From 9ad9bdd9363dedf50ab3fbe70375bd817f92512b Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Thu, 15 Dec 2022 15:55:33 -0700
Subject: Implement post rate limits, move to signed cookies

Also improve the test harness a little
Fixes #112
---
 .../activities/templatetags/test_activity_tags.py  | 11 +++-
 tests/activities/views/test_compose.py             | 68 +++++++++++++---------
 tests/activities/views/test_posts.py               | 21 +++----
 tests/activities/views/test_timelines.py           | 19 ++----
 4 files changed, 63 insertions(+), 56 deletions(-)

(limited to 'tests/activities')

diff --git a/tests/activities/templatetags/test_activity_tags.py b/tests/activities/templatetags/test_activity_tags.py
index 85d8cdf..9426337 100644
--- a/tests/activities/templatetags/test_activity_tags.py
+++ b/tests/activities/templatetags/test_activity_tags.py
@@ -5,7 +5,10 @@ from django.utils import timezone
 from activities.templatetags.activity_tags import linkify_hashtags, timedeltashort
 
 
-def test_timedeltashort_regress():
+def test_timedeltashort():
+    """
+    Tests that timedeltashort works correctly
+    """
     assert timedeltashort(None) == ""
     assert timedeltashort("") == ""
 
@@ -21,7 +24,11 @@ def test_timedeltashort_regress():
     assert timedeltashort(value - timedelta(days=366)) == "1y"
 
 
-def test_linkify_hashtags_regres():
+def test_linkify_hashtags():
+    """
+    Tests that linkify_hashtags works correctly
+    """
+
     assert linkify_hashtags(None) == ""
     assert linkify_hashtags("") == ""
 
diff --git a/tests/activities/views/test_compose.py b/tests/activities/views/test_compose.py
index 2b8c4ea..2fdec3a 100644
--- a/tests/activities/views/test_compose.py
+++ b/tests/activities/views/test_compose.py
@@ -1,46 +1,58 @@
-import re
-from unittest import mock
-
 import pytest
-from django.core.exceptions import PermissionDenied
+from django.test.client import Client
+from pytest_django.asserts import assertContains
 
 from activities.models import Post
-from activities.views.compose import Compose
+from core.models import Config
+from users.models import Identity
 
 
 @pytest.mark.django_db
-def test_content_warning_text(identity, user, rf, config_system):
-    request = rf.get("/compose/")
-    request.user = user
-    request.identity = identity
-
+def test_content_warning_text(
+    client_with_identity: Client,
+    config_system: Config.SystemOptions,
+):
+    """
+    Tests that changing the content warning name works
+    """
     config_system.content_warning_text = "Content Summary"
-    with mock.patch("core.models.Config.load_system", return_value=config_system):
-        view = Compose.as_view()
-        resp = view(request)
-        assert resp.status_code == 200
-        content = str(resp.rendered_content)
-        assert 'placeholder="Content Summary"' in content
-        assert re.search(
-            r"<label.*>\s*Content Summary\s*</label>", content, flags=re.MULTILINE
-        )
+    response = client_with_identity.get("/compose/")
+    assertContains(response, 'placeholder="Content Summary"', status_code=200)
+    assertContains(
+        response, "<label for='id_content_warning'>Content Summary</label>", html=True
+    )
 
 
 @pytest.mark.django_db
-def test_post_edit_security(identity, user, rf, other_identity):
-    # Create post
+def test_post_edit_security(client_with_identity: Client, other_identity: Identity):
+    """
+    Tests that you can't edit other users' posts with URL fiddling
+    """
     other_post = Post.objects.create(
         content="<p>OTHER POST!</p>",
         author=other_identity,
         local=True,
         visibility=Post.Visibilities.public,
     )
+    response = client_with_identity.get(other_post.urls.action_edit)
+    assert response.status_code == 403
 
-    request = rf.get(other_post.get_absolute_url() + "edit/")
-    request.user = user
-    request.identity = identity
 
-    view = Compose.as_view()
-    with pytest.raises(PermissionDenied) as ex:
-        view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id)
-    assert str(ex.value) == "Post author is not requestor"
+@pytest.mark.django_db
+def test_rate_limit(identity: Identity, client_with_identity: Client):
+    """
+    Tests that the posting rate limit comes into force
+    """
+    # First post should go through
+    assert identity.posts.count() == 0
+    response = client_with_identity.post(
+        "/compose/", data={"text": "post 1", "visibility": "0"}
+    )
+    assert response.status_code == 302
+    assert identity.posts.count() == 1
+    # Second should not
+    response = client_with_identity.post(
+        "/compose/", data={"text": "post 2", "visibility": "0"}
+    )
+    assertContains(response, "You must wait at least", status_code=200)
+    assert identity.posts.count() == 1
diff --git a/tests/activities/views/test_posts.py b/tests/activities/views/test_posts.py
index ac148d0..a3dbc64 100644
--- a/tests/activities/views/test_posts.py
+++ b/tests/activities/views/test_posts.py
@@ -1,25 +1,20 @@
 import pytest
-from django.core.exceptions import PermissionDenied
+from django.test.client import Client
 
 from activities.models import Post
-from activities.views.posts import Delete
+from users.models import Identity
 
 
 @pytest.mark.django_db
-def test_post_delete_security(identity, user, rf, other_identity):
-    # Create post
+def test_post_delete_security(client_with_identity: Client, other_identity: Identity):
+    """
+    Tests that you can't delete other users' posts with URL fiddling
+    """
     other_post = Post.objects.create(
         content="<p>OTHER POST!</p>",
         author=other_identity,
         local=True,
         visibility=Post.Visibilities.public,
     )
-
-    request = rf.post(other_post.get_absolute_url() + "delete/")
-    request.user = user
-    request.identity = identity
-
-    view = Delete.as_view()
-    with pytest.raises(PermissionDenied) as ex:
-        view(request, handle=other_identity.handle.lstrip("@"), post_id=other_post.id)
-    assert str(ex.value) == "Post author is not requestor"
+    response = client_with_identity.get(other_post.urls.action_delete)
+    assert response.status_code == 403
diff --git a/tests/activities/views/test_timelines.py b/tests/activities/views/test_timelines.py
index 74bf43d..a2cbb32 100644
--- a/tests/activities/views/test_timelines.py
+++ b/tests/activities/views/test_timelines.py
@@ -1,19 +1,12 @@
-from unittest import mock
-
 import pytest
 
-from activities.views.timelines import Home
-
 
 @pytest.mark.django_db
-def test_content_warning_text(identity, user, rf, config_system):
-    request = rf.get("/")
-    request.user = user
-    request.identity = identity
+def test_content_warning_text(client_with_identity, config_system):
 
     config_system.content_warning_text = "Content Summary"
-    with mock.patch("core.models.Config.load_system", return_value=config_system):
-        view = Home.as_view()
-        resp = view(request)
-        assert resp.status_code == 200
-        assert 'placeholder="Content Summary"' in str(resp.rendered_content)
+
+    response = client_with_identity.get("/")
+
+    assert response.status_code == 200
+    assert 'placeholder="Content Summary"' in str(response.rendered_content)
-- 
cgit v1.2.3