From 9ad9bdd9363dedf50ab3fbe70375bd817f92512b Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Thu, 15 Dec 2022 15:55:33 -0700
Subject: Implement post rate limits, move to signed cookies

Also improve the test harness a little

Fixes #112
---
 tests/activities/views/test_compose.py | 68 +++++++++++++++++++-------------
 tests/activities/views/test_posts.py | 21 ++++------
 tests/activities/views/test_timelines.py | 19 +++------
 3 files changed, 54 insertions(+), 54 deletions(-)
(limited to 'tests/activities/views')

diff --git a/tests/activities/views/test_compose.py b/tests/activities/views/test_compose.py
index 2b8c4ea..2fdec3a 100644
--- a/tests/activities/views/test_compose.py
+++ b/tests/activities/views/test_compose.py
@@ -1,46 +1,58 @@
-import re
-from unittest import mock
-
 import pytest
-from django.core.exceptions import PermissionDenied
+from django.test.client import Client
+from pytest_django.asserts import assertContains
 from activities.models import Post
-from activities.views.compose import Compose
+from core.models import Config
+from users.models import Identity
 @pytest.mark.django_db
-def test_content_warning_text(identity, user, rf, config_system):
- request = rf.get("/compose/")
- request.user = user
- request.identity = identity
-
+def test_content_warning_text(
+ client_with_identity: Client,
+ config_system: Config.SystemOptions,
+):
+ """
+ Tests that changing the content warning name works
+ """
 config_system.content_warning_text = "Content Summary"
- with mock.patch("core.models.Config.load_system", return_value=config_system):
- view = Compose.as_view()
- resp = view(request)
- assert resp.status_code == 200
- content = str(resp.rendered_content)
- assert 'placeholder="Content Summary"' in content
- assert re.search(
- r"\s*Content Summary\s*", content, flags=re.MULTILINE
- )
+ response = client_with_identity.get("/compose/")
+ assertContains(response, 'placeholder="Content Summary"', status_code=200)
+ assertContains(
+ response, "", html=True
+ )
 @pytest.mark.django_db
-def test_post_edit_security(identity, user, rf, other_identity):
- # Create post
+def test_post_edit_security(client_with_identity: Client, other_identity: Identity):
+ """
+ Tests that you can't edit other users' posts with URL fiddling
+ """
 other_post = Post.objects.create(
 content="

OTHER POST!

",
 author=other_identity,
 local=True,
 visibility=Post.Visibilities.public,
 )
+ response = client_with_identity.get(other_post.urls.action_edit)
+ assert response.status_code == 403
- request = rf.get(other_post.get_absolute_url() + "edit/")
- request.user = user
- request.identity = identity
- view = Compose.as_view()
- with pytest.raises(PermissionDenied) as ex:
- view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id)
- assert str(ex.value) == "Post author is not requestor"
+@pytest.mark.django_db
+def test_rate_limit(identity: Identity, client_with_identity: Client):
+ """
+ Tests that the posting rate limit comes into force
+ """
+ # First post should go through
+ assert identity.posts.count() == 0
+ response = client_with_identity.post(
+ "/compose/", data={"text": "post 1", "visibility": "0"}
+ )
+ assert response.status_code == 302
+ assert identity.posts.count() == 1
+ # Second should not
+ response = client_with_identity.post(
+ "/compose/", data={"text": "post 2", "visibility": "0"}
+ )
+ assertContains(response, "You must wait at least", status_code=200)
+ assert identity.posts.count() == 1
diff --git a/tests/activities/views/test_posts.py b/tests/activities/views/test_posts.py
index ac148d0..a3dbc64 100644
--- a/tests/activities/views/test_posts.py
+++ b/tests/activities/views/test_posts.py
@@ -1,25 +1,20 @@
 import pytest
-from django.core.exceptions import PermissionDenied
+from django.test.client import Client
 from activities.models import Post
-from activities.views.posts import Delete
+from users.models import Identity
 @pytest.mark.django_db
-def test_post_delete_security(identity, user, rf, other_identity):
- # Create post
+def test_post_delete_security(client_with_identity: Client, other_identity: Identity):
+ """
+ Tests that you can't delete other users' posts with URL fiddling
+ """
 other_post = Post.objects.create(
 content="
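Review bot: `test_post_edit_security` now accepts any 403 returned for a GET, so it no longer shows that the author check is what refused the request, and it never sends the state-changing POST. The removed version pinned the reason with `"Post author is not requestor"`; with the test client the same intent can be kept by also posting to `other_post.urls.action_edit` and asserting that `other_post.content` is unchanged after `other_post.refresh_from_db()`. The same gap is in `test_post_delete_security` in tests/activities/views/test_posts.py, where this commit replaces `rf.post(...)` with `client_with_identity.get(other_post.urls.action_delete)`. If the delete view answers GET with 403 for an unrelated reason the test would still pass, so it should call `client_with_identity.post(other_post.urls.action_delete)` and assert that the post is still present afterwards.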

OTHER POST!

",
 author=other_identity,
 local=True,
 visibility=Post.Visibilities.public,
 )
-
- request = rf.post(other_post.get_absolute_url() + "delete/")
- request.user = user
- request.identity = identity
-
- view = Delete.as_view()
- with pytest.raises(PermissionDenied) as ex:
- view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id)
- assert str(ex.value) == "Post author is not requestor"
+ response = client_with_identity.get(other_post.urls.action_delete)
+ assert response.status_code == 403
diff --git a/tests/activities/views/test_timelines.py b/tests/activities/views/test_timelines.py
index 74bf43d..a2cbb32 100644
--- a/tests/activities/views/test_timelines.py
+++ b/tests/activities/views/test_timelines.py
@@ -1,19 +1,12 @@
-from unittest import mock
-
 import pytest
-from activities.views.timelines import Home
-
 @pytest.mark.django_db
-def test_content_warning_text(identity, user, rf, config_system):
- request = rf.get("/")
- request.user = user
- request.identity = identity
+def test_content_warning_text(client_with_identity, config_system):
 config_system.content_warning_text = "Content Summary"
- with mock.patch("core.models.Config.load_system", return_value=config_system):
- view = Home.as_view()
- resp = view(request)
- assert resp.status_code == 200
- assert 'placeholder="Content Summary"' in str(resp.rendered_content)
+
+ response = client_with_identity.get("/")
+
+ assert response.status_code == 200
+ assert 'placeholder="Content Summary"' in str(response.rendered_content)
--
cgit v1.2.3
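Review bot: The rewritten `test_content_warning_text` in test_timelines.py still asserts through `str(response.rendered_content)`, while the matching test in test_compose.py in this same commit uses `assertContains`. Replacing the last two assertions with `assertContains(response, 'placeholder="Content Summary"', status_code=200)` (plus `from pytest_django.asserts import assertContains`) would check status and body together and would not depend on the response exposing `rendered_content`. It is also the only rewritten test here without fixture annotations or a docstring; `client_with_identity: Client, config_system: Config.SystemOptions` and a one-line docstring such as `"""Tests that the home timeline uses the configured content warning name"""` would match the others.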