added csrf tests

2013-07-23 17:32:21 -04:00
parent 4148c00cc4
commit 402ae4d8bd
1 changed files with 21 additions and 1 deletions
--- a/common/djangoapps/student/tests/test_auto_auth.py
+++ b/common/djangoapps/student/tests/test_auto_auth.py
@@ -3,6 +3,7 @@ from django.test.client import Client
 from django.contrib.auth.models import User
 from util.testing import UrlResetMixin
 from mock import patch
+from django.core.urlresolvers import reverse


 class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
@@ -68,8 +69,17 @@ class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
        # make sure it is the same user
        self.assertEqual(qset.count(), 1)

+    def test_csrf_disabled(self):
+        """
+        test that when load testing, csrf protection is off
+        """
+        self.client = Client(enforce_csrf_checks=True)
+        csrf_protected_url = reverse("signin_user")
+        response = self.client.get(csrf_protected_url)
+        self.assertEqual(response.status_code, 200)

-class AutoAuthDisabledTestCase(UrlResetMixin):
+
+class AutoAuthDisabledTestCase(UrlResetMixin, TestCase):
    """
    Test that the page is inaccessible with default settings
    """
@@ -90,3 +100,13 @@ class AutoAuthDisabledTestCase(UrlResetMixin):
        """
        response = self.client.get(self.url)
        self.assertEqual(response.status_code, 404)
+
+    def test_csrf_enabled(self):
+        """
+        test that when not load testing, csrf protection is on
+        """
+        self.client = Client(enforce_csrf_checks=True)
+        csrf_protected_url = reverse("signin_user")
+        response = self.client.post(csrf_protected_url)
+        self.assertEqual(response.status_code, 403)
+