Show More
| @@ -1,359 +1,359 b'' | |||||
| 1 | # -*- coding: utf-8 -*- |
|
1 | # -*- coding: utf-8 -*- | |
| 2 |
|
2 | |||
| 3 | # Copyright (C) 2010-2017 RhodeCode GmbH |
|
3 | # Copyright (C) 2010-2017 RhodeCode GmbH | |
| 4 | # |
|
4 | # | |
| 5 | # This program is free software: you can redistribute it and/or modify |
|
5 | # This program is free software: you can redistribute it and/or modify | |
| 6 | # it under the terms of the GNU Affero General Public License, version 3 |
|
6 | # it under the terms of the GNU Affero General Public License, version 3 | |
| 7 | # (only), as published by the Free Software Foundation. |
|
7 | # (only), as published by the Free Software Foundation. | |
| 8 | # |
|
8 | # | |
| 9 | # This program is distributed in the hope that it will be useful, |
|
9 | # This program is distributed in the hope that it will be useful, | |
| 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 12 | # GNU General Public License for more details. |
|
12 | # GNU General Public License for more details. | |
| 13 | # |
|
13 | # | |
| 14 | # You should have received a copy of the GNU Affero General Public License |
|
14 | # You should have received a copy of the GNU Affero General Public License | |
| 15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |
| 16 | # |
|
16 | # | |
| 17 | # This program is dual-licensed. If you wish to learn more about the |
|
17 | # This program is dual-licensed. If you wish to learn more about the | |
| 18 | # RhodeCode Enterprise Edition, including its added features, Support services, |
|
18 | # RhodeCode Enterprise Edition, including its added features, Support services, | |
| 19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ |
|
19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ | |
| 20 |
|
20 | |||
| 21 | import mock |
|
21 | import mock | |
| 22 | import pytest |
|
22 | import pytest | |
| 23 |
|
23 | |||
| 24 | from rhodecode.lib import helpers as h |
|
24 | from rhodecode.lib import helpers as h | |
| 25 | from rhodecode.model.db import User, Gist |
|
25 | from rhodecode.model.db import User, Gist | |
| 26 | from rhodecode.model.gist import GistModel |
|
26 | from rhodecode.model.gist import GistModel | |
| 27 | from rhodecode.model.meta import Session |
|
27 | from rhodecode.model.meta import Session | |
| 28 | from rhodecode.tests import ( |
|
28 | from rhodecode.tests import ( | |
| 29 | TEST_USER_ADMIN_LOGIN, TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS, |
|
29 | TEST_USER_ADMIN_LOGIN, TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS, | |
| 30 | TestController, assert_session_flash, url) |
|
30 | TestController, assert_session_flash, url) | |
| 31 | from rhodecode.tests.utils import AssertResponse |
|
31 | from rhodecode.tests.utils import AssertResponse | |
| 32 |
|
32 | |||
| 33 |
|
33 | |||
| 34 | class GistUtility(object): |
|
34 | class GistUtility(object): | |
| 35 |
|
35 | |||
| 36 | def __init__(self): |
|
36 | def __init__(self): | |
| 37 | self._gist_ids = [] |
|
37 | self._gist_ids = [] | |
| 38 |
|
38 | |||
| 39 | def __call__( |
|
39 | def __call__( | |
| 40 | self, f_name, content='some gist', lifetime=-1, |
|
40 | self, f_name, content='some gist', lifetime=-1, | |
| 41 | description='gist-desc', gist_type='public', |
|
41 | description='gist-desc', gist_type='public', | |
| 42 | acl_level=Gist.GIST_PUBLIC, owner=TEST_USER_ADMIN_LOGIN): |
|
42 | acl_level=Gist.GIST_PUBLIC, owner=TEST_USER_ADMIN_LOGIN): | |
| 43 | gist_mapping = { |
|
43 | gist_mapping = { | |
| 44 | f_name: {'content': content} |
|
44 | f_name: {'content': content} | |
| 45 | } |
|
45 | } | |
| 46 | user = User.get_by_username(owner) |
|
46 | user = User.get_by_username(owner) | |
| 47 | gist = GistModel().create( |
|
47 | gist = GistModel().create( | |
