From d4446b6b36f186446ae14415d9c4f7625edff387 Mon Sep 17 00:00:00 2001
From: Piotr Gawron <piotr.gawron@uni.lu>
Date: Mon, 8 Jan 2018 18:00:37 +0100
Subject: [PATCH] unit test showing security issue

---
 smash/web/tests/view/test_doctor.py | 34 +++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/smash/web/tests/view/test_doctor.py b/smash/web/tests/view/test_doctor.py
index 5689a186..dbcbd3d3 100644
--- a/smash/web/tests/view/test_doctor.py
+++ b/smash/web/tests/view/test_doctor.py
@@ -30,6 +30,32 @@ class DoctorViewTests(LoggedInTestCase):
         location = create_location()
         count = Worker.objects.all().count()
 
+        form_data = self.create_add_worker_form_data(language, location)
+
+        response = self.client.post(reverse('web.views.doctor_add'), data=form_data)
+
+        self.assertEqual(response.status_code, 302)
+
+        new_count = Worker.objects.all().count()
+        self.assertEqual(count + 1, new_count)
+
+    def test_security_in_worker_added_request(self):
+        self.client.logout()
+
+        language = create_language()
+        location = create_location()
+        count = Worker.objects.all().count()
+
+        form_data = self.create_add_worker_form_data(language, location)
+
+        self.client.post(reverse('web.views.doctor_add'), data=form_data)
+
+        new_count = Worker.objects.all().count()
+        # new user shouldn't be added
+        self.assertEqual(count, new_count)
+
+    @staticmethod
+    def create_add_worker_form_data(language, location):
         form = WorkerAddForm()
         form_data = {}
         for key, value in form.initial.items():
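Review bot: In test_security_in_worker_added_request the anonymous POST's response is discarded, so the test only checks the side effect (no new Worker row) and would still pass if the view crashed with a 500 instead of rejecting the request. Capture and assert the rejection explicitly so the expected access control is pinned once the view is fixed: `response = self.client.post(reverse('web.views.doctor_add'), data=form_data)` followed by `self.assertEqual(response.status_code, 302)` if the view is meant to redirect to login, or `403` if it is meant to deny outright; which of the two applies is not visible here and should match the view's decorator. The comment `# new user shouldn't be added` counts Worker objects, so `# no worker row may be created by an unauthenticated request` describes the assertion more precisely. The method that receives the first nine added lines starts above the hunk.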
@@ -44,13 +70,7 @@ class DoctorViewTests(LoggedInTestCase):
         form_data["specialization"] = "tester"
         form_data["languages"] = [language.id]
         form_data["locations"] = [location.id]
-
-        response = self.client.post(reverse('web.views.doctor_add'), data=form_data)
-
-        self.assertEqual(response.status_code, 302)
-
-        new_count = Worker.objects.all().count()
-        self.assertEqual(count + 1, new_count)
+        return form_data
 
     def test_render_edit_worker_request(self):
         worker = create_worker()
-- 
GitLab