From 4f0a616f1bb2c7efeb5df865dcb877b1d8f947f4 Mon Sep 17 00:00:00 2001
From: Glandos
Date: Sun, 18 Jul 2021 00:04:16 +0200
Subject: [PATCH] =?UTF-8?q?project=5Fid=20can=20be=20None=20in=20verify=5F?=
 =?UTF-8?q?token,=20don't=20make=20a=20DB=C2=A0request?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a test for valid token with invalid project_id query parameter
---
 ihatemoney/models.py | 2 +-
 ihatemoney/tests/budget_test.py | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ihatemoney/models.py b/ihatemoney/models.py
index 2a4cf3a4..0de2011a 100644
--- a/ihatemoney/models.py
+++ b/ihatemoney/models.py
@@ -378,7 +378,7 @@ class Project(db.Model):
 )
 loads_kwargs["max_age"] = max_age
 else:
- project = Project.query.get(project_id)
+ project = Project.query.get(project_id) if project_id is not None else None
 password = project.password if project is not None else ""
 serializer = URLSafeSerializer(
 current_app.config["SECRET_KEY"] + password, salt=token_type
diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
index 6c858124..c0d03d28 100644
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@@ -4,6 +4,8 @@ import json
 import re
 from time import sleep
 import unittest
+from unittest.mock import MagicMock
+from urllib.parse import urlparse, urlencode, parse_qs, urlunparse
 
 from flask import session
 from markupsafe import Markup
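Review bot: The new `if project_id is not None else None` short-circuit should carry a comment, because the next context line (`password = project.password if project is not None else ""`) makes a missing project_id and an unknown project_id behave identically: in both cases the token is verified with `current_app.config["SECRET_KEY"]` plus an empty password suffix, so a reader may mistake the `else None` for a rejection of the request. Suggest placing above the changed line `# project_id may be None (no DB lookup; the token is then checked against SECRET_KEY alone, as for an unknown project)`. The stated motive, skipping a DB round-trip, presumably also avoids calling `Query.get(None)`; if that is the reason, name it in the comment. The enclosing method (verify_token, per the subject) starts before and ends after this hunk.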
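Review bot: `MagicMock` is imported but none of the nine lines this commit adds to budget_test.py uses it, so the import looks unused; unless code outside the diff relies on it, drop `from unittest.mock import MagicMock`. The `urllib.parse` names are also not in alphabetical order, while the surrounding stdlib imports are; `from urllib.parse import parse_qs, urlencode, urlparse, urlunparse` would keep isort/ruff quiet.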
@@ -88,6 +90,13 @@ class BudgetTestCase(IhatemoneyTestCase):
 )
 # Test empty and invalid tokens
 self.client.get("/exit")
+ # Use another project_id
+ parsed_url = urlparse(url)
+ query = parse_qs(parsed_url.query)
+ query['project_id'] = 'invalid'
+ resp = self.client.get(urlunparse(parsed_url._replace(query=urlencode(query, doseq=True))))
+ assert "You either provided a bad token" in resp.data.decode("utf-8")
+
 resp = self.client.get("/authenticate")
 self.assertIn("You either provided a bad token", resp.data.decode("utf-8"))
 resp = self.client.get("/authenticate?token=token")
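Review bot: The new case does not exercise the `project_id is not None` branch added in models.py: `'invalid'` is a non-None id, so `Project.query.get` still runs and returns None exactly as it did before the change. If the view passes an absent query parameter to verify_token as None (not visible from this hunk), add a second request with the parameter removed, `query.pop("project_id", None)` followed by the same `self.client.get(urlunparse(parsed_url._replace(query=urlencode(query, doseq=True))))` call and assertion, so the short-circuit is actually covered. On style, the adjacent lines use `self.assertIn(...)` and double quotes, so `self.assertIn("You either provided a bad token", resp.data.decode("utf-8"))` and `query["project_id"] = "invalid"` would match the file. The enclosing test method starts before and ends after this hunk.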