| 48 | description, owner=user, gist_mapping=gist_mapping, |
|
48 | description, owner=user, gist_mapping=gist_mapping, | |
| 49 | gist_type=gist_type, lifetime=lifetime, gist_acl_level=acl_level) |
|
49 | gist_type=gist_type, lifetime=lifetime, gist_acl_level=acl_level) | |
| 50 | Session().commit() |
|
50 | Session().commit() | |
| 51 | self._gist_ids.append(gist.gist_id) |
|
51 | self._gist_ids.append(gist.gist_id) | |
| 52 | return gist |
|
52 | return gist | |
| 53 |
|
53 | |||
| 54 | def cleanup(self): |
|
54 | def cleanup(self): | |
| 55 | for gist_id in self._gist_ids: |
|
55 | for gist_id in self._gist_ids: | |
| 56 | gist = Gist.get(gist_id) |
|
56 | gist = Gist.get(gist_id) | |
| 57 | if gist: |
|
57 | if gist: | |
| 58 | Session().delete(gist) |
|
58 | Session().delete(gist) | |
| 59 |
|
59 | |||
| 60 | Session().commit() |
|
60 | Session().commit() | |
| 61 |
|
61 | |||
| 62 |
|
62 | |||
| 63 | @pytest.fixture |
|
63 | @pytest.fixture | |
| 64 | def create_gist(request): |
|
64 | def create_gist(request): | |
| 65 | gist_utility = GistUtility() |
|
65 | gist_utility = GistUtility() | |
| 66 | request.addfinalizer(gist_utility.cleanup) |
|
66 | request.addfinalizer(gist_utility.cleanup) | |
| 67 | return gist_utility |
|
67 | return gist_utility | |
| 68 |
|
68 | |||
| 69 |
|
69 | |||
| 70 | class TestGistsController(TestController): |
|
70 | class TestGistsController(TestController): | |
| 71 |
|
71 | |||
| 72 | def test_index_empty(self, create_gist): |
|
72 | def test_index_empty(self, create_gist): | |
| 73 | self.log_user() |
|
73 | self.log_user() | |
| 74 | response = self.app.get(url('gists')) |
|
74 | response = self.app.get(url('gists')) | |
| 75 | response.mustcontain('data: [],') |
|
75 | response.mustcontain('data: [],') | |
| 76 |
|
76 | |||
| 77 | def test_index(self, create_gist): |
|
77 | def test_index(self, create_gist): | |
| 78 | self.log_user() |
|
78 | self.log_user() | |
| 79 | g1 = create_gist('gist1') |
|
79 | g1 = create_gist('gist1') | |
| 80 | g2 = create_gist('gist2', lifetime=1400) |
|
80 | g2 = create_gist('gist2', lifetime=1400) | |
| 81 | g3 = create_gist('gist3', description='gist3-desc') |
|
81 | g3 = create_gist('gist3', description='gist3-desc') | |
| 82 | g4 = create_gist('gist4', gist_type='private').gist_access_id |
|
82 | g4 = create_gist('gist4', gist_type='private').gist_access_id | |
| 83 | response = self.app.get(url('gists')) |
|
83 | response = self.app.get(url('gists')) | |
| 84 |
|
84 | |||
| 85 | response.mustcontain('gist: %s' % g1.gist_access_id) |
|
85 | response.mustcontain('gist: %s' % g1.gist_access_id) | |
| 86 | response.mustcontain('gist: %s' % g2.gist_access_id) |
|
86 | response.mustcontain('gist: %s' % g2.gist_access_id) | |
| 87 | response.mustcontain('gist: %s' % g3.gist_access_id) |
|
87 | response.mustcontain('gist: %s' % g3.gist_access_id) | |
| 88 | response.mustcontain('gist3-desc') |
|
88 | response.mustcontain('gist3-desc') | |
| 89 | response.mustcontain(no=['gist: %s' % g4]) |
|
89 | response.mustcontain(no=['gist: %s' % g4]) | |
| 90 |
|
90 | |||
| 91 | # Expiration information should be visible |
|
91 | # Expiration information should be visible | |
| 92 | expires_tag = '%s' % h.age_component( |
|
92 | expires_tag = '%s' % h.age_component( | |
| 93 | h.time_to_datetime(g2.gist_expires)) |
|
93 | h.time_to_utcdatetime(g2.gist_expires)) | |
| 94 | response.mustcontain(expires_tag.replace('"', '\\"')) |
|
94 | response.mustcontain(expires_tag.replace('"', '\\"')) | |
| 95 |
|
95 | |||
| 96 | def test_index_private_gists(self, create_gist): |
|
96 | def test_index_private_gists(self, create_gist): | |
| 97 | self.log_user() |
|
97 | self.log_user() | |
| 98 | gist = create_gist('gist5', gist_type='private') |
|
98 | gist = create_gist('gist5', gist_type='private') | |
