CSRF tests for canned query POST, closes #835

2025-12-10 16:51:24 +01:00 · 2020-06-30 20:08:00 -07:00 · 2020-06-30 20:08:00 -07:00 · 3ec5b1abf6
commit 3ec5b1abf6
parent 08b4928a75
1 changed files with 23 additions and 1 deletions
--- a/tests/test_canned_queries.py
+++ b/tests/test_canned_queries.py
@ -55,7 +55,11 @@ def test_canned_query_with_named_parameter(app_client):

 def test_insert(canned_write_client):
    response = canned_write_client.post(
-        "/data/add_name", {"name": "Hello"}, allow_redirects=False, csrftoken_from=True,
+        "/data/add_name",
+        {"name": "Hello"},
+        allow_redirects=False,
+        csrftoken_from=True,
+        cookies={"foo": "bar"},
    )
    assert 302 == response.status
    assert "/data/add_name?success" == response.headers["Location"]
@ -65,6 +69,24 @@ def test_insert(canned_write_client):
    assert [["Query executed, 1 row affected", 1]] == messages


+def test_insert_with_cookies_requires_csrf(canned_write_client):
+    response = canned_write_client.post(
+        "/data/add_name",
+        {"name": "Hello"},
+        allow_redirects=False,
+        cookies={"foo": "bar"},
+    )
+    assert 403 == response.status
+
+
+def test_insert_no_cookies_no_csrf(canned_write_client):
+    response = canned_write_client.post(
+        "/data/add_name", {"name": "Hello"}, allow_redirects=False
+    )
+    assert 302 == response.status
+    assert "/data/add_name?success" == response.headers["Location"]
+
+
 def test_custom_success_message(canned_write_client):
    response = canned_write_client.post(
        "/data/delete_name",