From da49012d58cf3374d82c35afdcb26e7362369ead Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Wed, 14 Jul 2021 17:00:03 +0200
Subject: [PATCH] Add test cases to ensure we can't delete objects with a GET
---
 ihatemoney/tests/budget_test.py | 14 +++++++++++++-
 ihatemoney/tests/history_test.py | 24 ++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
index aa1c1c4d..1cda3990 100644
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@@ -252,6 +252,14 @@ class BudgetTestCase(IhatemoneyTestCase):
 # project added
 self.assertEqual(len(models.Project.query.all()), 1)
+ # Check that we can't delete project with a GET or with a
+ # password-less POST.
+ resp = self.client.get("/raclette/delete")
+ self.assertEqual(resp.status_code, 405)
+ self.client.post("/raclette/delete")
+ self.assertEqual(len(models.Project.query.all()), 1)
+
+ # Delete for real
 c.post(
 "/raclette/delete",
 data={"password": "party"},
@@ -552,7 +560,11 @@ class BudgetTestCase(IhatemoneyTestCase):
 bill = models.Bill.query.one()
 self.assertEqual(bill.amount, 10, "bill edition")
- # delete the bill
+ # Try to delete the bill with a GET: it should fail
+ response = self.client.get(f"/raclette/delete/{bill.id}")
+ self.assertEqual(response.status_code, 405)
+ self.assertEqual(1, len(models.Bill.query.all()), "bill deletion")
+ # Really delete the bill
 self.client.post(f"/raclette/delete/{bill.id}")
 self.assertEqual(0, len(models.Bill.query.all()), "bill deletion")
diff --git a/ihatemoney/tests/history_test.py b/ihatemoney/tests/history_test.py
index 0c816477..38a3740e 100644
--- a/ihatemoney/tests/history_test.py
+++ b/ihatemoney/tests/history_test.py
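Review bot: The password-less POST to `/raclette/delete` discards its response and only asserts the project count afterwards, so the test cannot tell a rejected request from one that was silently redirected or failed for an unrelated reason; capturing it as `resp = self.client.post("/raclette/delete")` and asserting on `resp.status_code` (or on the re-rendered form, whichever the delete view returns — not visible here) would pin the rejection itself, in line with the history tests in this commit that check the flashed error text. The count assertion is still worth keeping, since it is what proves neither the GET nor the password-less POST changed state. Minor: the new lines use `self.client` while the surrounding context uses `c`; presumably the same client, but mixing the two in one test reads as if two sessions were involved. The enclosing test method starts and ends outside the hunk.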
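Review bot: The assertion message on the new count check, `self.assertEqual(1, len(models.Bill.query.all()), "bill deletion")`, reuses the label of the real-deletion check two lines below, so a failure of either step prints the same text; something like `"bill must survive a GET on the delete URL"` would identify which step regressed. A point of style: this hunk names the response `response` while the other new checks in this commit use `resp`. The enclosing test method starts and ends outside the hunk.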
@@ -235,6 +235,16 @@ class HistoryTestCase(IhatemoneyTestCase):
 # Disable logging
 self.change_privacy_to(LoggingMode.DISABLED)
+ # Ensure we can't clear history with a GET or with a password-less POST
+ resp = self.client.get("/demo/erase_history")
+ self.assertEqual(resp.status_code, 405)
+ resp = self.client.post("/demo/erase_history", follow_redirects=True)
+ self.assertIn(
+ "Error deleting project history",
+ resp.data.decode("utf-8"),
+ )
+
+ # List history
 resp = self.client.get("/demo/history")
 self.assertEqual(resp.status_code, 200)
 self.assertIn(
@@ -299,6 +309,20 @@ class HistoryTestCase(IhatemoneyTestCase):
 self.assertEqual(resp.data.decode("utf-8").count("127.0.0.1"), 12)
 self.assertEqual(resp.data.decode("utf-8").count(" -- "), 7)
+ # Ensure we can't clear IP data with a GET or with a password-less POST
+ resp = self.client.get("/demo/strip_ip_addresses")
+ self.assertEqual(resp.status_code, 405)
+ resp = self.client.post("/demo/strip_ip_addresses", follow_redirects=True)
+ self.assertIn(
+ "Error deleting recorded IP addresses",
+ resp.data.decode("utf-8"),
+ )
+
+ resp = self.client.get("/demo/history")
+ self.assertEqual(resp.status_code, 200)
+ self.assertEqual(resp.data.decode("utf-8").count("127.0.0.1"), 12)
+ self.assertEqual(resp.data.decode("utf-8").count(" -- "), 7)
+
 # Clear IP Data
 resp = self.client.post(
 "/demo/strip_ip_addresses",
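Review bot: The password-less POST check keys on the English flash text `"Error deleting project history"` (and, in the second hunk of this file, `"Error deleting recorded IP addresses"`), so both tests break if the wording changes or the test client runs under another locale; presumably the test configuration pins the default locale, but that is not visible here. Adding `self.assertEqual(resp.status_code, 200)` next to the text check would also distinguish a normally rendered page carrying the flashed error from an error page that happens to contain the same words. The second hunk re-reads `/demo/history` and re-asserts the `127.0.0.1` and `" -- "` counts after the rejected requests, which is the check that actually proves no IP data was stripped; the first hunk relies on the `# List history` lines that follow for the same purpose. The enclosing test methods start and end outside their hunks.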