| 99 | response = self.app.get(url('gists', private=1)) |
|
99 | response = self.app.get(url('gists', private=1)) | |
| 100 |
|
100 | |||
| 101 | # and privates |
|
101 | # and privates | |
| 102 | response.mustcontain('gist: %s' % gist.gist_access_id) |
|
102 | response.mustcontain('gist: %s' % gist.gist_access_id) | |
| 103 |
|
103 | |||
| 104 | def test_index_show_all(self, create_gist): |
|
104 | def test_index_show_all(self, create_gist): | |
| 105 | self.log_user() |
|
105 | self.log_user() | |
| 106 | create_gist('gist1') |
|
106 | create_gist('gist1') | |
| 107 | create_gist('gist2', lifetime=1400) |
|
107 | create_gist('gist2', lifetime=1400) | |
| 108 | create_gist('gist3', description='gist3-desc') |
|
108 | create_gist('gist3', description='gist3-desc') | |
| 109 | create_gist('gist4', gist_type='private') |
|
109 | create_gist('gist4', gist_type='private') | |
| 110 |
|
110 | |||
| 111 | response = self.app.get(url('gists', all=1)) |
|
111 | response = self.app.get(url('gists', all=1)) | |
| 112 |
|
112 | |||
| 113 | assert len(GistModel.get_all()) == 4 |
|
113 | assert len(GistModel.get_all()) == 4 | |
| 114 | # and privates |
|
114 | # and privates | |
| 115 | for gist in GistModel.get_all(): |
|
115 | for gist in GistModel.get_all(): | |
| 116 | response.mustcontain('gist: %s' % gist.gist_access_id) |
|
116 | response.mustcontain('gist: %s' % gist.gist_access_id) | |
| 117 |
|
117 | |||
| 118 | def test_index_show_all_hidden_from_regular(self, create_gist): |
|
118 | def test_index_show_all_hidden_from_regular(self, create_gist): | |
| 119 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) |
|
119 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) | |
| 120 | create_gist('gist2', gist_type='private') |
|
120 | create_gist('gist2', gist_type='private') | |
| 121 | create_gist('gist3', gist_type='private') |
|
121 | create_gist('gist3', gist_type='private') | |
| 122 | create_gist('gist4', gist_type='private') |
|
122 | create_gist('gist4', gist_type='private') | |
| 123 |
|
123 | |||
| 124 | response = self.app.get(url('gists', all=1)) |
|
124 | response = self.app.get(url('gists', all=1)) | |
| 125 |
|
125 | |||
| 126 | assert len(GistModel.get_all()) == 3 |
|
126 | assert len(GistModel.get_all()) == 3 | |
| 127 | # since we don't have access to private in this view, we |
|
127 | # since we don't have access to private in this view, we | |
| 128 | # should see nothing |
|
128 | # should see nothing | |
| 129 | for gist in GistModel.get_all(): |
|
129 | for gist in GistModel.get_all(): | |
| 130 | response.mustcontain(no=['gist: %s' % gist.gist_access_id]) |
|
130 | response.mustcontain(no=['gist: %s' % gist.gist_access_id]) | |
| 131 |
|
131 | |||
| 132 | def test_create(self): |
|
132 | def test_create(self): | |
| 133 | self.log_user() |
|
133 | self.log_user() | |
| 134 | response = self.app.post( |
|
134 | response = self.app.post( | |
| 135 | url('gists'), |
|
135 | url('gists'), | |
| 136 | params={'lifetime': -1, |
|
136 | params={'lifetime': -1, | |
| 137 | 'content': 'gist test', |
|
137 | 'content': 'gist test', | |
| 138 | 'filename': 'foo', |
|
138 | 'filename': 'foo', | |
| 139 | 'public': 'public', |
|
139 | 'public': 'public', | |
| 140 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, |
|
140 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, | |
| 141 | 'csrf_token': self.csrf_token}, |
|
141 | 'csrf_token': self.csrf_token}, | |
| 142 | status=302) |
|
142 | status=302) | |
| 143 | response = response.follow() |
|
143 | response = response.follow() | |
| 144 | response.mustcontain('added file: foo') |
|
144 | response.mustcontain('added file: foo') | |
| 145 | response.mustcontain('gist test') |
|
145 | response.mustcontain('gist test') | |
| 146 |
|
