From 9ad9bdd9363dedf50ab3fbe70375bd817f92512b Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Thu, 15 Dec 2022 15:55:33 -0700
Subject: Implement post rate limits, move to signed cookies
Also improve the test harness a little
Fixes #112
---
 tests/activities/views/test_posts.py | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)
(limited to 'tests/activities/views/test_posts.py')
diff --git a/tests/activities/views/test_posts.py b/tests/activities/views/test_posts.py
index ac148d0..a3dbc64 100644
--- a/tests/activities/views/test_posts.py
+++ b/tests/activities/views/test_posts.py
@@ -1,25 +1,20 @@
 import pytest
-from django.core.exceptions import PermissionDenied
+from django.test.client import Client
 from activities.models import Post
-from activities.views.posts import Delete
+from users.models import Identity
 @pytest.mark.django_db
-def test_post_delete_security(identity, user, rf, other_identity):
- # Create post
+def test_post_delete_security(client_with_identity: Client, other_identity: Identity):
+ """
+ Tests that you can't delete other users' posts with URL fiddling
+ """
 other_post = Post.objects.create(
 content="

OTHER POST!

",
 author=other_identity,
 local=True,
 visibility=Post.Visibilities.public,
 )
-
- request = rf.post(other_post.get_absolute_url() + "delete/")
- request.user = user
- request.identity = identity
-
- view = Delete.as_view()
- with pytest.raises(PermissionDenied) as ex:
- view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id)
- assert str(ex.value) == "Post author is not requestor"
+ response = client_with_identity.get(other_post.urls.action_delete)
+ assert response.status_code == 403
--
cgit v1.2.3
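Review bot: The rewritten test only sends a GET (`client_with_identity.get(other_post.urls.action_delete)`), whereas the removed version drove the view with `rf.post(...)`, so the state-changing request is no longer exercised against the ownership check. If the delete view performs the deletion in its POST handler (not visible in this hunk), an authorization check that guards only GET would still pass this test. Consider adding `response = client_with_identity.post(other_post.urls.action_delete)` with the same `assert response.status_code == 403`, followed by a check that the record is untouched, for example `assert Post.objects.filter(pk=other_post.pk).exists()`, adapted to however deletion is recorded in this project. A bare 403 also no longer pins the reason the way the old `"Post author is not requestor"` assertion did, so a 403 from any other layer would satisfy it.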