X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=bluechips%2Ftests%2Ffunctional%2Ftest_transfer.py;h=69eba4668b27fbe4579d3b64d00fb7b28d24b322;hb=9cc05ca9160a9432d037afb9cc22c511e2542947;hp=9e01e6a455725f8d82fdb6dd375dff4a165aa858;hpb=c71777cf6aad82837ae5f1b6bdef8f34a5b5ec44;p=bluechips.git
diff --git a/bluechips/tests/functional/test_transfer.py b/bluechips/tests/functional/test_transfer.py
index 9e01e6a..69eba46 100644
--- a/bluechips/tests/functional/test_transfer.py
+++ b/bluechips/tests/functional/test_transfer.py
@@ -1,7 +1,9 @@
 from datetime import date
 from decimal import Decimal
-from bluechips.tests import *
+from webhelpers.html.secure_form import token_key
+
+from bluechips.tests import *
 from bluechips import model
 from bluechips.model import meta
@@ -76,11 +78,22 @@ class TestTransferController(TestController):
 id=21424), status=404)
 def test_update_nonexistent(self):
- response = self.app.post(url_for(controller='transfer',
- action='update',
- id=21424),
- params=self.sample_params,
- status=404)
+ response = self.app.get(url_for(controller='transfer',
+ action='edit'))
+ params = self.sample_params.copy()
+ params[token_key] = response.form[token_key].value
+ self.app.post(url_for(controller='transfer',
+ action='update',
+ id=21424),
+ params=params,
+ status=404)
+
+ def test_xsrf_protection(self):
+ self.app.post(url_for(controller='transfer',
+ action='update'),
+ params=self.sample_params,
+ status=403)
+
 def test_update_get_redirects(self):
 response = self.app.get(url_for(controller='transfer',
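Review bot: `test_xsrf_protection` only sends a POST with no token field at all, so it would still pass if the controller checked merely that the field is present rather than that its value matches the token issued to the session. A second POST in the same test with a deliberately wrong value would close that gap: `params = self.sample_params.copy()` followed by `params[token_key] = 'wrong-token'` (a constructed value), still expecting `status=403`. The request also omits `id`, so the test does not show that an update aimed at an existing transfer is rejected before anything is written; asserting afterwards that the stored transfers are unchanged would cover that. The trailing context, `test_update_get_redirects`, continues outside the hunk.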