146 | |||
| 147 | def test_create_with_path_with_dirs(self): |
|
147 | def test_create_with_path_with_dirs(self): | |
| 148 | self.log_user() |
|
148 | self.log_user() | |
| 149 | response = self.app.post( |
|
149 | response = self.app.post( | |
| 150 | url('gists'), |
|
150 | url('gists'), | |
| 151 | params={'lifetime': -1, |
|
151 | params={'lifetime': -1, | |
| 152 | 'content': 'gist test', |
|
152 | 'content': 'gist test', | |
| 153 | 'filename': '/home/foo', |
|
153 | 'filename': '/home/foo', | |
| 154 | 'public': 'public', |
|
154 | 'public': 'public', | |
| 155 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, |
|
155 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, | |
| 156 | 'csrf_token': self.csrf_token}, |
|
156 | 'csrf_token': self.csrf_token}, | |
| 157 | status=200) |
|
157 | status=200) | |
| 158 | response.mustcontain('Filename /home/foo cannot be inside a directory') |
|
158 | response.mustcontain('Filename /home/foo cannot be inside a directory') | |
| 159 |
|
159 | |||
| 160 | def test_access_expired_gist(self, create_gist): |
|
160 | def test_access_expired_gist(self, create_gist): | |
| 161 | self.log_user() |
|
161 | self.log_user() | |
| 162 | gist = create_gist('never-see-me') |
|
162 | gist = create_gist('never-see-me') | |
| 163 | gist.gist_expires = 0 # 1970 |
|
163 | gist.gist_expires = 0 # 1970 | |
| 164 | Session().add(gist) |
|
164 | Session().add(gist) | |
| 165 | Session().commit() |
|
165 | Session().commit() | |
| 166 |
|
166 | |||
| 167 | self.app.get(url('gist', gist_id=gist.gist_access_id), status=404) |
|
167 | self.app.get(url('gist', gist_id=gist.gist_access_id), status=404) | |
| 168 |
|
168 | |||
| 169 | def test_create_private(self): |
|
169 | def test_create_private(self): | |
| 170 | self.log_user() |
|
170 | self.log_user() | |
| 171 | response = self.app.post( |
|
171 | response = self.app.post( | |
| 172 | url('gists'), |
|
172 | url('gists'), | |
| 173 | params={'lifetime': -1, |
|
173 | params={'lifetime': -1, | |
| 174 | 'content': 'private gist test', |
|
174 | 'content': 'private gist test', | |
| 175 | 'filename': 'private-foo', |
|
175 | 'filename': 'private-foo', | |
| 176 | 'private': 'private', |
|
176 | 'private': 'private', | |
| 177 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, |
|
177 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, | |
| 178 | 'csrf_token': self.csrf_token}, |
|
178 | 'csrf_token': self.csrf_token}, | |
| 179 | status=302) |
|
179 | status=302) | |
| 180 | response = response.follow() |
|
180 | response = response.follow() | |
| 181 | response.mustcontain('added file: private-foo<') |
|
181 | response.mustcontain('added file: private-foo<') | |
| 182 | response.mustcontain('private gist test') |
|
182 | response.mustcontain('private gist test') | |
| 183 | response.mustcontain('Private Gist') |
|
183 | response.mustcontain('Private Gist') | |
| 184 | # Make sure private gists are not indexed by robots |
|
184 | # Make sure private gists are not indexed by robots | |
| 185 | response.mustcontain( |
|
185 | response.mustcontain( | |
| 186 | '<meta name="robots" content="noindex, nofollow">') |
|
186 | '<meta name="robots" content="noindex, nofollow">') | |
| 187 |
|
187 | |||
| 188 | def test_create_private_acl_private(self): |
|
188 | def test_create_private_acl_private(self): | |
| 189 | self.log_user() |
|
189 | self.log_user() | |
| 190 | response = self.app.post( |
|
190 | response = self.app.post( | |
| 191 | url('gists'), |
|
191 | url('gists'), | |
| 192 | params={'lifetime': -1, |
|
192 | params={'lifetime': -1, | |
| 193 | 'content': 'private gist test', |
|
193 | 'content': 'private gist test', | |
| 194 | 'filename': 'private-foo', |
|
194 | 'filename': 'private-foo', | |
| 195 | 'private': 'private', |
|
