10 |
10 |
import datetime
|
11 |
11 |
import time
|
12 |
12 |
import json
|
|
13 |
import sys
|
13 |
14 |
|
14 |
15 |
from quixote import cleanup, get_publisher
|
15 |
16 |
from wcs.qommon.errors import AccessForbiddenError
|
... | ... | |
260 |
261 |
with pytest.raises(AccessForbiddenError):
|
261 |
262 |
test_is_url_signed(utcnow=datetime.datetime(1970, 1, 1, 0, 0, 31))
|
262 |
263 |
|
|
264 |
def test_is_url_signed_check_nonce(pub, local_user):
|
|
265 |
pub.site_options.add_section('api-secrets')
|
|
266 |
pub.site_options.set('api-secrets', 'xxx', 'xxx')
|
|
267 |
# test clean_nonces do not bark when nonces directory is empty
|
|
268 |
if os.path.exists(os.path.join(pub.app_dir, 'nonces')):
|
|
269 |
shutil.rmtree(os.path.join(pub.app_dir, 'nonces'))
|
|
270 |
pub.clean_nonces()
|
|
271 |
signed_url = sign_url(
|
|
272 |
'?format=json&orig=xxx&email=%s' % urllib.quote(local_user.email),
|
|
273 |
'xxx', duration=1)
|
|
274 |
req = HTTPRequest(None, {'SCRIPT_NAME': '/', 'SERVER_NAME': 'example.net',
|
|
275 |
'QUERY_STRING': signed_url[1:]})
|
|
276 |
req.process_inputs()
|
|
277 |
pub.set_app_dir(req)
|
|
278 |
pub._set_request(req)
|
|
279 |
|
|
280 |
assert is_url_signed()
|
|
281 |
with pytest.raises(AccessForbiddenError):
|
|
282 |
req.signed = False
|
|
283 |
is_url_signed()
|
|
284 |
assert sys.exc_value.public_msg == 'nonce already used'
|
|
285 |
# test that clean nonces works
|
|
286 |
assert os.listdir(os.path.join(pub.app_dir, 'nonces'))
|
|
287 |
time.sleep(3.)
|
|
288 |
pub.clean_nonces(delta=0)
|
|
289 |
assert not os.listdir(os.path.join(pub.app_dir, 'nonces'))
|
|
290 |
|
263 |
291 |
def test_get_user_compat_endpoint(pub, local_user):
|
264 |
292 |
signed_url = sign_url(
|
265 |
293 |
'http://example.net/user?format=json&orig=coucou&email=%s' % urllib.quote(local_user.email),
|
... | ... | |
415 |
443 |
assert resp.json['err'] == 1
|
416 |
444 |
assert resp.json['err_desc'] == 'unsigned API call'
|
417 |
445 |
|
418 |
|
signed_url = sign_url('http://example.net/api/formdefs/test/submit' +
|
419 |
|
'?format=json&orig=coucou&email=%s' % urllib.quote(local_user.email), '1234')
|
420 |
|
url = signed_url[len('http://example.net'):]
|
421 |
|
resp = get_app(pub).post_json(url, {'data': {}})
|
|
446 |
def url():
|
|
447 |
signed_url = sign_url('http://example.net/api/formdefs/test/submit' +
|
|
448 |
'?format=json&orig=coucou&email=%s' % urllib.quote(local_user.email), '1234')
|
|
449 |
return signed_url[len('http://example.net'):]
|
|
450 |
resp = get_app(pub).post_json(url(), {'data': {}})
|
422 |
451 |
assert resp.json['err'] == 0
|
423 |
452 |
assert data_class.get(resp.json['data']['id']).status == 'wf-new'
|
424 |
453 |
assert data_class.get(resp.json['data']['id']).user_id == str(local_user.id)
|
... | ... | |
426 |
455 |
|
427 |
456 |
formdef.disabled = True
|
428 |
457 |
formdef.store()
|
429 |
|
resp = get_app(pub).post_json(url, {'data': {}}, status=403)
|
|
458 |
resp = get_app(pub).post_json(url(), {'data': {}}, status=403)
|
430 |
459 |
assert resp.json['err'] == 1
|
431 |
460 |
assert resp.json['err_desc'] == 'disabled form'
|
432 |
461 |
|
433 |
462 |
formdef.disabled = False
|
434 |
463 |
formdef.store()
|
435 |
|
resp = get_app(pub).post_json(url, {'meta': {'backoffice-submission': True}, 'data': {}}, status=403)
|
|
464 |
resp = get_app(pub).post_json(url(), {'meta': {'backoffice-submission': True}, 'data': {}}, status=403)
|
436 |
465 |
formdef.backoffice_submission_roles = ['xx']
|
437 |
466 |
formdef.store()
|
438 |
|
resp = get_app(pub).post_json(url, {'meta': {'backoffice-submission': True}, 'data': {}}, status=403)
|
|
467 |
resp = get_app(pub).post_json(url(), {'meta': {'backoffice-submission': True}, 'data': {}}, status=403)
|
439 |
468 |
formdef.backoffice_submission_roles = [role.id]
|
440 |
469 |
formdef.store()
|
441 |
|
resp = get_app(pub).post_json(url, {'meta': {'backoffice-submission': True}, 'data': {}})
|
|
470 |
resp = get_app(pub).post_json(url(), {'meta': {'backoffice-submission': True}, 'data': {}})
|
442 |
471 |
assert data_class.get(resp.json['data']['id']).status == 'wf-new'
|
443 |
472 |
assert data_class.get(resp.json['data']['id']).backoffice_submission is True
|
444 |
473 |
assert data_class.get(resp.json['data']['id']).user_id is None
|
... | ... | |
446 |
475 |
|
447 |
476 |
formdef.enable_tracking_codes = True
|
448 |
477 |
formdef.store()
|
449 |
|
resp = get_app(pub).post_json(url, {'data': {}})
|
|
478 |
resp = get_app(pub).post_json(url(), {'data': {}})
|
450 |
479 |
assert data_class.get(resp.json['data']['id']).tracking_code
|
451 |
480 |
|
452 |
|
resp = get_app(pub).post_json(url, {'meta': {'draft': True}, 'data': {}})
|
|
481 |
resp = get_app(pub).post_json(url(), {'meta': {'draft': True}, 'data': {}})
|
453 |
482 |
assert data_class.get(resp.json['data']['id']).status == 'draft'
|
454 |
483 |
|
455 |
|
resp = get_app(pub).post_json(url, {'meta': {'backoffice-submission': True}, 'data': {},
|
|
484 |
resp = get_app(pub).post_json(url(), {'meta': {'backoffice-submission': True}, 'data': {},
|
456 |
485 |
'context': {'channel': 'mail', 'comments': 'blah'} })
|
457 |
486 |
assert data_class.get(resp.json['data']['id']).status == 'wf-new'
|
458 |
487 |
assert data_class.get(resp.json['data']['id']).backoffice_submission is True
|
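Review bot: In `test_is_url_signed_check_nonce`, the replay check reads the rejection message through `sys.exc_value` (new line 284), which is interpreter-global state, long deprecated in Python 2 and absent in Python 3, rather than the exception that `pytest.raises` caught. Indentation is lost in this rendering, but if that assert sits inside the `with pytest.raises(AccessForbiddenError):` block after `is_url_signed()`, it never executes and the 'nonce already used' message goes unverified. Binding the exception ties the check to the actual rejection: `with pytest.raises(AccessForbiddenError) as excinfo:` and then, after the block, `assert excinfo.value.public_msg == 'nonce already used'`.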