0001-misc-return-400-when-an-improrer-next-parameter-is-g.patch
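--- a/combo/public/views.py
+++ b/combo/public/views.py
@@ -60,8 +60,11 @@
 if any(get_idps()):
 if not 'next' in request.GET:
 return HttpResponseRedirect(resolve_url('mellon_login'))
-return HttpResponseRedirect(resolve_url('mellon_login') + '?next='
-+ urllib.quote(request.GET.get('next')))
+try:
+quoted_next_url = urllib.quote(request.GET.get('next'))
+except KeyError:
+return HttpResponseBadRequest('invalid value for "next" parameter')
+return HttpResponseRedirect(resolve_url('mellon_login') + '?next=' + quoted_next_url)
 return auth_views.login(request, *args, **kwargs)
 
 def logout(request, next_page=None):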
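Review bot: The `except KeyError:` around `urllib.quote(...)` in the `any(get_idps())` branch depends on a behaviour the code does not explain: it appears to rely on Python 2's `urllib.quote` raising KeyError for a unicode string containing non-ASCII characters, so any `next` with such a character gets the 400, not only malformed input like the `%e0%40` case in the test. I'd add a comment on the `try:` such as `# urllib.quote() raises KeyError on non-ASCII unicode input (Python 2)`, so the handler is not mistaken for dead code or silently broken by a port to `urllib.parse.quote`. Separately, this check only rejects values that cannot be quoted; nothing visible here restricts `next` to a same-site target before it is forwarded to `mellon_login`, so confirm that view validates it (or check it here with Django's `is_safe_url`) to avoid an open redirect. The enclosing login view starts above the hunk.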
tests/test_public.py | ||
---|---|---|
16 | 16 |
from django.test import override_settings |
17 | 17 |
from django.test.utils import CaptureQueriesContext |
18 | 18 | |
19 |
try: |
|
20 |
import mellon |
|
21 |
except ImportError: |
|
22 |
mellon = None |
|
23 | ||
19 | 24 |
from combo.wsgi import application |
20 | 25 |
from combo.data.models import (Page, CellBase, TextCell, ParentContentCell, |
21 | 26 |
FeedCell, LinkCell, ConfigJsonCell, Redirect, JsonCell) |
... | ... | |
73 | 78 |
resp = app.get('/', status=200) |
74 | 79 |
assert not 'Foobar' in resp.text |
75 | 80 | |
81 |
@pytest.mark.skipif('mellon is None') |
|
82 |
def test_mellon_login(app): |
|
83 |
with mock.patch('combo.public.views.get_idps') as get_idps: |
|
84 |
get_idps.return_value = ['xxx'] |
|
85 |
resp = app.get('/login/') |
|
86 |
assert urlparse.urlparse(resp.location).path == '/accounts/mellon/login/' |
|
87 |
resp = app.get('/login/?next=whatever') |
|
88 |
assert urlparse.urlparse(resp.location).query == 'next=whatever' |
|
89 |
resp = app.get('/login/?next=%e0%40', status=400) |
|
90 | ||
76 | 91 |
def test_page_contents_group_presence(app, normal_user): |
77 | 92 |
group = Group(name='plop') |
78 | 93 |
group.save() |
79 |
- |