diff options
author | NavaL <ayoyo@thoughtworks.com> | 2016-02-24 16:33:20 +0100 |
---|---|---|
committer | NavaL <mnandri@thoughtworks.com> | 2016-02-25 09:17:53 +0100 |
commit | 9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch) | |
tree | 228ca246c306bd44faa37c01e52c6d7aefec1531 /service/test/support/integration | |
parent | b79035b83e81e4fd654b587426083c6033e695ad (diff) |
Backend and frontend protection against csrf attacks:
- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login
- it will also add that cookie on single user mode
- initialize will still load all resources
- but they you cant access them if the csrf token do not match
- all ajax calls needs to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax post will have to send the token in as a form input or in the content
Issue #612
Diffstat (limited to 'service/test/support/integration')
-rw-r--r-- | service/test/support/integration/app_test_client.py | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py index 8ab58397..a2360a4e 100644 --- a/service/test/support/integration/app_test_client.py +++ b/service/test/support/integration/app_test_client.py @@ -244,22 +244,22 @@ class AppTestClient(object): time.sleep(1) return lambda: process.terminate() - def get(self, path, get_args='', as_json=True): - request = request_mock(path) + def get(self, path, get_args='', as_json=True, ajax=True, csrf='token'): + request = request_mock(path, ajax=ajax, csrf=csrf) request.args = get_args return self._render(request, as_json) - def post(self, path, body='', headers=None): + def post(self, path, body='', headers=None, ajax=True, csrf='token'): headers = headers or {'Content-Type': 'application/json'} - request = request_mock(path=path, method="POST", body=body, headers=headers) + request = request_mock(path=path, method="POST", body=body, headers=headers, ajax=ajax, csrf=csrf) return self._render(request) - def put(self, path, body): - request = request_mock(path=path, method="PUT", body=body, headers={'Content-Type': ['application/json']}) + def put(self, path, body, ajax=True, csrf='token'): + request = request_mock(path=path, method="PUT", body=body, headers={'Content-Type': ['application/json']}, ajax=ajax, csrf=csrf) return self._render(request) - def delete(self, path, body=""): - request = request_mock(path=path, body=body, headers={'Content-Type': ['application/json']}, method="DELETE") + def delete(self, path, body="", ajax=True, csrf='token'): + request = request_mock(path=path, body=body, headers={'Content-Type': ['application/json']}, method="DELETE", ajax=ajax, csrf=csrf) return self._render(request) @defer.inlineCallbacks @@ -322,13 +322,13 @@ class AppTestClient(object): defer.returnValue(mails) @defer.inlineCallbacks - def get_attachment(self, ident, encoding, filename=None, content_type=None): + def get_attachment(self, ident, encoding, filename=None, content_type=None, ajax=True, csrf='token'): params = {'encoding': [encoding]} if filename: params['filename'] = [filename] if content_type: params['content_type'] = [content_type] - deferred_result, req = self.get("/attachment/%s" % ident, params, as_json=False) + deferred_result, req = self.get("/attachment/%s" % ident, params, as_json=False, ajax=ajax, csrf=csrf) res = yield deferred_result defer.returnValue((res, req)) |