From 3ec5b1abf6afa2d22a3378092809a1a8c0249d26 Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Tue, 30 Jun 2020 20:08:00 -0700
Subject: [PATCH] CSRF tests for canned query POST, closes #835

---
 tests/test_canned_queries.py | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/tests/test_canned_queries.py b/tests/test_canned_queries.py
index c0219cb1..365bcdfa 100644
--- a/tests/test_canned_queries.py
+++ b/tests/test_canned_queries.py
@@ -55,7 +55,11 @@ def test_canned_query_with_named_parameter(app_client):
 
 def test_insert(canned_write_client):
     response = canned_write_client.post(
-        "/data/add_name", {"name": "Hello"}, allow_redirects=False, csrftoken_from=True,
+        "/data/add_name",
+        {"name": "Hello"},
+        allow_redirects=False,
+        csrftoken_from=True,
+        cookies={"foo": "bar"},
     )
     assert 302 == response.status
     assert "/data/add_name?success" == response.headers["Location"]
@@ -65,6 +69,24 @@ def test_insert(canned_write_client):
     assert [["Query executed, 1 row affected", 1]] == messages
 
 
+def test_insert_with_cookies_requires_csrf(canned_write_client):
+    response = canned_write_client.post(
+        "/data/add_name",
+        {"name": "Hello"},
+        allow_redirects=False,
+        cookies={"foo": "bar"},
+    )
+    assert 403 == response.status
+
+
+def test_insert_no_cookies_no_csrf(canned_write_client):
+    response = canned_write_client.post(
+        "/data/add_name", {"name": "Hello"}, allow_redirects=False
+    )
+    assert 302 == response.status
+    assert "/data/add_name?success" == response.headers["Location"]
+
+
 def test_custom_success_message(canned_write_client):
     response = canned_write_client.post(
         "/data/delete_name",
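Review bot: test_insert_with_cookies_requires_csrf in the second hunk asserts only the 403 status and never checks that the rejected POST left the data untouched, so a regression that runs the insert and then returns 403 would still pass. After the `assert 403 == response.status`, read the affected table back and assert the "Hello" row is absent; test_insert's `messages` assertion covers the row count on the success path, but there is no equivalent negative check here. The companion test_insert_no_cookies_no_csrf pins the contract that a request carrying no cookies is exempt from the CSRF check, and a one-line docstring such as `"""A cookie-less request carries no ambient credentials to forge, so the CSRF check is skipped."""` would record that this is intended rather than a gap — presumably that is the middleware's rationale, so confirm it against its documentation before wording the docstring. test_custom_success_message continues outside the hunk.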