mirror of https://github.com/django/django.git synced 2025-01-03 15:06:09 +00:00

Moved clickjacking decorator tests into decorators/test_clickjacking.py.

This also adds extra assertions.
Ben Lomax 2023-04-26 06:48:33 +01:00 committed by Mariusz Felisiak
parent a2da81fe08
commit b43936f2ec
2 changed files with 50 additions and 57 deletions


@ -0,0 +1,50 @@
from django.http import HttpRequest, HttpResponse
from django.middleware.clickjacking import XFrameOptionsMiddleware
from django.test import SimpleTestCase
from django.views.decorators.clickjacking import (
xframe_options_deny,
xframe_options_exempt,
xframe_options_sameorigin,
)
class XFrameOptionsDenyTests(SimpleTestCase):
def test_decorator_sets_x_frame_options_to_deny(self):
@xframe_options_deny
def a_view(request):
return HttpResponse()
response = a_view(HttpRequest())
self.assertEqual(response.headers["X-Frame-Options"], "DENY")
class XFrameOptionsSameoriginTests(SimpleTestCase):
def test_decorator_sets_x_frame_options_to_sameorigin(self):
@xframe_options_sameorigin
def a_view(request):
return HttpResponse()
response = a_view(HttpRequest())
self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
class XFrameOptionsExemptTests(SimpleTestCase):
def test_decorator_stops_x_frame_options_being_set(self):
"""
@xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
the header.
"""
@xframe_options_exempt
def a_view(request):
return HttpResponse()
request = HttpRequest()
response = a_view(request)
self.assertIsNone(response.get("X-Frame-Options", None))
self.assertIs(response.xframe_options_exempt, True)
# The real purpose of the exempt decorator is to suppress the
# middleware's functionality.
middleware_response = XFrameOptionsMiddleware(a_view)(request)
self.assertIsNone(middleware_response.get("X-Frame-Options"))
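Review bot: The final assertion in test_decorator_stops_x_frame_options_being_set is a negative check with no positive control, so it would also pass if XFrameOptionsMiddleware stopped setting the header for every view. A control through the same middleware with an undecorated view would show that the exemption is what suppresses the header, e.g. `control = XFrameOptionsMiddleware(lambda request: HttpResponse())(request)` followed by `self.assertIsNotNone(control.get("X-Frame-Options"))`. That case may already be covered in the middleware's own tests, which are not visible on this page. A smaller style point: the first check in the same test still passes a redundant default, `response.get("X-Frame-Options", None)`, while the last one drops it.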


@ -8,17 +8,11 @@ from django.contrib.auth.decorators import (
user_passes_test, user_passes_test,
) )
from django.http import HttpRequest, HttpResponse, HttpResponseNotAllowed from django.http import HttpRequest, HttpResponse, HttpResponseNotAllowed
from django.middleware.clickjacking import XFrameOptionsMiddleware
from django.test import SimpleTestCase from django.test import SimpleTestCase
from django.utils.decorators import method_decorator from django.utils.decorators import method_decorator
from django.utils.functional import keep_lazy, keep_lazy_text, lazy from django.utils.functional import keep_lazy, keep_lazy_text, lazy
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
from django.views.decorators.cache import cache_control, cache_page, never_cache from django.views.decorators.cache import cache_control, cache_page, never_cache
from django.views.decorators.clickjacking import (
xframe_options_deny,
xframe_options_exempt,
xframe_options_sameorigin,
)
from django.views.decorators.http import ( from django.views.decorators.http import (
condition, condition,
require_GET, require_GET,
@ -463,54 +457,3 @@ class MethodDecoratorTests(SimpleTestCase):
Test().method() Test().method()
self.assertEqual(func_name, "method") self.assertEqual(func_name, "method")
self.assertIsNotNone(func_module) self.assertIsNotNone(func_module)
class XFrameOptionsDecoratorsTests(TestCase):
"""
Tests for the X-Frame-Options decorators.
"""
def test_deny_decorator(self):
"""
Ensures @xframe_options_deny properly sets the X-Frame-Options header.
"""
@xframe_options_deny
def a_view(request):
return HttpResponse()
r = a_view(HttpRequest())
self.assertEqual(r.headers["X-Frame-Options"], "DENY")
def test_sameorigin_decorator(self):
"""
Ensures @xframe_options_sameorigin properly sets the X-Frame-Options
header.
"""
@xframe_options_sameorigin
def a_view(request):
return HttpResponse()
r = a_view(HttpRequest())
self.assertEqual(r.headers["X-Frame-Options"], "SAMEORIGIN")
def test_exempt_decorator(self):
"""
Ensures @xframe_options_exempt properly instructs the
XFrameOptionsMiddleware to NOT set the header.
"""
@xframe_options_exempt
def a_view(request):
return HttpResponse()
req = HttpRequest()
resp = a_view(req)
self.assertIsNone(resp.get("X-Frame-Options", None))
self.assertTrue(resp.xframe_options_exempt)
# Since the real purpose of the exempt decorator is to suppress
# the middleware's functionality, let's make sure it actually works...
r = XFrameOptionsMiddleware(a_view)(req)
self.assertIsNone(r.get("X-Frame-Options", None))