Merge remote-tracking branch 'refs/remotes/tilly-q/ticket-874' into mergetest

[mediagoblin.git] / mediagoblin / tests / test_csrf_middleware.py

diff --git a/mediagoblin/tests/test_csrf_middleware.py b/mediagoblin/tests/test_csrf_middleware.py
index 691f10b994701796c7e458120aabf29b4653284f..a272caf69997d2d21035328d6dd23419488b3429 100644 (file)
--- a/mediagoblin/tests/test_csrf_middleware.py
+++ b/mediagoblin/tests/test_csrf_middleware.py
@@ -1,5 +1,5 @@
 # GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011 MediaGoblin contributors.  See AUTHORS.
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -14,20 +14,12 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import urlparse
-import datetime
-
-from nose.tools import assert_equal
-
-from mediagoblin.tests.tools import setup_fresh_app
 from mediagoblin import mg_globals
 
 
-@setup_fresh_app
 def test_csrf_cookie_set(test_app):
-
     cookie_name = mg_globals.app_config['csrf_cookie_name']
-    
+
     # get login page
     response = test_app.get('/auth/login/')
 
@@ -39,7 +31,13 @@ def test_csrf_cookie_set(test_app):
     assert response.headers.get('Vary', False) == 'Cookie'
 
 
-@setup_fresh_app
+# We need a fresh app for this test on webtest < 1.3.6.
+# We do not understand why, but it fixes the tests.
+# If we require webtest >= 1.3.6, we can switch to a non fresh app here.
+# 
+# ... this comment might be irrelevant post-pytest-fixtures, but I'm not
+# removing it yet in case we move to module-level tests :)
+#   -- cwebber
 def test_csrf_token_must_match(test_app):
 
     # construct a request with no cookie or form token
@@ -49,7 +47,7 @@ def test_csrf_token_must_match(test_app):
 
     # construct a request with a cookie, but no form token
     assert test_app.post('/auth/login/',
-                         headers={'Cookie': str('%s=foo; ' %
+                         headers={'Cookie': str('%s=foo' %
                                   mg_globals.app_config['csrf_cookie_name'])},
                          extra_environ={'gmg.verify_csrf': True},
                          expect_errors=True).status_int == 403
@@ -57,7 +55,7 @@ def test_csrf_token_must_match(test_app):
     # if both the cookie and form token are provided, they must match
     assert test_app.post('/auth/login/',
                          {'csrf_token': 'blarf'},
-                         headers={'Cookie': str('%s=foo; ' %
+                         headers={'Cookie': str('%s=foo' %
                                   mg_globals.app_config['csrf_cookie_name'])},
                          extra_environ={'gmg.verify_csrf': True},
                          expect_errors=True).\
@@ -65,7 +63,24 @@ def test_csrf_token_must_match(test_app):
 
     assert test_app.post('/auth/login/',
                          {'csrf_token': 'foo'},
-                         headers={'Cookie': str('%s=foo; ' %
+                         headers={'Cookie': str('%s=foo' %
                                   mg_globals.app_config['csrf_cookie_name'])},
                          extra_environ={'gmg.verify_csrf': True}).\
                          status_int == 200
+
+def test_csrf_exempt(test_app):
+    # monkey with the views to decorate a known endpoint
+    import mediagoblin.auth.views
+    from mediagoblin.meddleware.csrf import csrf_exempt
+
+    mediagoblin.auth.views.login = csrf_exempt(
+        mediagoblin.auth.views.login
+    )
+
+    # construct a request with no cookie or form token
+    assert test_app.post('/auth/login/',
+                         extra_environ={'gmg.verify_csrf': True},
+                         expect_errors=False).status_int == 200
+
+    # restore the CSRF protection in case other tests expect it
+    mediagoblin.auth.views.login.csrf_enabled = True