265 self.assertEqual(forminfo['values'], req.form) |
265 self.assertEqual(forminfo['values'], req.form) |
266 |
266 |
267 |
267 |
268 def _test_cleaned(self, kwargs, injected, cleaned): |
268 def _test_cleaned(self, kwargs, injected, cleaned): |
269 req = self.request(**kwargs) |
269 req = self.request(**kwargs) |
270 page = self.app.handle_request(req, 'view') |
270 page = self.app_handle_request(req, 'view') |
271 self.assertFalse(injected in page, (kwargs, injected)) |
271 self.assertNotIn(injected, page) |
272 self.assertTrue(cleaned in page, (kwargs, cleaned)) |
272 self.assertIn(cleaned, page) |
273 |
273 |
274 def test_nonregr_script_kiddies(self): |
274 def test_nonregr_script_kiddies(self): |
275 """test against current script injection""" |
275 """test against current script injection""" |
276 injected = '<i>toto</i>' |
276 injected = '<i>toto</i>' |
277 cleaned = 'toto' |
277 cleaned = 'toto' |
317 # authentication tests #################################################### |
317 # authentication tests #################################################### |
318 |
318 |
319 def test_http_auth_no_anon(self): |
319 def test_http_auth_no_anon(self): |
320 req, origsession = self.init_authentication('http') |
320 req, origsession = self.init_authentication('http') |
321 self.assertAuthFailure(req) |
321 self.assertAuthFailure(req) |
322 self.assertRaises(AuthenticationError, self.app_handle_request, req, 'login') |
322 self.app.handle_request(req, 'login') |
323 self.assertEqual(req.cnx, None) |
323 self.assertEqual(401, req.status_out) |
|
324 clear_cache(req, 'get_authorization') |
324 authstr = base64.encodestring('%s:%s' % (self.admlogin, self.admpassword)) |
325 authstr = base64.encodestring('%s:%s' % (self.admlogin, self.admpassword)) |
325 req.set_request_header('Authorization', 'basic %s' % authstr) |
326 req.set_request_header('Authorization', 'basic %s' % authstr) |
326 self.assertAuthSuccess(req, origsession) |
327 self.assertAuthSuccess(req, origsession) |
327 self.assertRaises(LogOut, self.app_handle_request, req, 'logout') |
328 self.assertRaises(LogOut, self.app_handle_request, req, 'logout') |
328 self.assertEqual(len(self.open_sessions), 0) |
329 self.assertEqual(len(self.open_sessions), 0) |
329 |
330 |
330 def test_cookie_auth_no_anon(self): |
331 def test_cookie_auth_no_anon(self): |
331 req, origsession = self.init_authentication('cookie') |
332 req, origsession = self.init_authentication('cookie') |
332 self.assertAuthFailure(req) |
333 self.assertAuthFailure(req) |
333 try: |
334 try: |
334 form = self.app_handle_request(req, 'login') |
335 form = self.app.handle_request(req, 'login') |
335 except Redirect as redir: |
336 except Redirect as redir: |
336 self.fail('anonymous user should get login form') |
337 self.fail('anonymous user should get login form') |
|
338 clear_cache(req, 'get_authorization') |
337 self.assertTrue('__login' in form) |
339 self.assertTrue('__login' in form) |
338 self.assertTrue('__password' in form) |
340 self.assertTrue('__password' in form) |
339 self.assertEqual(req.cnx, None) |
341 self.assertEqual(req.cnx, None) |
340 req.form['__login'] = self.admlogin |
342 req.form['__login'] = self.admlogin |
341 req.form['__password'] = self.admpassword |
343 req.form['__password'] = self.admpassword |