From b43936f2ec37f47277899a91a5464091bd80ad3a Mon Sep 17 00:00:00 2001
From: Ben Lomax
Date: Wed, 26 Apr 2023 06:48:33 +0100
Subject: [PATCH] Moved clickjacking decorator tests into decorators/test_clickjacking.py. This also adds extra assertions.
---
 tests/decorators/test_clickjacking.py | 50 +++++++++++++++++++++++
 tests/decorators/tests.py | 57 ---------------------------
 2 files changed, 50 insertions(+), 57 deletions(-)
 create mode 100644 tests/decorators/test_clickjacking.py
diff --git a/tests/decorators/test_clickjacking.py b/tests/decorators/test_clickjacking.py
new file mode 100644
index 0000000000..278950082d
--- /dev/null
+++ b/tests/decorators/test_clickjacking.py
@@ -0,0 +1,50 @@
+from django.http import HttpRequest, HttpResponse
+from django.middleware.clickjacking import XFrameOptionsMiddleware
+from django.test import SimpleTestCase
+from django.views.decorators.clickjacking import (
+ xframe_options_deny,
+ xframe_options_exempt,
+ xframe_options_sameorigin,
+)
+
+
+class XFrameOptionsDenyTests(SimpleTestCase):
+ def test_decorator_sets_x_frame_options_to_deny(self):
+ @xframe_options_deny
+ def a_view(request):
+ return HttpResponse()
+
+ response = a_view(HttpRequest())
+ self.assertEqual(response.headers["X-Frame-Options"], "DENY")
+
+
+class XFrameOptionsSameoriginTests(SimpleTestCase):
+ def test_decorator_sets_x_frame_options_to_sameorigin(self):
+ @xframe_options_sameorigin
+ def a_view(request):
+ return HttpResponse()
+
+ response = a_view(HttpRequest())
+ self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
+
+
+class XFrameOptionsExemptTests(SimpleTestCase):
+ def test_decorator_stops_x_frame_options_being_set(self):
+ """
+ @xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
+ the header.
+ """
+
+ @xframe_options_exempt
+ def a_view(request):
+ return HttpResponse()
+
+ request = HttpRequest()
+ response = a_view(request)
+ self.assertIsNone(response.get("X-Frame-Options", None))
+ self.assertIs(response.xframe_options_exempt, True)
+
+ # The real purpose of the exempt decorator is to suppress the
+ # middleware's functionality.
+ middleware_response = XFrameOptionsMiddleware(a_view)(request)
+ self.assertIsNone(middleware_response.get("X-Frame-Options"))
diff --git a/tests/decorators/tests.py b/tests/decorators/tests.py
index 48f24503d0..2d10c33188 100644
--- a/tests/decorators/tests.py
+++ b/tests/decorators/tests.py
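Review bot: The final assertion in `test_decorator_stops_x_frame_options_being_set` has no control, so it would still pass if `XFrameOptionsMiddleware` stopped adding the header to every response, exempt or not. Pair it with an undecorated view run through the same middleware, e.g. `control = XFrameOptionsMiddleware(lambda request: HttpResponse())(request)` followed by `self.assertIsNotNone(control.get("X-Frame-Options"))`. The deny and sameorigin tests also call the decorated view directly; a case that passes an `@xframe_options_sameorigin` view through the middleware and still expects `SAMEORIGIN` would pin that the per-view value is not replaced by the site-wide default, unless that is already covered in the middleware's own tests outside this patch.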
@@ -8,17 +8,11 @@ from django.contrib.auth.decorators import (
 user_passes_test,
 )
 from django.http import HttpRequest, HttpResponse, HttpResponseNotAllowed
-from django.middleware.clickjacking import XFrameOptionsMiddleware
 from django.test import SimpleTestCase
 from django.utils.decorators import method_decorator
 from django.utils.functional import keep_lazy, keep_lazy_text, lazy
 from django.utils.safestring import mark_safe
 from django.views.decorators.cache import cache_control, cache_page, never_cache
-from django.views.decorators.clickjacking import (
- xframe_options_deny,
- xframe_options_exempt,
- xframe_options_sameorigin,
-)
 from django.views.decorators.http import (
 condition,
 require_GET,
@@ -463,54 +457,3 @@ class MethodDecoratorTests(SimpleTestCase):
 Test().method()
 self.assertEqual(func_name, "method")
 self.assertIsNotNone(func_module)
-
-
-class XFrameOptionsDecoratorsTests(TestCase):
- """
- Tests for the X-Frame-Options decorators.
- """
-
- def test_deny_decorator(self):
- """
- Ensures @xframe_options_deny properly sets the X-Frame-Options header.
- """
-
- @xframe_options_deny
- def a_view(request):
- return HttpResponse()
-
- r = a_view(HttpRequest())
- self.assertEqual(r.headers["X-Frame-Options"], "DENY")
-
- def test_sameorigin_decorator(self):
- """
- Ensures @xframe_options_sameorigin properly sets the X-Frame-Options
- header.
- """
-
- @xframe_options_sameorigin
- def a_view(request):
- return HttpResponse()
-
- r = a_view(HttpRequest())
- self.assertEqual(r.headers["X-Frame-Options"], "SAMEORIGIN")
-
- def test_exempt_decorator(self):
- """
- Ensures @xframe_options_exempt properly instructs the
- XFrameOptionsMiddleware to NOT set the header.
- """
-
- @xframe_options_exempt
- def a_view(request):
- return HttpResponse()
-
- req = HttpRequest()
- resp = a_view(req)
- self.assertIsNone(resp.get("X-Frame-Options", None))
- self.assertTrue(resp.xframe_options_exempt)
-
- # Since the real purpose of the exempt decorator is to suppress
- # the middleware's functionality, let's make sure it actually works...
- r = XFrameOptionsMiddleware(a_view)(req)
- self.assertIsNone(r.get("X-Frame-Options", None))