Verified Commit 83b62ad5 authored by Huste, Tobias (FWCC) - 111645's avatar Huste, Tobias (FWCC) - 111645

settings: fix views being accessible without login

- login_required must be put below blueprint.route, otherwise the view
can be accessed without authentication
- add tests for checking the login requirement for views
parent 59834d45
......@@ -32,7 +32,7 @@
{% block uploadbyurl_security_form %}
{%- with form = connect_form %}
<div class="well col-md-6 col-md-offset-3">
<h4>{{ _('Connect to to %(remote_name)s server:', remote_name=remote.name)}}</h4>
<h4>{{ _('Connect to %(remote_name)s server:', remote_name=remote.name)}}</h4>
<p>{{ _('We do not store your password. It is required to connect to the remote machine once and transfer an SSH key.') }}</p>
<form action="{{url_for('invenio_uploadbyurl_settings.init', remote_name=remote.name)}}" method="POST">
{{ form.csrf_token }}
......
......@@ -83,8 +83,8 @@ def index():
)
@login_required
@blueprint.route('/init/<remote_name>', methods=['GET', 'POST'])
@login_required
def init(remote_name):
"""Initialiaze connection to remote server."""
remote = RemoteServer.get_by_name(remote_name)
......@@ -105,8 +105,8 @@ def init(remote_name):
)
@login_required
@blueprint.route('/delete/<remote_name>', methods=['GET', 'POST'])
@login_required
def delete(remote_name):
"""Delete connection with remote server for current user."""
remote = RemoteServer.get_by_name(remote_name)
......
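Review bot: The corrected decorator order on `init` and `delete` is load-bearing but unexplained in the code, so a later cleanup could swap it back without any reviewer noticing; add a comment above each `@blueprint.route` line, e.g. `# login_required must be the innermost decorator (below blueprint.route): route() registers the function it receives, so an outer login_required would wrap a view that is already registered unprotected.` The `index` view appears only as hunk-header context here, so its decorator order cannot be confirmed from this section, although the new `test_index` does exercise the anonymous redirect. The context docstring `"""Initialiaze connection to remote server."""` on `init` has a typo (`Initialize`). Both function bodies continue outside the hunks.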
......@@ -52,6 +52,7 @@ from sqlalchemy_utils.functions import create_database, database_exists, \
from invenio_uploadbyurl import InvenioUploadByURL
from invenio_uploadbyurl.api import blueprint
from invenio_uploadbyurl.models import RemoteServer, SSHKey
from invenio_uploadbyurl.views.settings import blueprint as settings_blueprint
@pytest.yield_fixture()
......@@ -114,6 +115,7 @@ def app(base_app):
"""Flask application fixture."""
InvenioUploadByURL(base_app)
base_app.register_blueprint(blueprint)
base_app.register_blueprint(settings_blueprint)
with base_app.app_context():
yield base_app
......
# -*- coding: utf-8 -*-
#
# Copyright (C) 2018 HZDR
#
# This file is part of Rodare.
#
# Rodare is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Rodare is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Rodare. If not, see <http://www.gnu.org/licenses/>.
"""Test settings views."""
import os
from flask import url_for
from testutils import login_user
def test_index(client, user, remote):
"""Test the index view."""
url = url_for('invenio_uploadbyurl_settings.index')
resp = client.get(url)
# expect redirect to login form
assert resp.status_code == 302
assert '/login' in resp.location
login_user(client, user)
resp = client.get(url)
assert resp.status_code == 200
assert os.getenv('SFTP_SERVER') in str(resp.get_data())
def test_init(client, user, remote):
"""Test remote initialization view."""
init_url = url_for('invenio_uploadbyurl_settings.init', remote_name='foo')
resp = client.get(init_url)
# expect redirect to login form
assert resp.status_code == 302
assert '/login' in resp.location
login_user(client, user)
resp = client.get(init_url)
assert resp.status_code == 200
assert 'Connect to foo server:' in str(resp.get_data())
def test_delete(client, user, remote):
"""Test delete view."""
delete_url = url_for('invenio_uploadbyurl_settings.delete',
remote_name='foo')
resp = client.get(delete_url)
# expect redirect to login form
assert resp.status_code == 302
assert '/login' in resp.location
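Review bot: `assert os.getenv('SFTP_SERVER') in str(resp.get_data())` in `test_index` raises a TypeError instead of failing cleanly when `SFTP_SERVER` is unset, and `str(...)` on the bytes body compares against its `b'...'` repr; prefer `assert os.environ['SFTP_SERVER'] in resp.get_data(as_text=True)`, and the same `as_text=True` form for the `str(resp.get_data())` check in `test_init`. `test_delete` stops at the anonymous redirect and, unlike `test_init`, never calls the view as the logged-in user, so the authenticated path of `delete` has no coverage in this file; if that is deliberate because the fixtures provide no connection to delete, a one-line comment saying so would help. The three tests repeat the same redirect check verbatim; a small helper such as `assert_requires_login(client, url)` would keep them in sync if the login URL ever changes.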