195 | 'private': 'private', | |
| 196 | 'gist_acl_level': Gist.ACL_LEVEL_PRIVATE, |
|
196 | 'gist_acl_level': Gist.ACL_LEVEL_PRIVATE, | |
| 197 | 'csrf_token': self.csrf_token}, |
|
197 | 'csrf_token': self.csrf_token}, | |
| 198 | status=302) |
|
198 | status=302) | |
| 199 | response = response.follow() |
|
199 | response = response.follow() | |
| 200 | response.mustcontain('added file: private-foo<') |
|
200 | response.mustcontain('added file: private-foo<') | |
| 201 | response.mustcontain('private gist test') |
|
201 | response.mustcontain('private gist test') | |
| 202 | response.mustcontain('Private Gist') |
|
202 | response.mustcontain('Private Gist') | |
| 203 | # Make sure private gists are not indexed by robots |
|
203 | # Make sure private gists are not indexed by robots | |
| 204 | response.mustcontain( |
|
204 | response.mustcontain( | |
| 205 | '<meta name="robots" content="noindex, nofollow">') |
|
205 | '<meta name="robots" content="noindex, nofollow">') | |
| 206 |
|
206 | |||
| 207 | def test_create_with_description(self): |
|
207 | def test_create_with_description(self): | |
| 208 | self.log_user() |
|
208 | self.log_user() | |
| 209 | response = self.app.post( |
|
209 | response = self.app.post( | |
| 210 | url('gists'), |
|
210 | url('gists'), | |
| 211 | params={'lifetime': -1, |
|
211 | params={'lifetime': -1, | |
| 212 | 'content': 'gist test', |
|
212 | 'content': 'gist test', | |
| 213 | 'filename': 'foo-desc', |
|
213 | 'filename': 'foo-desc', | |
| 214 | 'description': 'gist-desc', |
|
214 | 'description': 'gist-desc', | |
| 215 | 'public': 'public', |
|
215 | 'public': 'public', | |
| 216 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, |
|
216 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, | |
| 217 | 'csrf_token': self.csrf_token}, |
|
217 | 'csrf_token': self.csrf_token}, | |
| 218 | status=302) |
|
218 | status=302) | |
| 219 | response = response.follow() |
|
219 | response = response.follow() | |
| 220 | response.mustcontain('added file: foo-desc') |
|
220 | response.mustcontain('added file: foo-desc') | |
| 221 | response.mustcontain('gist test') |
|
221 | response.mustcontain('gist test') | |
| 222 | response.mustcontain('gist-desc') |
|
222 | response.mustcontain('gist-desc') | |
| 223 |
|
223 | |||
| 224 | def test_create_public_with_anonymous_access(self): |
|
224 | def test_create_public_with_anonymous_access(self): | |
| 225 | self.log_user() |
|
225 | self.log_user() | |
| 226 | params = { |
|
226 | params = { | |
| 227 | 'lifetime': -1, |
|
227 | 'lifetime': -1, | |
| 228 | 'content': 'gist test', |
|
228 | 'content': 'gist test', | |
| 229 | 'filename': 'foo-desc', |
|
229 | 'filename': 'foo-desc', | |
| 230 | 'description': 'gist-desc', |
|
230 | 'description': 'gist-desc', | |
| 231 | 'public': 'public', |
|
231 | 'public': 'public', | |
| 232 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, |
|
232 | 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, | |
| 233 | 'csrf_token': self.csrf_token |
|
233 | 'csrf_token': self.csrf_token | |
| 234 | } |
|
234 | } | |
| 235 | response = self.app.post(url('gists'), params=params, status=302) |
|
235 | response = self.app.post(url('gists'), params=params, status=302) | |
| 236 | self.logout_user() |
|
236 | self.logout_user() | |
| 237 | response = response.follow() |
|
237 | response = response.follow() | |
| 238 | response.mustcontain('added file: foo-desc') |
|
238 | response.mustcontain('added file: foo-desc') | |
| 239 | response.mustcontain('gist test') |
|
239 | response.mustcontain('gist test') | |
| 240 | response.mustcontain('gist-desc') |
|
240 | response.mustcontain('gist-desc') | |
| 241 |
|
241 | |||
| 242 | def test_new(self): |
|
242 | def test_new(self): | |
| 243 | self.log_user() |
|
243 | self.log_user() | |
