Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #9545 from edx/clintonb/csrf-test

Browse Source 
Added test for CreditCourse endpoint CSRF validation
This commit is contained in:
Clinton Blackburn
2015-08-31 11:53:21 -07:00
parent 40e38829a6 c6c897e218
commit bb1631b2e5
1 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
openedx/core/djangoapps/credit/tests/test_views.py
View File

@@ -8,7 +8,7 @@ import unittest
import ddt
from django.conf import settings
from django.core.urlresolvers import reverse
from django.test import TestCase
from django.test import TestCase, Client
from django.test.utils import override_settings
from mock import patch
from oauth2_provider.tests.factories import AccessTokenFactory, ClientFactory
@@ -380,6 +380,34 @@ class CreditCourseViewSetTests(TestCase):
response = self.client.get(self.path)
self.assertEqual(response.status_code, 200)
def test_session_auth_post_requires_csrf_token(self):
""" Verify non-GET requests require a CSRF token be attached to the request. """
user = UserFactory(password=self.password, is_staff=True)
client = Client(enforce_csrf_checks=True)
self.assertTrue(client.login(username=user.username, password=self.password))
data = {
'course_key': 'a/b/c',
'enabled': True
}
# POSTs without a CSRF token should fail.
response = client.post(self.path, data=json.dumps(data), content_type=JSON)
# NOTE (CCB): Ordinarily we would expect a 403; however, since the CSRF validation and session authentication
# fail, DRF considers the request to be unauthenticated.
self.assertEqual(response.status_code, 401)
self.assertIn('CSRF', response.content)
# Retrieve a CSRF token
response = client.get('/dashboard')
csrf_token = response.cookies[settings.CSRF_COOKIE_NAME].value # pylint: disable=no-member
self.assertGreater(len(csrf_token), 0)
# Ensure POSTs made with the token succeed.
response = client.post(self.path, data=json.dumps(data), content_type=JSON, HTTP_X_CSRFTOKEN=csrf_token)
self.assertEqual(response.status_code, 201)
def test_oauth(self):
""" Verify the endpoint supports OAuth, and only allows authorization for staff users. """
user = UserFactory(is_staff=False)