| author | Jon Newson <jon_newson@ieee.org> | 2016-02-26 16:20:59 +1100 |
|---|---|---|
| committer | Jon Newson <jon_newson@ieee.org> | 2016-02-26 16:20:59 +1100 |
| commit | 05f4e2ca2d64eaba23c87df4d2e2cc9e09bba6de (patch) | |
| tree | 50b2ccf6454f31a3f6bceaa997a5e2abbcb91a80 /service/test/integration | |
| parent | 52467b9aef76c9aac2f250478befd3afb7b6aabd (diff) | |
| parent | dbb434b56e6b161a3b851ae6a81f96dff14a29da (diff) | |
Merge branch 'master' of https://github.com/pixelated/pixelated-user-agent
# By Felix Hammerl (5) and others
# Via NavaL
* 'master' of https://github.com/pixelated/pixelated-user-agent:
serving the client directly, as the current dependency on proxy strips out xsrf cookies -fixing functional test
only adding feature resource in root_resource test -- fixing build
changed logout to post Issue #612
Backend and frontend protection against CSRF attacks: - the root resource changes the CSRF token cookie every time it is loaded, in particular during the interstitial load during login - it will also add that cookie in single-user mode - initialize will still load all resources - but you can't access them if the CSRF tokens do not match - all AJAX calls need to add the token to the header - non-AJAX GET requests do not need XSRF token validation - non-AJAX POSTs will have to send the token as a form input or in the content
Consolidate stylesheets
Remove unused font and stylesheetgit s
Create a new deferred for all IMAPAccount calls
Clean up jshintrc
Recreate session on soledad problems
issue #617: Remove old html whitelister
Issue #617: Sanitize received content
Diffstat (limited to 'service/test/integration')
| -rw-r--r-- | service/test/integration/test_logout.py | 6 | ||||
| -rw-r--r-- | service/test/integration/test_retrieve_attachment.py | 17 |
2 files changed, 21 insertions, 2 deletions
diff --git a/service/test/integration/test_logout.py b/service/test/integration/test_logout.py
index 52f7e34f..da414126 100644
--- a/service/test/integration/test_logout.py
+++ b/service/test/integration/test_logout.py
@@ -13,10 +13,11 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
+import json
+
 from mockito import verify
 from twisted.internet import defer
-from test.support.integration import load_mail_from_file
 from test.support.integration.multi_user_client import MultiUserClient
 from test.support.integration.soledad_test_base import SoledadTestBase
@@ -34,7 +35,8 @@ class MultiUserLogoutTest(MultiUserClient, SoledadTestBase):
         yield self.wait_for_session_user_id_to_finish()
-        response, request = self.get("/logout", as_json=False, from_request=login_request)
+        response, request = self.post("/logout", json.dumps({'csrftoken': [login_request.getCookie('XSRF-TOKEN')]}),
+                                      from_request=login_request, as_json=False)
         yield response
         self.assertEqual(302, request.responseCode) # redirected
diff --git a/service/test/integration/test_retrieve_attachment.py b/service/test/integration/test_retrieve_attachment.py
index 4aaeadc2..31c8c5df 100644
--- a/service/test/integration/test_retrieve_attachment.py
+++ b/service/test/integration/test_retrieve_attachment.py
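Review bot: The rewritten logout test (its method header starts outside the hunk) only covers the happy path: a POST to /logout carrying the cookie's own XSRF-TOKEN is redirected, but nothing pins that the same POST without a token, or with a mismatched one, is refused, so a regression that stops checking `csrftoken` on logout would still pass this suite. A companion test that posts `json.dumps({'csrftoken': ['mismatched token']})` from the same login_request and asserts the response code is not 302 (whatever status the resource returns on a mismatch — the hunk does not show it) would make the protection observable. The token is sent wrapped in a one-element list, which looks like it mirrors the shape Twisted's request.args presents; if that is the reason, a short comment such as `# server reads csrftoken the way request.args presents it: a list` would spare the next reader a guess.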
@@ -43,6 +43,23 @@ class RetrieveAttachmentTest(SoledadTestBase):
         self.assertEquals(expected_content_disposition, req.outgoingHeaders['content-disposition'])
         self.assertEquals(expected_content_type, req.outgoingHeaders['content-type'])
 
+    @defer.inlineCallbacks
+    def test_should_retrieve_attachment_even_if_xsrf_token_not_passed(self):
+        attachment_id, input_mail = self._create_mail_with_attachment()
+        yield self.mail_store.add_mail('INBOX', input_mail.as_string())
+
+        requested_filename = "file name with space"
+        expected_content_type = 'text/plain'
+        expected_content_disposition = 'attachment; filename="file name with space"'
+
+        attachment, req = yield self.get_attachment(attachment_id, 'base64', filename=requested_filename,
+                                                    content_type=expected_content_type, ajax=False, csrf='mismatched token')
+
+        self.assertEqual(200, req.code)
+        self.assertEquals('pretend to be binary attachment data', attachment)
+        self.assertEquals(expected_content_disposition, req.outgoingHeaders['content-disposition'])
+        self.assertEquals(expected_content_type, req.outgoingHeaders['content-type'])
+
     def _create_mail_with_attachment(self):
         input_mail = MIMEMultipart()
         input_mail.attach(MIMEText(u'a utf8 message', _charset='utf-8'))
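Review bot: The new test's name says the XSRF token is "not passed", but the `attachment, req = yield self.get_attachment(...)` call passes `csrf='mismatched token'` — a wrong token, not an absent one — so the name overstates what is pinned; either rename it to `test_should_retrieve_attachment_on_non_ajax_get_even_with_mismatched_xsrf_token` or add a second case that omits `csrf` altogether. More importantly, the test enshrines the bypass described in the commit message (non-AJAX GETs skip token validation) without the matching negative case, so nothing in this file shows that the same request with `ajax=True` and a mismatched token is rejected; a server that never validated tokens at all would also pass. A one-line comment above the test recording the threat-model assumption it depends on, e.g. `# Non-AJAX GETs skip XSRF validation: attachment download is read-only and is gated by the session cookie, not the token`, would stop a future reader from treating 200-on-mismatch as a bug (the read-only part is inferred here — confirm against the resource). Minor: the body mixes `assertEqual` and the deprecated `assertEquals` alias where the surrounding test uses only `assertEquals`; pick one.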
