improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

#-*- encoding: utf-8 -*-

import unittest, os, pprint, difflib, textwrap

from roundup.init import loadTemplateInfo


class TemplateInfoTestCase(unittest.TestCase):
    def testLoadTemplateInfo(self):
        path = os.path.join(os.path.dirname(__file__),
                            '../share/roundup/templates/classic')
        self.maxDiff = None
        self.assertEqual(
            loadTemplateInfo(path),
            {
              'description': textwrap.dedent('''\
                   This is a generic issue tracker that may be used to track bugs,
                                feature requests, project issues or any number of other types
                                of issues. Most users of Roundup will find that this template
                                suits them, with perhaps a few customisations.'''),
              'intended-for': 'All first-time Roundup users',
              'name': 'classic',
              'path': path
            }
        )

# vim: set et sts=4 sw=4 :