Add test cases to ensure we can't delete objects with a GET

2025-05-01 02:32:23 +02:00 · 2021-07-14 17:00:03 +02:00 · 2021-07-14 17:00:03 +02:00 · da49012d58
commit da49012d58
parent 255aacefb3
2 changed files with 37 additions and 1 deletions
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@ -252,6 +252,14 @@ class BudgetTestCase(IhatemoneyTestCase):
            # project added
            self.assertEqual(len(models.Project.query.all()), 1)

+            # Check that we can't delete project with a GET or with a
+            # password-less POST.
+            resp = self.client.get("/raclette/delete")
+            self.assertEqual(resp.status_code, 405)
+            self.client.post("/raclette/delete")
+            self.assertEqual(len(models.Project.query.all()), 1)
+
+            # Delete for real
            c.post(
                "/raclette/delete",
                data={"password": "party"},
@ -552,7 +560,11 @@ class BudgetTestCase(IhatemoneyTestCase):
        bill = models.Bill.query.one()
        self.assertEqual(bill.amount, 10, "bill edition")

-        # delete the bill
+        # Try to delete the bill with a GET: it should fail
+        response = self.client.get(f"/raclette/delete/{bill.id}")
+        self.assertEqual(response.status_code, 405)
+        self.assertEqual(1, len(models.Bill.query.all()), "bill deletion")
+        # Really delete the bill
        self.client.post(f"/raclette/delete/{bill.id}")
        self.assertEqual(0, len(models.Bill.query.all()), "bill deletion")

--- a/ihatemoney/tests/history_test.py
+++ b/ihatemoney/tests/history_test.py
@ -235,6 +235,16 @@ class HistoryTestCase(IhatemoneyTestCase):
        # Disable logging
        self.change_privacy_to(LoggingMode.DISABLED)

+        # Ensure we can't clear history with a GET or with a password-less POST
+        resp = self.client.get("/demo/erase_history")
+        self.assertEqual(resp.status_code, 405)
+        resp = self.client.post("/demo/erase_history", follow_redirects=True)
+        self.assertIn(
+            "Error deleting project history",
+            resp.data.decode("utf-8"),
+        )
+
+        # List history
        resp = self.client.get("/demo/history")
        self.assertEqual(resp.status_code, 200)
        self.assertIn(
@ -299,6 +309,20 @@ class HistoryTestCase(IhatemoneyTestCase):
        self.assertEqual(resp.data.decode("utf-8").count("127.0.0.1"), 12)
        self.assertEqual(resp.data.decode("utf-8").count("<td> -- </td>"), 7)

+        # Ensure we can't clear IP data with a GET or with a password-less POST
+        resp = self.client.get("/demo/strip_ip_addresses")
+        self.assertEqual(resp.status_code, 405)
+        resp = self.client.post("/demo/strip_ip_addresses", follow_redirects=True)
+        self.assertIn(
+            "Error deleting recorded IP addresses",
+            resp.data.decode("utf-8"),
+        )
+
+        resp = self.client.get("/demo/history")
+        self.assertEqual(resp.status_code, 200)
+        self.assertEqual(resp.data.decode("utf-8").count("127.0.0.1"), 12)
+        self.assertEqual(resp.data.decode("utf-8").count("<td> -- </td>"), 7)
+
        # Clear IP Data
        resp = self.client.post(
            "/demo/strip_ip_addresses",