CSRF protection (#798)

Closes #793.

* Rename RequestParameters to MultiParams, refs #799
* Allow tuples as well as lists in MultiParams, refs #799
* Use csrftokens when running tests, refs #799
* Use new csrftoken() function, refs https://github.com/simonw/asgi-csrf/issues/7
* Check for Vary: Cookie header, refs https://github.com/simonw/asgi-csrf/issues/8
Simon Willison 2020-06-05 12:05:57 -07:00 committed by GitHub
commit 84a9c4ff75
9 changed files with 67 additions and 19 deletions


@ -40,7 +40,7 @@ def canned_write_client():
def test_insert(canned_write_client):
response = canned_write_client.post(
"/data/add_name", {"name": "Hello"}, allow_redirects=False
"/data/add_name", {"name": "Hello"}, allow_redirects=False, csrftoken_from=True,
)
assert 302 == response.status
assert "/data/add_name?success" == response.headers["Location"]
@ -52,7 +52,7 @@ def test_insert(canned_write_client):
def test_custom_success_message(canned_write_client):
response = canned_write_client.post(
"/data/delete_name", {"rowid": 1}, allow_redirects=False
"/data/delete_name", {"rowid": 1}, allow_redirects=False, csrftoken_from=True
)
assert 302 == response.status
messages = canned_write_client.ds.unsign(
@ -62,11 +62,12 @@ def test_custom_success_message(canned_write_client):
def test_insert_error(canned_write_client):
canned_write_client.post("/data/add_name", {"name": "Hello"})
canned_write_client.post("/data/add_name", {"name": "Hello"}, csrftoken_from=True)
response = canned_write_client.post(
"/data/add_name_specify_id",
{"rowid": 1, "name": "Should fail"},
allow_redirects=False,
csrftoken_from=True,
)
assert 302 == response.status
assert "/data/add_name_specify_id?error" == response.headers["Location"]
@ -82,6 +83,7 @@ def test_insert_error(canned_write_client):
"/data/add_name_specify_id",
{"rowid": 1, "name": "Should fail"},
allow_redirects=False,
csrftoken_from=True,
)
assert [["ERROR", 3]] == canned_write_client.ds.unsign(
response.cookies["ds_messages"], "messages"
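Review bot: Every POST in this file is updated to pass `csrftoken_from=True`, but none of the hunks adds a negative case, so nothing in this test module proves the new protection actually rejects a form POST that carries no token — a later regression that stopped enforcing the check would leave these tests green. Unless one of the other changed files in this commit covers it, a test that posts to `/data/add_name` without `csrftoken_from` and asserts the rejection status would pin the behaviour; the exact status code is not visible on this page, so confirm it against the middleware before settling on the value below. test_insert_error's body continues past the end of the last hunk.
```python
def test_insert_without_csrftoken_is_rejected(canned_write_client):
    response = canned_write_client.post(
        "/data/add_name", {"name": "Hello"}, allow_redirects=False
    )
    # TODO(review): confirm the status code the CSRF middleware returns
    assert 403 == response.status
```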