| 244 | self.app.get(url('new_gist')) |
|
244 | self.app.get(url('new_gist')) | |
| 245 |
|
245 | |||
| 246 | def test_delete(self, create_gist): |
|
246 | def test_delete(self, create_gist): | |
| 247 | self.log_user() |
|
247 | self.log_user() | |
| 248 | gist = create_gist('delete-me') |
|
248 | gist = create_gist('delete-me') | |
| 249 | response = self.app.post( |
|
249 | response = self.app.post( | |
| 250 | url('gist', gist_id=gist.gist_id), |
|
250 | url('gist', gist_id=gist.gist_id), | |
| 251 | params={'_method': 'delete', 'csrf_token': self.csrf_token}) |
|
251 | params={'_method': 'delete', 'csrf_token': self.csrf_token}) | |
| 252 | assert_session_flash(response, 'Deleted gist %s' % gist.gist_id) |
|
252 | assert_session_flash(response, 'Deleted gist %s' % gist.gist_id) | |
| 253 |
|
253 | |||
| 254 | def test_delete_normal_user_his_gist(self, create_gist): |
|
254 | def test_delete_normal_user_his_gist(self, create_gist): | |
| 255 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) |
|
255 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) | |
| 256 | gist = create_gist('delete-me', owner=TEST_USER_REGULAR_LOGIN) |
|
256 | gist = create_gist('delete-me', owner=TEST_USER_REGULAR_LOGIN) | |
| 257 | response = self.app.post( |
|
257 | response = self.app.post( | |
| 258 | url('gist', gist_id=gist.gist_id), |
|
258 | url('gist', gist_id=gist.gist_id), | |
| 259 | params={'_method': 'delete', 'csrf_token': self.csrf_token}) |
|
259 | params={'_method': 'delete', 'csrf_token': self.csrf_token}) | |
| 260 | assert_session_flash(response, 'Deleted gist %s' % gist.gist_id) |
|
260 | assert_session_flash(response, 'Deleted gist %s' % gist.gist_id) | |
| 261 |
|
261 | |||
| 262 | def test_delete_normal_user_not_his_own_gist(self, create_gist): |
|
262 | def test_delete_normal_user_not_his_own_gist(self, create_gist): | |
| 263 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) |
|
263 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) | |
| 264 | gist = create_gist('delete-me') |
|
264 | gist = create_gist('delete-me') | |
| 265 | self.app.post( |
|
265 | self.app.post( | |
| 266 | url('gist', gist_id=gist.gist_id), |
|
266 | url('gist', gist_id=gist.gist_id), | |
| 267 | params={'_method': 'delete', 'csrf_token': self.csrf_token}, |
|
267 | params={'_method': 'delete', 'csrf_token': self.csrf_token}, | |
| 268 | status=403) |
|
268 | status=403) | |
| 269 |
|
269 | |||
| 270 | def test_show(self, create_gist): |
|
270 | def test_show(self, create_gist): | |
| 271 | gist = create_gist('gist-show-me') |
|
271 | gist = create_gist('gist-show-me') | |
| 272 | response = self.app.get(url('gist', gist_id=gist.gist_access_id)) |
|
272 | response = self.app.get(url('gist', gist_id=gist.gist_access_id)) | |
| 273 |
|
273 | |||
| 274 | response.mustcontain('added file: gist-show-me<') |
|
274 | response.mustcontain('added file: gist-show-me<') | |
| 275 |
|
275 | |||
| 276 | assert_response = AssertResponse(response) |
|
276 | assert_response = AssertResponse(response) | |
| 277 | assert_response.element_equals_to( |
|
277 | assert_response.element_equals_to( | |
| 278 | 'div.rc-user span.user', |
|
278 | 'div.rc-user span.user', | |
| 279 | '<span class="user"> %s</span>' % h.link_to_user('test_admin')) |
|
279 | '<span class="user"> %s</span>' % h.link_to_user('test_admin')) | |
| 280 |
|
280 | |||
| 281 | response.mustcontain('gist-desc') |
|
281 | response.mustcontain('gist-desc') | |
| 282 |
|
282 | |||
| 283 | def test_show_without_hg(self, create_gist): |
|
283 | def test_show_without_hg(self, create_gist): | |
| 284 | with mock.patch( |
|
284 | with mock.patch( | |
| 285 | 'rhodecode.lib.vcs.settings.ALIASES', ['git']): |
|
285 | 'rhodecode.lib.vcs.settings.ALIASES', ['git']): | |
