More tests for the other half of CsrfMiddleware

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9552 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 01ec6d00853481deeb712a4b0819e1a2c2ed985f 1 parent f7242bb
Luke Plant authored December 02, 2008

Showing 1 changed file with 49 additions and 7 deletions. Show diff stats Hide diff stats

  1. 56  django/contrib/csrf/tests.py
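--- a/django/contrib/csrf/tests.py
+++ b/django/contrib/csrf/tests.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
 from django.test import TestCase
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest, HttpResponse, HttpResponseForbidden
 from django.contrib.csrf.middleware import CsrfMiddleware, _make_token
 from django.conf import settings
 
@@ -9,14 +9,29 @@ class CsrfMiddlewareTest(TestCase):
 
     _session_id = "1"
 
-    def _get_no_session_request(self):
+    def _get_GET_no_session_request(self):
         return HttpRequest()
 
-    def _get_session_request(self):
-        req = self._get_no_session_request()
+    def _get_GET_session_request(self):
+        req = self._get_GET_no_session_request()
         req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id
         return req
 
+    def _get_POST_session_request(self):
+        req = self._get_GET_session_request()
+        req.method = "POST"
+        return req
+
+    def _get_POST_no_session_request(self):
+        req = self._get_GET_no_session_request()
+        req.method = "POST"
+        return req
+
+    def _get_POST_session_request_with_token(self):
+        req = self._get_POST_session_request()
+        req.POST['csrfmiddlewaretoken'] = _make_token(self._session_id)
+        return req
+
     def _get_post_form_response(self):
         resp = HttpResponse(content="""
 <html><body><form method="POST"><input type="text" /></form></body></html>
@@ -31,11 +46,12 @@ def _get_new_session_response(self):
     def _check_token_present(self, response):
         self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id))
 
+    # Check the post processing
     def test_process_response_no_session(self):
         """
         Check the the post-processor does nothing if no session active
         """
-        req = self._get_no_session_request()
+        req = self._get_GET_no_session_request()
         resp = self._get_post_form_response()
         resp_content = resp.content
         resp2 = CsrfMiddleware().process_response(req, resp)
@@ -45,7 +61,7 @@ def test_process_response_existing_session(self):
         """
         Check that the token is inserted if there is an existing session
         """
-        req = self._get_session_request()
+        req = self._get_GET_session_request()
         resp = self._get_post_form_response()
         resp_content = resp.content
         resp2 = CsrfMiddleware().process_response(req, resp)
@@ -56,9 +72,35 @@ def test_process_response_new_session(self):
         """
         Check that the token is inserted if there is a new session being started
         """
-        req = self._get_no_session_request() # no session in request
+        req = self._get_GET_no_session_request() # no session in request
         resp = self._get_new_session_response() # but new session started
         resp_content = resp.content
         resp2 = CsrfMiddleware().process_response(req, resp)
         self.assertNotEqual(resp_content, resp2.content)
         self._check_token_present(resp2)
+
+    # Check the request processing
+    def test_process_request_no_session(self):
+        """
+        Check that if no session is present, the middleware does nothing.
+        to the incoming request.
+        """
+        req = self._get_POST_no_session_request()
+        req2 = CsrfMiddleware().process_request(req)
+        self.assertEquals(None, req2)
+
+    def test_process_request_session_no_token(self):
+        """
+        Check that if a session is present but no token, we get a 'forbidden'
+        """
+        req = self._get_POST_session_request()
+        req2 = CsrfMiddleware().process_request(req)
+        self.assertEquals(HttpResponseForbidden, req2.__class__)
+
+    def test_process_request_session_and_token(self):
+        """
+        Check that if a session is present and a token, the middleware lets it through
+        """
+        req = self._get_POST_session_request_with_token()
+        req2 = CsrfMiddleware().process_request(req)
+        self.assertEquals(None, req2)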
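Review bot: The request-processing tests added at the end of this section cover a missing token and a correct token but not a token that is present and wrong, so a `process_request` that only checked for the field's presence would pass all three. Add a case beside `test_process_request_session_no_token` that posts a token derived from a different session id and expects `HttpResponseForbidden`; this assumes `_make_token` varies with the session id, as its call sites suggest. The docstring of `test_process_request_no_session` is also split by a stray full stop ("does nothing. to the incoming request."). `CsrfMiddlewareTest` begins outside the visible hunks, so existing coverage there cannot be ruled out.

```python
    # … unchanged: test_process_request_session_no_token …

    def test_process_request_session_wrong_token(self):
        """
        Check that a token made for a different session id is rejected
        """
        req = self._get_POST_session_request()
        # constructed value: any session id other than self._session_id
        req.POST['csrfmiddlewaretoken'] = _make_token("2")
        req2 = CsrfMiddleware().process_request(req)
        self.assertEquals(HttpResponseForbidden, req2.__class__)
```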
