From 8cb68ee8a1928bc9fd6f6d44937b3a8ea84b1f43 Mon Sep 17 00:00:00 2001
From: Phil Manavopoulos
Date: Tue, 12 Sep 2017 15:53:55 +0100
Subject: Add test to assert that AJAX calls are also authenticated

---
 test/tc_mauve_web_interface.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'test')

diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb
index 54c9697..d2817d5 100644
--- a/test/tc_mauve_web_interface.rb
+++ b/test/tc_mauve_web_interface.rb
@@ -112,13 +112,21 @@ EOF
 assert last_response.body.include?("Mauve: Login")
 assert session['__FLASH__'].empty?
 
-# Check we can access this page before logging in.
+# Check we can't access this page before logging in.
 get '/alerts'
 assert(session['__FLASH__'].has_key?(:error),"The flash error wasn't set following forbidden access")
 follow_redirect! while last_response.redirect?
 assert_equal(403, last_response.status, "The HTTP status wasn't 403")
 assert last_response.body.include?("Mauve: Login")
 assert session['__FLASH__'].empty?
+
+# Check we can't access AJAX requests before logging in.
+get '/ajax/alerts_table/raised/subject'
+refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call")
+follow_redirect! while last_response.redirect?
+assert_equal(403, last_response.status, "The HTTP status wasn't 403")
+assert last_response.body.include?('You must be logged in to access this page')
+assert session['__FLASH__'].empty?
 
 #
 # Try to falsify our login.
-- 
cgit v1.2.1

From 464901c752385592b5d574191c8871034c011f50 Mon Sep 17 00:00:00 2001
From: Phil Manavopoulos
Date: Tue, 12 Sep 2017 16:01:18 +0100
Subject: Correctly make AJAX request in test

---
 test/tc_mauve_web_interface.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'test')

diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb
index d2817d5..c93c25c 100644
--- a/test/tc_mauve_web_interface.rb
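Review bot: The new AJAX block at the end of the hunk only asserts that the 403 body contains the login message; nothing asserts that the protected content is absent, so a handler that rendered the alerts table and only then failed the authentication check would still pass this test. Add a negative assertion next to the existing `include?` check, e.g. `refute last_response.body.include?(TABLE_MARKER), "Alert data was rendered to an unauthenticated AJAX request"`, where TABLE_MARKER is a placeholder for a string taken from the alerts_table template. The `refute` on the flash placed before `follow_redirect!` presumably means the AJAX path is expected to answer 403 directly rather than redirect to the login page as `/alerts` does; if so, a one-line comment saying that the redirect loop is a no-op here would spare the next reader the guess. The enclosing test method starts and ends outside the hunk.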
+++ b/test/tc_mauve_web_interface.rb
@@ -121,7 +121,7 @@ EOF
 assert session['__FLASH__'].empty?
 
 # Check we can't access AJAX requests before logging in.
-get '/ajax/alerts_table/raised/subject'
+get '/ajax/alerts_table/raised/subject', {}, {:xhr => true}
 refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call")
 follow_redirect! while last_response.redirect?
 assert_equal(403, last_response.status, "The HTTP status wasn't 403")
-- 
cgit v1.2.1
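Review bot: Passing `{:xhr => true}` means the test now covers only the XMLHttpRequest form of the request; the plain request to the same `/ajax/...` URL that the previous line exercised is no longer tested, and since a client can simply omit the X-Requested-With header, access control on that route must hold without it. Keep a plain `get '/ajax/alerts_table/raised/subject'` (no xhr option) in the test as well, followed by `follow_redirect! while last_response.redirect?` and `assert_equal(403, last_response.status, "The HTTP status wasn't 403")`. Whether the non-XHR path sets the flash and redirects like `/alerts` or answers 403 directly like the XHR case is not visible here, so assert only the final status for that variant. The enclosing test method starts and ends outside the hunk.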