2 or python3 export with id as string val = eval_import("('issue', '2345', 'status')") self.assertSequenceEqual(val, ('issue', '2345', 'status')) def test_export_params(self): """ issue2551170 - handle long int in history/journal params tuple """ # python2 export with id as number if _py3: val = repr_export(('issue', 2345, 'status')) self.assertEqual(val, "('issue', 2345, 'status')") else: val = repr_export(('issue', long(2345), 'status')) self.assertEqual(val, "('issue', 2345L, 'status')") # python2 or python3 export with id as string val = repr_export(('issue', '2345', 'status')) self.assertEqual(val, "('issue', '2345', 'status')")