author | NavaL <ayoyo@thoughtworks.com> | 2016-02-24 16:33:20 +0100 |
---|---|---|
committer | NavaL <mnandri@thoughtworks.com> | 2016-02-25 09:17:53 +0100 |
commit | 9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch) | |
tree | 228ca246c306bd44faa37c01e52c6d7aefec1531 /service/test/integration/test_retrieve_attachment.py | |
parent | b79035b83e81e4fd654b587426083c6033e695ad (diff) |
Backend and frontend protection against csrf attacks:
- root resources change the csrf token cookie every time they are loaded, in particular during the interstitial load during login
- it will also add that cookie in single user mode
- initialize will still load all resources
- but you cannot access them if the csrf token does not match
- all ajax calls need to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax post requests will have to send the token as a form input or in the content
Issue #612
Diffstat (limited to 'service/test/integration/test_retrieve_attachment.py')
-rw-r--r-- | service/test/integration/test_retrieve_attachment.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/service/test/integration/test_retrieve_attachment.py b/service/test/integration/test_retrieve_attachment.py
index 4aaeadc2..31c8c5df 100644
--- a/service/test/integration/test_retrieve_attachment.py
+++ b/service/test/integration/test_retrieve_attachment.py
@@ -43,6 +43,23 @@ class RetrieveAttachmentTest(SoledadTestBase):
         self.assertEquals(expected_content_disposition, req.outgoingHeaders['content-disposition'])
         self.assertEquals(expected_content_type, req.outgoingHeaders['content-type'])
 
+    @defer.inlineCallbacks
+    def test_should_retrieve_attachment_even_if_xsrf_token_not_passed(self):
+        attachment_id, input_mail = self._create_mail_with_attachment()
+        yield self.mail_store.add_mail('INBOX', input_mail.as_string())
+
+        requested_filename = "file name with space"
+        expected_content_type = 'text/plain'
+        expected_content_disposition = 'attachment; filename="file name with space"'
+
+        attachment, req = yield self.get_attachment(attachment_id, 'base64', filename=requested_filename,
+                                                    content_type=expected_content_type, ajax=False, csrf='mismatched token')
+
+        self.assertEqual(200, req.code)
+        self.assertEquals('pretend to be binary attachment data', attachment)
+        self.assertEquals(expected_content_disposition, req.outgoingHeaders['content-disposition'])
+        self.assertEquals(expected_content_type, req.outgoingHeaders['content-type'])
+
     def _create_mail_with_attachment(self):
         input_mail = MIMEMultipart()
         input_mail.attach(MIMEText(u'a utf8 message', _charset='utf-8')) |
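Review bot: The test name says the xsrf token is not passed, but the `attachment, req = yield self.get_attachment(...)` call passes `csrf='mismatched token'`, and it is `ajax=False` that exercises the exemption; either rename it, e.g. `def test_should_retrieve_attachment_on_non_ajax_request_even_if_xsrf_token_mismatches(self):`, or drop the `csrf` argument so the name matches what is asserted. A one-line docstring would also stop a reader from mistaking the expected 200 for a missing CSRF check: `"""Non-ajax GET requests are not xsrf-validated, so a bad token must not block the download."""`. The new lines mix `assertEqual` with the deprecated `assertEquals` alias; the added assertions should use `assertEqual` throughout. Whether the rejecting counterpart (an ajax request with a mismatched token) is covered elsewhere is not visible from this hunk. The enclosing class RetrieveAttachmentTest starts outside the hunk.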