4
5
from django.conf import settings
5
from django.contrib.auth import SESSION_KEY
6
from django.contrib.auth import SESSION_KEY, REDIRECT_FIELD_NAME
6
7
from django.contrib.auth.forms import AuthenticationForm
7
8
from django.contrib.sites.models import Site, RequestSite
8
9
from django.contrib.auth.models import User
38
39
class PasswordResetTest(AuthViewsTestCase):
41
self.old_LANGUAGES = settings.LANGUAGES
42
self.old_LANGUAGE_CODE = settings.LANGUAGE_CODE
43
settings.LANGUAGES = (('en', 'English'),)
44
settings.LANGUAGE_CODE = 'en'
47
settings.LANGUAGES = self.old_LANGUAGES
48
settings.LANGUAGE_CODE = self.old_LANGUAGE_CODE
50
41
def test_email_not_found(self):
51
42
"Error is raised if the provided email address isn't currently registered"
52
43
response = self.client.get('/password_reset/')
193
184
self.assertEquals(response.context['site_name'], site.name)
194
185
self.assert_(isinstance(response.context['form'], AuthenticationForm),
195
186
'Login form is not an AuthenticationForm')
188
def test_security_check(self, password='password'):
189
login_url = reverse('django.contrib.auth.views.login')
191
# Those URLs should not pass the security check
192
for bad_url in ('http://example.com',
193
'https://example.com',
197
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
199
'next': REDIRECT_FIELD_NAME,
200
'bad_url': urllib.quote(bad_url)
202
response = self.client.post(nasty_url, {
203
'username': 'testclient',
204
'password': password,
207
self.assertEquals(response.status_code, 302)
208
self.assertFalse(bad_url in response['Location'], "%s should be blocked" % bad_url)
210
# Now, these URLs have an other URL as a GET parameter and therefore
212
for url_ in ('http://example.com', 'https://example.com',
213
'ftp://exampel.com', '//example.com'):
214
safe_url = '%(url)s?%(next)s=/view/?param=%(safe_param)s' % {
216
'next': REDIRECT_FIELD_NAME,
217
'safe_param': urllib.quote(url_)
219
response = self.client.post(safe_url, {
220
'username': 'testclient',
221
'password': password,
224
self.assertEquals(response.status_code, 302)
225
self.assertTrue('/view/?param=%s' % url_ in response['Location'], "/view/?param=%s should be allowed" % url_)
197
228
class LogoutTest(AuthViewsTestCase):
198
229
urls = 'django.contrib.auth.tests.urls'