added XSRF protection to all forms and associated tests
index b38f71cc65d96a4c6c532c7c2c646801d34d9fd0..69eba4668b27fbe4579d3b64d00fb7b28d24b322 100644 (file)
@@ -1,7 +1,9 @@
 from datetime import date
 from decimal import Decimal
-from bluechips.tests import *
 
+from webhelpers.html.secure_form import token_key
+
+from bluechips.tests import *
 from bluechips import model
 from bluechips.model import meta
 
@@ -75,6 +77,39 @@ class TestTransferController(TestController):
                                         action='edit',
                                         id=21424), status=404)
 
+    def test_update_nonexistent(self):
+        response = self.app.get(url_for(controller='transfer',
+                                        action='edit'))
+        params = self.sample_params.copy()
+        params[token_key] = response.form[token_key].value
+        self.app.post(url_for(controller='transfer',
+                              action='update',
+                              id=21424),
+                      params=params,
+                      status=404)
+
+    def test_xsrf_protection(self):
+        self.app.post(url_for(controller='transfer',
+                              action='update'),
+                      params=self.sample_params,
+                      status=403)
+
+
+    def test_update_get_redirects(self):
+        response = self.app.get(url_for(controller='transfer',
+                                        action='update'),
+                                status=302)
+        assert (dict(response.headers)['location'] ==
+                url_for(controller='transfer', action='edit', qualified=True))
+
+    def setUp(self):
+        self.sample_params = {
+            'debtor_id': '1',
+            'creditor_id': '2',
+            'amount': '33.98',
+            'date': '4/1/2007',
+            'description': 'Example transfer params.'}
+
     def tearDown(self):
         transfers = meta.Session.query(model.Transfer).all()
         for t in transfers:
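Review bot: test_xsrf_protection, at its single `self.app.post(..., status=403)` call, only exercises a POST that carries no token at all, so a server-side check that merely looks for the key's presence would pass this test just as well as one that compares the value against the session. A second post with `params = self.sample_params.copy()`, `params[token_key] = 'wrong-token'  # constructed, deliberately not the session value` and the same `status=403` expectation would pin the comparison rather than the presence. test_update_nonexistent already shows the pattern for obtaining the genuine token via `response.form[token_key].value`, so the two cases sit naturally side by side. As a point of style, `setUp` is placed after the tests it initialises and two blank lines separate test_xsrf_protection from test_update_get_redirects; moving the fixture to the top of the class and dropping the extra blank line keeps it where readers expect it. tearDown continues past the end of the hunk.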