| 286 | gist = create_gist('gist-show-me-again') |
|
286 | gist = create_gist('gist-show-me-again') | |
| 287 | self.app.get(url('gist', gist_id=gist.gist_access_id), status=200) |
|
287 | self.app.get(url('gist', gist_id=gist.gist_access_id), status=200) | |
| 288 |
|
288 | |||
| 289 | def test_show_acl_private(self, create_gist): |
|
289 | def test_show_acl_private(self, create_gist): | |
| 290 | gist = create_gist('gist-show-me-only-when-im-logged-in', |
|
290 | gist = create_gist('gist-show-me-only-when-im-logged-in', | |
| 291 | acl_level=Gist.ACL_LEVEL_PRIVATE) |
|
291 | acl_level=Gist.ACL_LEVEL_PRIVATE) | |
| 292 | self.app.get(url('gist', gist_id=gist.gist_access_id), status=404) |
|
292 | self.app.get(url('gist', gist_id=gist.gist_access_id), status=404) | |
| 293 |
|
293 | |||
| 294 | # now we log-in we should see thi gist |
|
294 | # now we log-in we should see thi gist | |
| 295 | self.log_user() |
|
295 | self.log_user() | |
| 296 | response = self.app.get(url('gist', gist_id=gist.gist_access_id)) |
|
296 | response = self.app.get(url('gist', gist_id=gist.gist_access_id)) | |
| 297 | response.mustcontain('added file: gist-show-me-only-when-im-logged-in') |
|
297 | response.mustcontain('added file: gist-show-me-only-when-im-logged-in') | |
| 298 |
|
298 | |||
| 299 | assert_response = AssertResponse(response) |
|
299 | assert_response = AssertResponse(response) | |
| 300 | assert_response.element_equals_to( |
|
300 | assert_response.element_equals_to( | |
| 301 | 'div.rc-user span.user', |
|
301 | 'div.rc-user span.user', | |
| 302 | '<span class="user"> %s</span>' % h.link_to_user('test_admin')) |
|
302 | '<span class="user"> %s</span>' % h.link_to_user('test_admin')) | |
| 303 | response.mustcontain('gist-desc') |
|
303 | response.mustcontain('gist-desc') | |
| 304 |
|
304 | |||
| 305 | def test_show_as_raw(self, create_gist): |
|
305 | def test_show_as_raw(self, create_gist): | |
| 306 | gist = create_gist('gist-show-me', content='GIST CONTENT') |
|
306 | gist = create_gist('gist-show-me', content='GIST CONTENT') | |
| 307 | response = self.app.get(url('formatted_gist', |
|
307 | response = self.app.get(url('formatted_gist', | |
| 308 | gist_id=gist.gist_access_id, format='raw')) |
|
308 | gist_id=gist.gist_access_id, format='raw')) | |
| 309 | assert response.body == 'GIST CONTENT' |
|
309 | assert response.body == 'GIST CONTENT' | |
| 310 |
|
310 | |||
| 311 | def test_show_as_raw_individual_file(self, create_gist): |
|
311 | def test_show_as_raw_individual_file(self, create_gist): | |
| 312 | gist = create_gist('gist-show-me-raw', content='GIST BODY') |
|
312 | gist = create_gist('gist-show-me-raw', content='GIST BODY') | |
| 313 | response = self.app.get(url('formatted_gist_file', |
|
313 | response = self.app.get(url('formatted_gist_file', | |
| 314 | gist_id=gist.gist_access_id, format='raw', |
|
314 | gist_id=gist.gist_access_id, format='raw', | |
| 315 | revision='tip', f_path='gist-show-me-raw')) |
|
315 | revision='tip', f_path='gist-show-me-raw')) | |
| 316 | assert response.body == 'GIST BODY' |
|
316 | assert response.body == 'GIST BODY' | |
| 317 |
|
317 | |||
| 318 | def test_edit_page(self, create_gist): |
|
318 | def test_edit_page(self, create_gist): | |
| 319 | self.log_user() |
|
319 | self.log_user() | |
| 320 | gist = create_gist('gist-for-edit', content='GIST EDIT BODY') |
|
320 | gist = create_gist('gist-for-edit', content='GIST EDIT BODY') | |
| 321 | response = self.app.get(url('edit_gist', gist_id=gist.gist_access_id)) |
|
321 | response = self.app.get(url('edit_gist', gist_id=gist.gist_access_id)) | |
| 322 | response.mustcontain('GIST EDIT BODY') |
|
322 | response.mustcontain('GIST EDIT BODY') | |
| 323 |
|
323 | |||
| 324 | def test_edit_page_non_logged_user(self, create_gist): |
|
