changedetection.io/changedetectionio/tests/test_access_control.py

from flask import url_for


def test_check_access_control(app, client):
    # Still doesnt work, but this is closer.

    with app.test_client(use_cookies=True) as c:
        # Check we don't have any password protection enabled yet.
        res = c.get(url_for("settings_page"))
        assert b"Remove password" not in res.data

        # Enable password check.
        res = c.post(
            url_for("settings_page"),
            data={"password": "foobar",
                  "minutes_between_check": 180,
                  'fetch_backend': "html_requests"},
            follow_redirects=True
        )

        assert b"Password protection enabled." in res.data
        assert b"LOG OUT" not in res.data

        # Check we hit the login
        res = c.get(url_for("index"), follow_redirects=True)

        assert b"Login" in res.data

        # Menu should not be available yet
        #        assert b"SETTINGS" not in res.data
        #        assert b"BACKUP" not in res.data
        #        assert b"IMPORT" not in res.data

        # defaultuser@changedetection.io is actually hardcoded for now, we only use a single password
        res = c.post(
            url_for("login"),
            data={"password": "foobar"},
            follow_redirects=True
        )

        assert b"LOG OUT" in res.data
        res = c.get(url_for("settings_page"))

        # Menu should be available now
        assert b"SETTINGS" in res.data
        assert b"BACKUP" in res.data
        assert b"IMPORT" in res.data
        assert b"LOG OUT" in res.data
        assert b"minutes_between_check" in res.data
        assert b"fetch_backend" in res.data

        res = c.post(
            url_for("settings_page"),
            data={
                "minutes_between_check": 180,
                "tag": "",
                "headers": "",
                "fetch_backend": "html_webdriver",
                "removepassword_button": "Remove password"
            },
            follow_redirects=True,
        )

# There was a bug where saving the settings form would submit a blank password
def test_check_access_control_no_blank_password(app, client):
    # Still doesnt work, but this is closer.

    with app.test_client() as c:
        # Check we dont have any password protection enabled yet.
        res = c.get(url_for("settings_page"))
        assert b"Remove password" not in res.data

        # Enable password check.
        res = c.post(
            url_for("settings_page"),
            data={"password": "",
                  "minutes_between_check": 180,
                  'fetch_backend': "html_requests"},
            follow_redirects=True
        )

        assert b"Password protection enabled." not in res.data
        assert b"Login" not in res.data


# There was a bug where saving the settings form would submit a blank password
def test_check_access_no_remote_access_to_remove_password(app, client):
    # Still doesnt work, but this is closer.

    with app.test_client() as c:
        # Check we dont have any password protection enabled yet.
        res = c.get(url_for("settings_page"))
        assert b"Remove password" not in res.data

        # Enable password check.
        res = c.post(
            url_for("settings_page"),
            data={"password": "password",
                  "minutes_between_check": 180,
                  'fetch_backend': "html_requests"},
            follow_redirects=True
        )

        assert b"Password protection enabled." in res.data
        assert b"Login" in res.data

        res = c.post(
            url_for("settings_page"),
            data={
                "minutes_between_check": 180,
                "tag": "",
                "headers": "",
                "fetch_backend": "html_webdriver",
                "removepassword_button": "Remove password"
            },
            follow_redirects=True,
        )
        assert b"Password protection removed." not in res.data

        res = c.get(url_for("index"),
              follow_redirects=True)
        assert b"watch-table-wrapper" not in res.data
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00			`from flask import url_for`

Adding tests for password control handling 2021-06-21 12:36:09 +00:00
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00			`def test_check_access_control(app, client):`
			`# Still doesnt work, but this is closer.`

Security update - Use CSRF token protection for forms, make "remove password" use HTTP Post (#484) 2022-03-21 21:54:27 +00:00			`with app.test_client(use_cookies=True) as c:`
			`# Check we don't have any password protection enabled yet.`
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00			`res = c.get(url_for("settings_page"))`
			`assert b"Remove password" not in res.data`

			`# Enable password check.`
			`res = c.post(`
			`url_for("settings_page"),`
Chrome/Webdriver support for Javascript websites (#114) JS Support via fetching the page over WebDriver/Selenium network Refactor forms (Split into logical tabs) 2021-08-12 10:05:59 +00:00			`data={"password": "foobar",`
			`"minutes_between_check": 180,`
			`'fetch_backend': "html_requests"},`
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00			`follow_redirects=True`
			`)`
Adding tests for password control handling 2021-06-21 12:36:09 +00:00
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00			`assert b"Password protection enabled." in res.data`
			`assert b"LOG OUT" not in res.data`

Adding tests for password control handling 2021-06-21 12:36:09 +00:00			`# Check we hit the login`
			`res = c.get(url_for("index"), follow_redirects=True)`
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00
			`assert b"Login" in res.data`

