272 |
272 |
273 |
273 |
274 def _test_cleaned(self, kwargs, injected, cleaned): |
274 def _test_cleaned(self, kwargs, injected, cleaned): |
275 req = self.request(**kwargs) |
275 req = self.request(**kwargs) |
276 page = self.app.publish('view', req) |
276 page = self.app.publish('view', req) |
277 self.failIf(injected in page, (kwargs, injected)) |
277 self.assertFalse(injected in page, (kwargs, injected)) |
278 self.failUnless(cleaned in page, (kwargs, cleaned)) |
278 self.assertTrue(cleaned in page, (kwargs, cleaned)) |
279 |
279 |
280 def test_nonregr_script_kiddies(self): |
280 def test_nonregr_script_kiddies(self): |
281 """test against current script injection""" |
281 """test against current script injection""" |
282 injected = '<i>toto</i>' |
282 injected = '<i>toto</i>' |
283 cleaned = 'toto' |
283 cleaned = 'toto' |
319 self.login('anon') |
319 self.login('anon') |
320 req = self.request() |
320 req = self.request() |
321 origcnx = req.cnx |
321 origcnx = req.cnx |
322 req.form['__fblogin'] = u'turlututu' |
322 req.form['__fblogin'] = u'turlututu' |
323 page = self.app_publish(req) |
323 page = self.app_publish(req) |
324 self.failIf(req.cnx is origcnx) |
324 self.assertFalse(req.cnx is origcnx) |
325 self.assertEqual(req.user.login, 'turlututu') |
325 self.assertEqual(req.user.login, 'turlututu') |
326 self.failUnless('turlututu' in page, page) |
326 self.assertTrue('turlututu' in page, page) |
327 req.cnx.close() # avoid warning |
327 req.cnx.close() # avoid warning |
328 |
328 |
329 # authentication tests #################################################### |
329 # authentication tests #################################################### |
330 |
330 |
331 def test_http_auth_no_anon(self): |
331 def test_http_auth_no_anon(self): |
341 |
341 |
342 def test_cookie_auth_no_anon(self): |
342 def test_cookie_auth_no_anon(self): |
343 req, origsession = self.init_authentication('cookie') |
343 req, origsession = self.init_authentication('cookie') |
344 self.assertAuthFailure(req) |
344 self.assertAuthFailure(req) |
345 form = self.app_publish(req, 'login') |
345 form = self.app_publish(req, 'login') |
346 self.failUnless('__login' in form) |
346 self.assertTrue('__login' in form) |
347 self.failUnless('__password' in form) |
347 self.assertTrue('__password' in form) |
348 self.assertEqual(req.cnx, None) |
348 self.assertEqual(req.cnx, None) |
349 req.form['__login'] = self.admlogin |
349 req.form['__login'] = self.admlogin |
350 req.form['__password'] = self.admpassword |
350 req.form['__password'] = self.admpassword |
351 self.assertAuthSuccess(req, origsession) |
351 self.assertAuthSuccess(req, origsession) |
352 self.assertRaises(LogOut, self.app_publish, req, 'logout') |
352 self.assertRaises(LogOut, self.app_publish, req, 'logout') |
387 def _test_auth_anon(self, req): |
387 def _test_auth_anon(self, req): |
388 self.app.connect(req) |
388 self.app.connect(req) |
389 asession = req.session |
389 asession = req.session |
390 self.assertEqual(len(self.open_sessions), 1) |
390 self.assertEqual(len(self.open_sessions), 1) |
391 self.assertEqual(asession.login, 'anon') |
391 self.assertEqual(asession.login, 'anon') |
392 self.failUnless(asession.anonymous_session) |
392 self.assertTrue(asession.anonymous_session) |
393 self._reset_cookie(req) |
393 self._reset_cookie(req) |
394 |
394 |
395 def _test_anon_auth_fail(self, req): |
395 def _test_anon_auth_fail(self, req): |
396 self.assertEqual(len(self.open_sessions), 1) |
396 self.assertEqual(len(self.open_sessions), 1) |
397 self.app.connect(req) |
397 self.app.connect(req) |