80 lines
2.1 KiB
Ruby
80 lines
2.1 KiB
Ruby
require File.expand_path(File.dirname(__FILE__) + '/helper')
|
|
|
|
describe "Application" do
|
|
before { Padrino.clear! }
|
|
after { remove_views }
|
|
|
|
context 'CSRF protection' do
|
|
context "with CSRF protection on" do
|
|
before do
|
|
mock_app do
|
|
enable :sessions
|
|
enable :protect_from_csrf
|
|
post('/'){ 'HI' }
|
|
end
|
|
end
|
|
|
|
should "not allow requests without tokens" do
|
|
post "/"
|
|
assert_equal 403, status
|
|
end
|
|
|
|
should "allow requests with correct tokens" do
|
|
post "/", {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"}
|
|
assert_equal 200, status
|
|
end
|
|
|
|
should "not allow requests with incorrect tokens" do
|
|
post "/", {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"}
|
|
assert_equal 403, status
|
|
end
|
|
end
|
|
|
|
context "without CSRF protection on" do
|
|
before do
|
|
mock_app do
|
|
enable :sessions
|
|
disable :protect_from_csrf
|
|
post('/'){ 'HI' }
|
|
end
|
|
end
|
|
|
|
should "allows requests without tokens" do
|
|
post "/"
|
|
assert_equal 200, status
|
|
end
|
|
|
|
should "allow requests with correct tokens" do
|
|
post "/", {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"}
|
|
assert_equal 200, status
|
|
end
|
|
|
|
should "allow requests with incorrect tokens" do
|
|
post "/", {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"}
|
|
assert_equal 200, status
|
|
end
|
|
end
|
|
|
|
context "with optional CSRF protection" do
|
|
before do
|
|
mock_app do
|
|
enable :sessions
|
|
enable :protect_from_csrf
|
|
set :allow_disabled_csrf, true
|
|
post('/on') { 'HI' }
|
|
post('/off', :csrf_protection => false) { 'HI' }
|
|
end
|
|
end
|
|
|
|
should "allow access to routes with csrf_protection off" do
|
|
post "/off"
|
|
assert_equal 200, status
|
|
end
|
|
|
|
should "not allow access to routes with csrf_protection on" do
|
|
post "/on"
|
|
assert_equal 403, status
|
|
end
|
|
end
|
|
end
|
|
end |