			`# Menu should not be available yet`
Adding tests for password control handling 2021-06-21 12:36:09 +00:00			`# assert b"SETTINGS" not in res.data`
			`# assert b"BACKUP" not in res.data`
			`# assert b"IMPORT" not in res.data`
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00
Adding tests for password control handling 2021-06-21 12:36:09 +00:00			`# defaultuser@changedetection.io is actually hardcoded for now, we only use a single password`
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00			`res = c.post(`
			`url_for("login"),`
Adding tests for password control handling 2021-06-21 12:36:09 +00:00			`data={"password": "foobar"},`
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00			`follow_redirects=True`
			`)`

			`assert b"LOG OUT" in res.data`
			`res = c.get(url_for("settings_page"))`

			`# Menu should be available now`
			`assert b"SETTINGS" in res.data`
			`assert b"BACKUP" in res.data`
			`assert b"IMPORT" in res.data`
			`assert b"LOG OUT" in res.data`
Security update - Use CSRF token protection for forms, make "remove password" use HTTP Post (#484) 2022-03-21 21:54:27 +00:00			`assert b"minutes_between_check" in res.data`
			`assert b"fetch_backend" in res.data`
Apprise notifications (#43) * issue #4 Adding settings screen for apprise URLS * Adding test notification mechanism * Move Worker module to own class file * Adding basic notification URL runner * Tests for notifications * Tweak readme with notification info * Move notification test to main test_backend.py * Fix spacing * Adding notifications screenshot * Cleanup more files from test * Offer send notification test on individual edits and main/default * Process global notifications * All branches test * Wrap worker notification process in try/catch, use global if nothing set * Fix syntax * Handle exception, increase wait time for liveserver to come up * Fixing test setup * remove debug * Split tests into their own totally isolated setups, if you know a better way to make live_server() work, MR :) * Tidying up lint/imports 2021-05-08 01:29:41 +00:00
Security update - Use CSRF token protection for forms, make "remove password" use HTTP Post (#484) 2022-03-21 21:54:27 +00:00			`res = c.post(`
			`url_for("settings_page"),`
			`data={`
			`"minutes_between_check": 180,`
			`"tag": "",`
			`"headers": "",`
			`"fetch_backend": "html_webdriver",`
			`"removepassword_button": "Remove password"`
			`},`
			`follow_redirects=True,`
			`)`
Adding tests for password control handling 2021-06-21 12:36:09 +00:00
			`# There was a bug where saving the settings form would submit a blank password`
			`def test_check_access_control_no_blank_password(app, client):`
			`# Still doesnt work, but this is closer.`

			`with app.test_client() as c:`
			`# Check we dont have any password protection enabled yet.`
			`res = c.get(url_for("settings_page"))`
			`assert b"Remove password" not in res.data`

			`# Enable password check.`
			`res = c.post(`
			`url_for("settings_page"),`
Chrome/Webdriver support for Javascript websites (#114) JS Support via fetching the page over WebDriver/Selenium network Refactor forms (Split into logical tabs) 2021-08-12 10:05:59 +00:00			`data={"password": "",`
			`"minutes_between_check": 180,`
			`'fetch_backend': "html_requests"},`
Security update - Use CSRF token protection for forms, make "remove password" use HTTP Post (#484) 2022-03-21 21:54:27 +00:00			`follow_redirects=True`
Adding tests for password control handling 2021-06-21 12:36:09 +00:00			`)`

			`assert b"Password protection enabled." not in res.data`
			`assert b"Login" not in res.data`


			`# There was a bug where saving the settings form would submit a blank password`
			`def test_check_access_no_remote_access_to_remove_password(app, client):`
			`# Still doesnt work, but this is closer.`

			`with app.test_client() as c:`
			`# Check we dont have any password protection enabled yet.`
			`res = c.get(url_for("settings_page"))`
			`assert b"Remove password" not in res.data`

			`# Enable password check.`
			`res = c.post(`
			`url_for("settings_page"),`
Security update - Use CSRF token protection for forms, make "remove password" use HTTP Post (#484) 2022-03-21 21:54:27 +00:00			`data={"password": "password",`
			`"minutes_between_check": 180,`
Chrome/Webdriver support for Javascript websites (#114) JS Support via fetching the page over WebDriver/Selenium network Refactor forms (Split into logical tabs) 2021-08-12 10:05:59 +00:00			`'fetch_backend': "html_requests"},`
Adding tests for password control handling 2021-06-21 12:36:09 +00:00			`follow_redirects=True`
			`)`

			`assert b"Password protection enabled." in res.data`
			`assert b"Login" in res.data`

Security update - Use CSRF token protection for forms, make "remove password" use HTTP Post (#484) 2022-03-21 21:54:27 +00:00			`res = c.post(`
			`url_for("settings_page"),`
			`data={`
			`"minutes_between_check": 180,`
			`"tag": "",`
			`"headers": "",`
			`"fetch_backend": "html_webdriver",`
			`"removepassword_button": "Remove password"`
			`},`
			`follow_redirects=True,`
			`)`
Adding tests for password control handling 2021-06-21 12:36:09 +00:00			`assert b"Password protection removed." not in res.data`

			`res = c.get(url_for("index"),`
			`follow_redirects=True)`
			`assert b"watch-table-wrapper" not in res.data`