324 | def test_edit_page_non_logged_user(self, create_gist): | |
| 325 | gist = create_gist('gist-for-edit', content='GIST EDIT BODY') |
|
325 | gist = create_gist('gist-for-edit', content='GIST EDIT BODY') | |
| 326 | self.app.get(url('edit_gist', gist_id=gist.gist_access_id), status=302) |
|
326 | self.app.get(url('edit_gist', gist_id=gist.gist_access_id), status=302) | |
| 327 |
|
327 | |||
| 328 | def test_edit_normal_user_his_gist(self, create_gist): |
|
328 | def test_edit_normal_user_his_gist(self, create_gist): | |
| 329 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) |
|
329 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) | |
| 330 | gist = create_gist('gist-for-edit', owner=TEST_USER_REGULAR_LOGIN) |
|
330 | gist = create_gist('gist-for-edit', owner=TEST_USER_REGULAR_LOGIN) | |
| 331 | self.app.get(url('edit_gist', gist_id=gist.gist_access_id, status=200)) |
|
331 | self.app.get(url('edit_gist', gist_id=gist.gist_access_id, status=200)) | |
| 332 |
|
332 | |||
| 333 | def test_edit_normal_user_not_his_own_gist(self, create_gist): |
|
333 | def test_edit_normal_user_not_his_own_gist(self, create_gist): | |
| 334 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) |
|
334 | self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) | |
| 335 | gist = create_gist('delete-me') |
|
335 | gist = create_gist('delete-me') | |
| 336 | self.app.get(url('edit_gist', gist_id=gist.gist_access_id), status=403) |
|
336 | self.app.get(url('edit_gist', gist_id=gist.gist_access_id), status=403) | |
| 337 |
|
337 | |||
| 338 | def test_user_first_name_is_escaped(self, user_util, create_gist): |
|
338 | def test_user_first_name_is_escaped(self, user_util, create_gist): | |
| 339 | xss_atack_string = '"><script>alert(\'First Name\')</script>' |
|
339 | xss_atack_string = '"><script>alert(\'First Name\')</script>' | |
| 340 | xss_escaped_string = ( |
|
340 | xss_escaped_string = ( | |
| 341 | '"><script>alert('First Name')</script' |
|
341 | '"><script>alert('First Name')</script' | |
| 342 | '>') |
|
342 | '>') | |
| 343 | password = 'test' |
|
343 | password = 'test' | |
| 344 | user = user_util.create_user( |
|
344 | user = user_util.create_user( | |
| 345 | firstname=xss_atack_string, password=password) |
|
345 | firstname=xss_atack_string, password=password) | |
| 346 | create_gist('gist', gist_type='public', owner=user.username) |
|
346 | create_gist('gist', gist_type='public', owner=user.username) | |
| 347 | response = self.app.get(url('gists')) |
|
347 | response = self.app.get(url('gists')) | |
| 348 | response.mustcontain(xss_escaped_string) |
|
348 | response.mustcontain(xss_escaped_string) | |
| 349 |
|
349 | |||
| 350 | def test_user_last_name_is_escaped(self, user_util, create_gist): |
|
350 | def test_user_last_name_is_escaped(self, user_util, create_gist): | |
| 351 | xss_atack_string = '"><script>alert(\'Last Name\')</script>' |
|
351 | xss_atack_string = '"><script>alert(\'Last Name\')</script>' | |
| 352 | xss_escaped_string = ( |
|
352 | xss_escaped_string = ( | |
| 353 | '"><script>alert('Last Name')</script>') |
|
353 | '"><script>alert('Last Name')</script>') | |
| 354 | password = 'test' |
|
354 | password = 'test' | |
| 355 | user = user_util.create_user( |
|
355 | user = user_util.create_user( | |
| 356 | lastname=xss_atack_string, password=password) |
|
356 | lastname=xss_atack_string, password=password) | |
| 357 | create_gist('gist', gist_type='public', owner=user.username) |
|
357 | create_gist('gist', gist_type='public', owner=user.username) | |
| 358 | response = self.app.get(url('gists')) |
|
358 | response = self.app.get(url('gists')) | |
| 359 | response.mustcontain(xss_escaped_string) |
|
359 | response.mustcontain(xss_escaped_string) | |
General Comments 0
You need to be logged in to leave comments.
Login now