diff --git a/kallithea/config/routing.py b/kallithea/config/routing.py
--- a/kallithea/config/routing.py
+++ b/kallithea/config/routing.py
@@ -447,7 +447,7 @@ def make_map(config):
)
# LOGIN/LOGOUT/REGISTER/SIGN IN
- rmap.connect('authentication_token', '%s/authentication_token' % ADMIN_PREFIX, controller='login', action='authentication_token')
+ rmap.connect('session_csrf_secret_token', '%s/session_csrf_secret_token' % ADMIN_PREFIX, controller='login', action='session_csrf_secret_token')
rmap.connect('login_home', '%s/login' % ADMIN_PREFIX, controller='login')
rmap.connect('logout_home', '%s/logout' % ADMIN_PREFIX, controller='login',
action='logout')
diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -249,7 +249,7 @@ class LoginController(BaseController):
log.info('Logging out and deleting session for user')
raise HTTPFound(location=url('home'))
- def authentication_token(self):
+ def session_csrf_secret_token(self):
"""Return the CSRF protection token for the session - just like it
could have been screen scraped from a page with a form.
Only intended for testing but might also be useful for other kinds
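Review bot: The docstring calls this action "only intended for testing", but the route added in kallithea/config/routing.py sits next to login/logout with no visible test-only guard, so the session's CSRF secret appears to be readable by a plain GET in production too. That is safe only while the response can never be read cross-origin, and the docstring should say so, for example `Relies on the same-origin policy: must never be served with CORS headers, as JSONP, or as a cacheable response.` The method body lies outside this hunk, so whether it already sets a content type or cache headers cannot be checked here.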
diff --git a/kallithea/lib/helpers.py b/kallithea/lib/helpers.py
--- a/kallithea/lib/helpers.py
+++ b/kallithea/lib/helpers.py
@@ -1273,7 +1273,7 @@ def ip_range(ip_addr):
return '%s - %s' % (s, e)
-session_csrf_secret_name = "_authentication_token"
+session_csrf_secret_name = "_session_csrf_secret_token"
def session_csrf_secret_token():
"""Return (and create) the current session's CSRF protection token."""
diff --git a/kallithea/public/js/base.js b/kallithea/public/js/base.js
--- a/kallithea/public/js/base.js
+++ b/kallithea/public/js/base.js
@@ -408,7 +408,7 @@ var ajaxGET = function(url, success, fai
};
var ajaxPOST = function(url, postData, success, failure) {
- postData['_authentication_token'] = _session_csrf_secret_token;
+ postData['_session_csrf_secret_token'] = _session_csrf_secret_token;
var postData = _toQueryString(postData);
if(failure === undefined) {
failure = function(jqXHR, textStatus, errorThrown) {
@@ -458,7 +458,7 @@ var _onSuccessFollow = function(target){
var toggleFollowingRepo = function(target, follows_repository_id){
var args = 'follows_repository_id=' + follows_repository_id;
- args += '&_authentication_token=' + _session_csrf_secret_token;
+ args += '&_session_csrf_secret_token=' + _session_csrf_secret_token;
$.post(TOGGLE_FOLLOW_URL, args, function(data){
_onSuccessFollow(target);
});
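Review bot: `toggleFollowingRepo` here and `showRepoSize` in the next hunk build the POST body by string concatenation, so the CSRF field name is spelled out again and the token is appended without `encodeURIComponent`. `ajaxPOST` above already adds the field and goes through `_toQueryString`; if its encoding is suitable, routing these two calls through it would leave one place in the script that knows the field name. If the hand-built strings stay, `args += '&_session_csrf_secret_token=' + encodeURIComponent(_session_csrf_secret_token);` keeps the request well-formed should the token format ever include reserved characters. Both function bodies continue outside their hunks.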
@@ -466,7 +466,7 @@ var toggleFollowingRepo = function(targe
};
var showRepoSize = function(target, repo_name){
- var args = '_authentication_token=' + _session_csrf_secret_token;
+ var args = '_session_csrf_secret_token=' + _session_csrf_secret_token;
if(!$("#" + target).hasClass('loaded')){
$("#" + target).html(_TM['Loading ...']);
diff --git a/kallithea/templates/admin/gists/edit.html b/kallithea/templates/admin/gists/edit.html
--- a/kallithea/templates/admin/gists/edit.html
+++ b/kallithea/templates/admin/gists/edit.html
@@ -153,7 +153,7 @@
// check for newer version.
$.ajax({
url: ${h.js(h.url('edit_gist_check_revision', gist_id=c.gist.gist_access_id))},
- data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_authentication_token': _session_csrf_secret_token},
+ data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_session_csrf_secret_token': _session_csrf_secret_token},
dataType: 'json',
type: 'POST',
success: function(data) {
diff --git a/kallithea/tests/base.py b/kallithea/tests/base.py
--- a/kallithea/tests/base.py
+++ b/kallithea/tests/base.py
@@ -157,7 +157,7 @@ class TestController(object):
response = self.app.post(url(controller='login', action='index'),
{'username': username,
'password': password,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
if 'Invalid username or password' in response.body:
pytest.fail('could not login using %s %s' % (username, password))
@@ -178,8 +178,8 @@ class TestController(object):
user = user and user.username
assert user == expected_username
- def authentication_token(self):
- return self.app.get(url('authentication_token')).body
+ def session_csrf_secret_token(self):
+ return self.app.get(url('session_csrf_secret_token')).body
def checkSessionFlash(self, response, msg=None, skip=0, _matcher=lambda msg, m: msg in m):
if 'flash' not in response.session:
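Review bot: Every renamed call site in the test suite fetches a valid token through this helper and posts it, so none of the visible tests would fail if the server stopped checking the field altogether. Renaming the field is a good moment to pin the rejection path. One test could post to a state-changing URL such as `url('defaults_update', id='default')` without `_session_csrf_secret_token`, and another could send the old `_authentication_token` name, each asserting the status the CSRF check returns. Such tests may already exist in files this diff does not touch, and the helper's class continues outside the hunk.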
diff --git a/kallithea/tests/functional/test_admin_auth_settings.py b/kallithea/tests/functional/test_admin_auth_settings.py
--- a/kallithea/tests/functional/test_admin_auth_settings.py
+++ b/kallithea/tests/functional/test_admin_auth_settings.py
@@ -6,7 +6,7 @@ class TestAuthSettingsController(TestCon
def _enable_plugins(self, plugins_list):
test_url = url(controller='admin/auth_settings',
action='auth_settings')
- params={'auth_plugins': plugins_list, '_authentication_token': self.authentication_token()}
+ params={'auth_plugins': plugins_list, '_session_csrf_secret_token': self.session_csrf_secret_token()}
for plugin in plugins_list.split(','):
enable = plugin.partition('kallithea.lib.auth_modules.')[-1]
diff --git a/kallithea/tests/functional/test_admin_defaults.py b/kallithea/tests/functional/test_admin_defaults.py
--- a/kallithea/tests/functional/test_admin_defaults.py
+++ b/kallithea/tests/functional/test_admin_defaults.py
@@ -18,12 +18,12 @@ class TestDefaultsController(TestControl
'default_repo_enable_statistics': True,
'default_repo_private': True,
'default_repo_type': 'hg',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
}
response = self.app.post(url('defaults_update', id='default'), params=params)
self.checkSessionFlash(response, 'Default settings updated successfully')
- params.pop('_authentication_token')
+ params.pop('_session_csrf_secret_token')
defs = Setting.get_default_repo_settings()
assert params == defs
@@ -34,11 +34,11 @@ class TestDefaultsController(TestControl
'default_repo_enable_statistics': False,
'default_repo_private': False,
'default_repo_type': 'git',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
}
response = self.app.post(url('defaults_update', id='default'), params=params)
self.checkSessionFlash(response, 'Default settings updated successfully')
- params.pop('_authentication_token')
+ params.pop('_session_csrf_secret_token')
defs = Setting.get_default_repo_settings()
assert params == defs
diff --git a/kallithea/tests/functional/test_admin_gists.py b/kallithea/tests/functional/test_admin_gists.py
--- a/kallithea/tests/functional/test_admin_gists.py
+++ b/kallithea/tests/functional/test_admin_gists.py
@@ -56,7 +56,7 @@ class TestGistsController(TestController
def test_create_missing_description(self):
self.log_user()
response = self.app.post(url('gists'),
- params={'lifetime': -1, '_authentication_token': self.authentication_token()},
+ params={'lifetime': -1, '_session_csrf_secret_token': self.session_csrf_secret_token()},
status=200)
response.mustcontain('Missing value')
@@ -68,7 +68,7 @@ class TestGistsController(TestController
'content': 'gist test',
'filename': 'foo',
'public': 'public',
- '_authentication_token': self.authentication_token()},
+ '_session_csrf_secret_token': self.session_csrf_secret_token()},
status=302)
response = response.follow()
response.mustcontain('added file: foo')
@@ -82,7 +82,7 @@ class TestGistsController(TestController
'content': 'gist test',
'filename': '/home/foo',
'public': 'public',
- '_authentication_token': self.authentication_token()},
+ '_session_csrf_secret_token': self.session_csrf_secret_token()},
status=200)
response.mustcontain('Filename cannot be inside a directory')
@@ -101,7 +101,7 @@ class TestGistsController(TestController
'content': 'private gist test',
'filename': 'private-foo',
'private': 'private',
- '_authentication_token': self.authentication_token()},
+ '_session_csrf_secret_token': self.session_csrf_secret_token()},
status=302)
response = response.follow()
response.mustcontain('added file: private-foo<')
@@ -116,7 +116,7 @@ class TestGistsController(TestController
'filename': 'foo-desc',
'description': 'gist-desc',
'public': 'public',
- '_authentication_token': self.authentication_token()},
+ '_session_csrf_secret_token': self.session_csrf_secret_token()},
status=302)
response = response.follow()
response.mustcontain('added file: foo-desc')
@@ -132,19 +132,19 @@ class TestGistsController(TestController
self.log_user()
gist = _create_gist('delete-me')
response = self.app.post(url('gist_delete', gist_id=gist.gist_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
def test_delete_normal_user_his_gist(self):
self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS)
gist = _create_gist('delete-me', owner=TEST_USER_REGULAR_LOGIN)
response = self.app.post(url('gist_delete', gist_id=gist.gist_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
def test_delete_normal_user_not_his_own_gist(self):
self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS)
gist = _create_gist('delete-me')
response = self.app.post(url('gist_delete', gist_id=gist.gist_id), status=403,
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
def test_show(self):
gist = _create_gist('gist-show-me')
diff --git a/kallithea/tests/functional/test_admin_permissions.py b/kallithea/tests/functional/test_admin_permissions.py
--- a/kallithea/tests/functional/test_admin_permissions.py
+++ b/kallithea/tests/functional/test_admin_permissions.py
@@ -29,7 +29,7 @@ class TestAdminPermissionsController(Tes
response = self.app.post(url('edit_user_ips_update', id=default_user_id),
params=dict(new_ip='0.0.0.0/24',
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
invalidate_all_caches()
response = self.app.get(url('admin_permissions_ips'),
extra_environ={'REMOTE_ADDR': '0.0.0.1'})
@@ -43,7 +43,7 @@ class TestAdminPermissionsController(Tes
response = self.app.post(url('edit_user_ips_update', id=default_user_id),
params=dict(new_ip='0.0.1.0/24',
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
invalidate_all_caches()
response = self.app.get(url('admin_permissions_ips'),
@@ -54,7 +54,7 @@ class TestAdminPermissionsController(Tes
x = UserIpMap.query().filter_by(ip_addr='0.0.1.0/24').first()
response = self.app.post(url('edit_user_ips_delete', id=default_user_id),
params=dict(del_ip_id=x.ip_id,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
invalidate_all_caches()
response = self.app.get(url('admin_permissions_ips'),
@@ -65,7 +65,7 @@ class TestAdminPermissionsController(Tes
x = UserIpMap.query().filter_by(ip_addr='0.0.0.0/24').first()
response = self.app.post(url('edit_user_ips_delete', id=default_user_id),
params=dict(del_ip_id=x.ip_id,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
invalidate_all_caches()
response = self.app.get(url('admin_permissions_ips'),
@@ -86,7 +86,7 @@ class TestAdminPermissionsController(Tes
perm_new_member_1='repository.read',
perm_new_member_name_1=user.username,
perm_new_member_type_1='user',
- _authentication_token=self.authentication_token()),
+ _session_csrf_secret_token=self.session_csrf_secret_token()),
status=302)
assert not response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
@@ -97,7 +97,7 @@ class TestAdminPermissionsController(Tes
params=dict(
obj_type='user',
user_id=user.user_id,
- _authentication_token=self.authentication_token()),
+ _session_csrf_secret_token=self.session_csrf_secret_token()),
status=302)
assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_revoke', repo_name=HG_REPO)))
@@ -111,7 +111,7 @@ class TestAdminPermissionsController(Tes
perm_new_member_1='repository.read',
perm_new_member_name_1=user.username,
perm_new_member_type_1='user',
- _authentication_token=self.authentication_token()),
+ _session_csrf_secret_token=self.session_csrf_secret_token()),
status=302)
assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
@@ -121,6 +121,6 @@ class TestAdminPermissionsController(Tes
params=dict(
obj_type='user',
user_id=user.user_id,
- _authentication_token=self.authentication_token()),
+ _session_csrf_secret_token=self.session_csrf_secret_token()),
status=200)
assert not response.body
diff --git a/kallithea/tests/functional/test_admin_repo_groups.py b/kallithea/tests/functional/test_admin_repo_groups.py
--- a/kallithea/tests/functional/test_admin_repo_groups.py
+++ b/kallithea/tests/functional/test_admin_repo_groups.py
@@ -15,12 +15,12 @@ class TestRepoGroupsController(TestContr
group_name = u'newgroup'
response = self.app.post(url('repos_groups'),
fixture._get_repo_group_create_params(group_name=group_name,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
# try to create repo group with swapped case
swapped_group_name = group_name.swapcase()
response = self.app.post(url('repos_groups'),
fixture._get_repo_group_create_params(group_name=swapped_group_name,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
response.mustcontain('already exists')
RepoGroupModel().delete(group_name)
diff --git a/kallithea/tests/functional/test_admin_repos.py b/kallithea/tests/functional/test_admin_repos.py
--- a/kallithea/tests/functional/test_admin_repos.py
+++ b/kallithea/tests/functional/test_admin_repos.py
@@ -53,7 +53,7 @@ class _BaseTestCase(TestController):
repo_name=repo_name,
repo_type=self.REPO_TYPE,
repo_description=description,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
## run the check page that triggers the flash message
response = self.app.get(url('repo_check_home', repo_name=repo_name))
assert response.json == {u'result': True}
@@ -91,7 +91,7 @@ class _BaseTestCase(TestController):
repo_name=repo_name,
repo_type=self.REPO_TYPE,
repo_description=description,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
# try to create repo with swapped case
swapped_repo_name = repo_name.swapcase()
response = self.app.post(url('repos'),
@@ -99,7 +99,7 @@ class _BaseTestCase(TestController):
repo_name=swapped_repo_name,
repo_type=self.REPO_TYPE,
repo_description=description,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
response.mustcontain('already exists')
RepoModel().delete(repo_name)
@@ -124,7 +124,7 @@ class _BaseTestCase(TestController):
repo_type=self.REPO_TYPE,
repo_description=description,
repo_group=gr.group_id,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
## run the check page that triggers the flash message
response = self.app.get(url('repo_check_home', repo_name=repo_name_full))
assert response.json == {u'result': True}
@@ -163,7 +163,7 @@ class _BaseTestCase(TestController):
def test_create_in_group_without_needed_permissions(self):
usr = self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS)
# avoid spurious RepoGroup DetachedInstanceError ...
- authentication_token = self.authentication_token()
+ session_csrf_secret_token = self.session_csrf_secret_token()
# revoke
user_model = UserModel()
# disable fork and create on default user
@@ -201,7 +201,7 @@ class _BaseTestCase(TestController):
repo_type=self.REPO_TYPE,
repo_description=description,
repo_group=gr.group_id,
- _authentication_token=authentication_token))
+ _session_csrf_secret_token=session_csrf_secret_token))
response.mustcontain('Invalid value')
@@ -215,7 +215,7 @@ class _BaseTestCase(TestController):
repo_type=self.REPO_TYPE,
repo_description=description,
repo_group=gr_allowed.group_id,
- _authentication_token=authentication_token))
+ _session_csrf_secret_token=session_csrf_secret_token))
## run the check page that triggers the flash message
response = self.app.get(url('repo_check_home', repo_name=repo_name_full))
@@ -277,7 +277,7 @@ class _BaseTestCase(TestController):
repo_description=description,
repo_group=gr.group_id,
repo_copy_permissions=True,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
## run the check page that triggers the flash message
response = self.app.get(url('repo_check_home', repo_name=repo_name_full))
@@ -329,7 +329,7 @@ class _BaseTestCase(TestController):
repo_type=self.REPO_TYPE,
repo_description=description,
clone_uri='http://127.0.0.1/repo',
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
response.mustcontain('Invalid repository URL')
def test_create_remote_repo_wrong_clone_uri_hg_svn(self):
@@ -342,7 +342,7 @@ class _BaseTestCase(TestController):
repo_type=self.REPO_TYPE,
repo_description=description,
clone_uri='svn+http://127.0.0.1/repo',
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
response.mustcontain('Invalid repository URL')
def test_delete(self):
@@ -354,7 +354,7 @@ class _BaseTestCase(TestController):
repo_type=self.REPO_TYPE,
repo_name=repo_name,
repo_description=description,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
## run the check page that triggers the flash message
response = self.app.get(url('repo_check_home', repo_name=repo_name))
self.checkSessionFlash(response,
@@ -379,7 +379,7 @@ class _BaseTestCase(TestController):
pytest.fail('no repo %s in filesystem' % repo_name)
response = self.app.post(url('delete_repo', repo_name=repo_name),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Deleted repository %s' % (repo_name))
@@ -405,7 +405,7 @@ class _BaseTestCase(TestController):
repo_name=repo_name,
repo_type=self.REPO_TYPE,
repo_description=description,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
## run the check page that triggers the flash message
response = self.app.get(url('repo_check_home', repo_name=repo_name))
assert response.json == {u'result': True}
@@ -431,7 +431,7 @@ class _BaseTestCase(TestController):
pytest.fail('no repo %s in filesystem' % repo_name)
response = self.app.post(url('delete_repo', repo_name=repo_name),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Deleted repository %s' % (repo_name_unicode))
response.follow()
@@ -449,7 +449,7 @@ class _BaseTestCase(TestController):
def test_delete_browser_fakeout(self):
response = self.app.post(url('delete_repo', repo_name=self.REPO),
- params=dict(_authentication_token=self.authentication_token()))
+ params=dict(_session_csrf_secret_token=self.session_csrf_secret_token()))
def test_show(self):
self.log_user()
@@ -471,7 +471,7 @@ class _BaseTestCase(TestController):
repo_name=self.REPO,
repo_type=self.REPO_TYPE,
owner=TEST_USER_ADMIN_LOGIN,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response,
msg='Repository %s updated successfully' % (self.REPO))
assert Repository.get_by_repo_name(self.REPO).private == True
@@ -486,7 +486,7 @@ class _BaseTestCase(TestController):
repo_name=self.REPO,
repo_type=self.REPO_TYPE,
owner=TEST_USER_ADMIN_LOGIN,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response,
msg='Repository %s updated successfully' % (self.REPO))
assert Repository.get_by_repo_name(self.REPO).private == False
@@ -514,7 +514,7 @@ class _BaseTestCase(TestController):
repo = Repository.get_by_repo_name(self.REPO)
repo2 = Repository.get_by_repo_name(other_repo)
response = self.app.post(url('edit_repo_advanced_fork', repo_name=self.REPO),
- params=dict(id_fork_of=repo2.repo_id, _authentication_token=self.authentication_token()))
+ params=dict(id_fork_of=repo2.repo_id, _session_csrf_secret_token=self.session_csrf_secret_token()))
repo = Repository.get_by_repo_name(self.REPO)
repo2 = Repository.get_by_repo_name(other_repo)
self.checkSessionFlash(response,
@@ -535,7 +535,7 @@ class _BaseTestCase(TestController):
repo = Repository.get_by_repo_name(self.REPO)
repo2 = Repository.get_by_repo_name(self.OTHER_TYPE_REPO)
response = self.app.post(url('edit_repo_advanced_fork', repo_name=self.REPO),
- params=dict(id_fork_of=repo2.repo_id, _authentication_token=self.authentication_token()))
+ params=dict(id_fork_of=repo2.repo_id, _session_csrf_secret_token=self.session_csrf_secret_token()))
repo = Repository.get_by_repo_name(self.REPO)
repo2 = Repository.get_by_repo_name(self.OTHER_TYPE_REPO)
self.checkSessionFlash(response,
@@ -545,7 +545,7 @@ class _BaseTestCase(TestController):
self.log_user()
## mark it as None
response = self.app.post(url('edit_repo_advanced_fork', repo_name=self.REPO),
- params=dict(id_fork_of=None, _authentication_token=self.authentication_token()))
+ params=dict(id_fork_of=None, _session_csrf_secret_token=self.session_csrf_secret_token()))
repo = Repository.get_by_repo_name(self.REPO)
repo2 = Repository.get_by_repo_name(self.OTHER_TYPE_REPO)
self.checkSessionFlash(response,
@@ -557,7 +557,7 @@ class _BaseTestCase(TestController):
self.log_user()
repo = Repository.get_by_repo_name(self.REPO)
response = self.app.post(url('edit_repo_advanced_fork', repo_name=self.REPO),
- params=dict(id_fork_of=repo.repo_id, _authentication_token=self.authentication_token()))
+ params=dict(id_fork_of=repo.repo_id, _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response,
'An error occurred during this operation')
@@ -588,7 +588,7 @@ class _BaseTestCase(TestController):
repo_name=repo_name,
repo_type=self.REPO_TYPE,
repo_description=description,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
response.mustcontain('Invalid value')
@@ -606,7 +606,7 @@ class _BaseTestCase(TestController):
repo_name=repo_name,
repo_type=self.REPO_TYPE,
repo_description=description,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response,
'Error creating repository %s' % repo_name)
diff --git a/kallithea/tests/functional/test_admin_settings.py b/kallithea/tests/functional/test_admin_settings.py
--- a/kallithea/tests/functional/test_admin_settings.py
+++ b/kallithea/tests/functional/test_admin_settings.py
@@ -38,7 +38,7 @@ class TestAdminSettingsController(TestCo
response = self.app.post(url('admin_settings_hooks'),
params=dict(new_hook_ui_key='test_hooks_1',
new_hook_ui_value='cd %s' % TESTS_TMP_PATH,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response, 'Added new hook')
response = response.follow()
@@ -51,7 +51,7 @@ class TestAdminSettingsController(TestCo
params=dict(hook_ui_key='test_hooks_1',
hook_ui_value='old_value_of_hook_1',
hook_ui_value_new='new_value_of_hook_1',
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
response = response.follow()
response.mustcontain('test_hooks_1')
@@ -62,7 +62,7 @@ class TestAdminSettingsController(TestCo
response = self.app.post(url('admin_settings_hooks'),
params=dict(new_hook_ui_key='test_hooks_1',
new_hook_ui_value='attempted_new_value',
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response, 'Hook already exists')
response = response.follow()
@@ -74,7 +74,7 @@ class TestAdminSettingsController(TestCo
response = self.app.post(url('admin_settings_hooks'),
params=dict(new_hook_ui_key='test_hooks_2',
new_hook_ui_value='cd %s2' % TESTS_TMP_PATH,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response, 'Added new hook')
response = response.follow()
@@ -84,7 +84,7 @@ class TestAdminSettingsController(TestCo
hook_id = Ui.get_by_key('hooks', 'test_hooks_2').ui_id
## delete
self.app.post(url('admin_settings_hooks'),
- params=dict(hook_id=hook_id, _authentication_token=self.authentication_token()))
+ params=dict(hook_id=hook_id, _session_csrf_secret_token=self.session_csrf_secret_token()))
response = self.app.get(url('admin_settings_hooks'))
response.mustcontain(no=['test_hooks_2'])
response.mustcontain(no=['cd %s2' % TESTS_TMP_PATH])
@@ -94,7 +94,7 @@ class TestAdminSettingsController(TestCo
response = self.app.post(url('admin_settings_hooks'),
params=dict(new_hook_ui_key='changegroup.update',
new_hook_ui_value='attempted_new_value',
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
self.checkSessionFlash(response, 'Builtin hooks are read-only')
response = response.follow()
@@ -120,7 +120,7 @@ class TestAdminSettingsController(TestCo
ga_code=new_ga_code,
captcha_private_key='',
captcha_public_key='',
- _authentication_token=self.authentication_token(),
+ _session_csrf_secret_token=self.session_csrf_secret_token(),
))
self.checkSessionFlash(response, 'Updated application settings')
@@ -141,7 +141,7 @@ class TestAdminSettingsController(TestCo
ga_code=new_ga_code,
captcha_private_key='',
captcha_public_key='',
- _authentication_token=self.authentication_token(),
+ _session_csrf_secret_token=self.session_csrf_secret_token(),
))
self.checkSessionFlash(response, 'Updated application settings')
@@ -161,7 +161,7 @@ class TestAdminSettingsController(TestCo
ga_code=new_ga_code,
captcha_private_key='1234567890',
captcha_public_key='1234567890',
- _authentication_token=self.authentication_token(),
+ _session_csrf_secret_token=self.session_csrf_secret_token(),
))
self.checkSessionFlash(response, 'Updated application settings')
@@ -181,7 +181,7 @@ class TestAdminSettingsController(TestCo
ga_code=new_ga_code,
captcha_private_key='',
captcha_public_key='1234567890',
- _authentication_token=self.authentication_token(),
+ _session_csrf_secret_token=self.session_csrf_secret_token(),
))
self.checkSessionFlash(response, 'Updated application settings')
@@ -203,7 +203,7 @@ class TestAdminSettingsController(TestCo
ga_code='',
captcha_private_key='',
captcha_public_key='',
- _authentication_token=self.authentication_token(),
+ _session_csrf_secret_token=self.session_csrf_secret_token(),
))
self.checkSessionFlash(response, 'Updated application settings')
diff --git a/kallithea/tests/functional/test_admin_user_groups.py b/kallithea/tests/functional/test_admin_user_groups.py
--- a/kallithea/tests/functional/test_admin_user_groups.py
+++ b/kallithea/tests/functional/test_admin_user_groups.py
@@ -20,7 +20,7 @@ class TestAdminUsersGroupsController(Tes
{'users_group_name': users_group_name,
'user_group_description': u'DESC',
'active': True,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
self.checkSessionFlash(response,
@@ -36,7 +36,7 @@ class TestAdminUsersGroupsController(Tes
def test_update_browser_fakeout(self):
response = self.app.post(url('update_users_group', id=1),
- params=dict(_authentication_token=self.authentication_token()))
+ params=dict(_session_csrf_secret_token=self.session_csrf_secret_token()))
def test_delete(self):
self.log_user()
@@ -45,7 +45,7 @@ class TestAdminUsersGroupsController(Tes
{'users_group_name': users_group_name,
'user_group_description': u'DESC',
'active': True,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
self.checkSessionFlash(response,
@@ -55,7 +55,7 @@ class TestAdminUsersGroupsController(Tes
.filter(UserGroup.users_group_name == users_group_name).one()
response = self.app.post(url('delete_users_group', id=gr.users_group_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
gr = Session().query(UserGroup) \
.filter(UserGroup.users_group_name == users_group_name).scalar()
@@ -69,7 +69,7 @@ class TestAdminUsersGroupsController(Tes
{'users_group_name': users_group_name,
'user_group_description': u'DESC',
'active': True,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
ug = UserGroup.get_by_group_name(users_group_name)
@@ -79,7 +79,7 @@ class TestAdminUsersGroupsController(Tes
response = self.app.post(url('edit_user_group_default_perms_update',
id=ug.users_group_id),
{'create_repo_perm': True,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
ug = UserGroup.get_by_group_name(users_group_name)
p = Permission.get_by_key('hg.create.repository')
@@ -97,7 +97,7 @@ class TestAdminUsersGroupsController(Tes
## DISABLE REPO CREATE ON A GROUP
response = self.app.post(
url('edit_user_group_default_perms_update', id=ug.users_group_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
ug = UserGroup.get_by_group_name(users_group_name)
@@ -118,7 +118,7 @@ class TestAdminUsersGroupsController(Tes
ug = UserGroup.get_by_group_name(users_group_name)
ugid = ug.users_group_id
response = self.app.post(url('delete_users_group', id=ug.users_group_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
response = response.follow()
gr = Session().query(UserGroup) \
.filter(UserGroup.users_group_name == users_group_name).scalar()
@@ -138,7 +138,7 @@ class TestAdminUsersGroupsController(Tes
{'users_group_name': users_group_name,
'user_group_description': u'DESC',
'active': True,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
ug = UserGroup.get_by_group_name(users_group_name)
@@ -147,7 +147,7 @@ class TestAdminUsersGroupsController(Tes
## ENABLE REPO CREATE ON A GROUP
response = self.app.post(url('edit_user_group_default_perms_update',
id=ug.users_group_id),
- {'fork_repo_perm': True, '_authentication_token': self.authentication_token()})
+ {'fork_repo_perm': True, '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
ug = UserGroup.get_by_group_name(users_group_name)
@@ -165,7 +165,7 @@ class TestAdminUsersGroupsController(Tes
## DISABLE REPO CREATE ON A GROUP
response = self.app.post(url('edit_user_group_default_perms_update', id=ug.users_group_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
response.follow()
ug = UserGroup.get_by_group_name(users_group_name)
@@ -185,7 +185,7 @@ class TestAdminUsersGroupsController(Tes
ug = UserGroup.get_by_group_name(users_group_name)
ugid = ug.users_group_id
response = self.app.post(url('delete_users_group', id=ug.users_group_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
response = response.follow()
gr = Session().query(UserGroup) \
.filter(UserGroup.users_group_name ==
@@ -201,4 +201,4 @@ class TestAdminUsersGroupsController(Tes
def test_delete_browser_fakeout(self):
response = self.app.post(url('delete_users_group', id=1),
- params=dict(_authentication_token=self.authentication_token()))
+ params=dict(_session_csrf_secret_token=self.session_csrf_secret_token()))
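Review bot: `test_delete_browser_fakeout` stores the POST result in `response`, but the visible lines assert nothing explicit about it, so the test pins no particular outcome. Passing the expected code to the call, `self.app.post(..., status=<expected status>)`, as other tests in this diff do with `status=404`, would state what the request is supposed to produce. The hunk appears to end the file, but anything after it is not visible here.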
diff --git a/kallithea/tests/functional/test_admin_users.py b/kallithea/tests/functional/test_admin_users.py
--- a/kallithea/tests/functional/test_admin_users.py
+++ b/kallithea/tests/functional/test_admin_users.py
@@ -76,7 +76,7 @@ class TestAdminUsersController(TestContr
'extern_name': 'internal',
'extern_type': 'internal',
'email': email,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
# 302 Found
# The resource was found at http://localhost/_admin/users/5/edit; you should be redirected automatically.
@@ -109,7 +109,7 @@ class TestAdminUsersController(TestContr
'active': False,
'lastname': lastname,
'email': email,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
with test_context(self.app):
msg = validators.ValidUsername(False, {})._messages['system_invalid_username']
@@ -166,10 +166,10 @@ class TestAdminUsersController(TestContr
# special case since this user is not logged in yet his data is
# not filled so we use creation data
- params.update({'_authentication_token': self.authentication_token()})
+ params.update({'_session_csrf_secret_token': self.session_csrf_secret_token()})
response = self.app.post(url('update_user', id=usr.user_id), params)
self.checkSessionFlash(response, 'User updated successfully')
- params.pop('_authentication_token')
+ params.pop('_session_csrf_secret_token')
updated_user = User.get_by_username(self.test_user_1)
updated_params = updated_user.get_api_data(True)
@@ -187,7 +187,7 @@ class TestAdminUsersController(TestContr
new_user = Session().query(User) \
.filter(User.username == username).one()
response = self.app.post(url('delete_user', id=new_user.user_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Successfully deleted user')
@@ -202,18 +202,18 @@ class TestAdminUsersController(TestContr
new_user = Session().query(User) \
.filter(User.username == username).one()
response = self.app.post(url('delete_user', id=new_user.user_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'User "%s" still '
'owns 1 repositories and cannot be removed. '
'Switch owners or remove those repositories: '
'%s' % (username, reponame))
response = self.app.post(url('delete_repo', repo_name=reponame),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Deleted repository %s' % reponame)
response = self.app.post(url('delete_user', id=new_user.user_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Successfully deleted user')
def test_delete_repo_group_err(self, user_and_repo_group_fail):
@@ -224,7 +224,7 @@ class TestAdminUsersController(TestContr
self.log_user()
response = self.app.post(url('delete_user', id=new_user.user_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'User "%s" still '
'owns 1 repository groups and cannot be removed. '
'Switch owners or remove those repository groups: '
@@ -235,11 +235,11 @@ class TestAdminUsersController(TestContr
# response = self.app.get(url('repos_groups', id=rg.group_id))
response = self.app.post(url('delete_repo_group', group_name=groupname),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Removed repository group %s' % groupname)
response = self.app.post(url('delete_user', id=new_user.user_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Successfully deleted user')
def test_delete_user_group_err(self):
@@ -253,7 +253,7 @@ class TestAdminUsersController(TestContr
new_user = Session().query(User) \
.filter(User.username == username).one()
response = self.app.post(url('delete_user', id=new_user.user_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'User "%s" still '
'owns 1 user groups and cannot be removed. '
'Switch owners or remove those user groups: '
@@ -266,7 +266,7 @@ class TestAdminUsersController(TestContr
fixture.destroy_user_group(ug.users_group_id)
response = self.app.post(url('delete_user', id=new_user.user_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Successfully deleted user')
def test_edit(self):
@@ -292,7 +292,7 @@ class TestAdminUsersController(TestContr
response = self.app.post(url('edit_user_perms_update', id=uid),
params=dict(create_repo_perm=True,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
perm_none = Permission.get_by_key('hg.create.none')
perm_create = Permission.get_by_key('hg.create.repository')
@@ -321,7 +321,7 @@ class TestAdminUsersController(TestContr
assert UserModel().has_perm(user, perm_create) == False
response = self.app.post(url('edit_user_perms_update', id=uid),
- params=dict(_authentication_token=self.authentication_token()))
+ params=dict(_session_csrf_secret_token=self.session_csrf_secret_token()))
perm_none = Permission.get_by_key('hg.create.none')
perm_create = Permission.get_by_key('hg.create.repository')
@@ -351,7 +351,7 @@ class TestAdminUsersController(TestContr
response = self.app.post(url('edit_user_perms_update', id=uid),
params=dict(create_repo_perm=True,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
perm_none = Permission.get_by_key('hg.create.none')
perm_create = Permission.get_by_key('hg.create.repository')
@@ -380,7 +380,7 @@ class TestAdminUsersController(TestContr
assert UserModel().has_perm(user, perm_fork) == False
response = self.app.post(url('edit_user_perms_update', id=uid),
- params=dict(_authentication_token=self.authentication_token()))
+ params=dict(_session_csrf_secret_token=self.session_csrf_secret_token()))
perm_none = Permission.get_by_key('hg.create.none')
perm_create = Permission.get_by_key('hg.create.repository')
@@ -412,7 +412,7 @@ class TestAdminUsersController(TestContr
user_id = user.user_id
response = self.app.post(url('edit_user_ips_update', id=user_id),
- params=dict(new_ip=ip, _authentication_token=self.authentication_token()))
+ params=dict(new_ip=ip, _session_csrf_secret_token=self.session_csrf_secret_token()))
if failure:
self.checkSessionFlash(response, 'Please enter a valid IPv4 or IPv6 address')
@@ -441,7 +441,7 @@ class TestAdminUsersController(TestContr
response.mustcontain(ip_range)
self.app.post(url('edit_user_ips_delete', id=user_id),
- params=dict(del_ip_id=new_ip_id, _authentication_token=self.authentication_token()))
+ params=dict(del_ip_id=new_ip_id, _session_csrf_secret_token=self.session_csrf_secret_token()))
response = self.app.get(url('edit_user_ips', id=user_id))
response.mustcontain('All IP addresses are allowed')
@@ -467,7 +467,7 @@ class TestAdminUsersController(TestContr
user_id = user.user_id
response = self.app.post(url('edit_user_api_keys_update', id=user_id),
- {'description': desc, 'lifetime': lifetime, '_authentication_token': self.authentication_token()})
+ {'description': desc, 'lifetime': lifetime, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully created')
try:
response = response.follow()
@@ -485,7 +485,7 @@ class TestAdminUsersController(TestContr
user_id = user.user_id
response = self.app.post(url('edit_user_api_keys_update', id=user_id),
- {'description': 'desc', 'lifetime': -1, '_authentication_token': self.authentication_token()})
+ {'description': 'desc', 'lifetime': -1, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully created')
response = response.follow()
@@ -494,7 +494,7 @@ class TestAdminUsersController(TestContr
assert 1 == len(keys)
response = self.app.post(url('edit_user_api_keys_delete', id=user_id),
- {'del_api_key': keys[0].api_key, '_authentication_token': self.authentication_token()})
+ {'del_api_key': keys[0].api_key, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully deleted')
keys = UserApiKeys.query().filter(UserApiKeys.user_id == user_id).all()
assert 0 == len(keys)
@@ -509,7 +509,7 @@ class TestAdminUsersController(TestContr
response.mustcontain('Expires: Never')
response = self.app.post(url('edit_user_api_keys_delete', id=user_id),
- {'del_api_key_builtin': api_key, '_authentication_token': self.authentication_token()})
+ {'del_api_key_builtin': api_key, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully reset')
response = response.follow()
response.mustcontain(no=[api_key])
@@ -526,7 +526,7 @@ class TestAdminUsersController(TestContr
response = self.app.post(url('edit_user_ssh_keys', id=user_id),
{'description': description,
'public_key': public_key,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'SSH key %s successfully added' % fingerprint)
response = response.follow()
@@ -549,7 +549,7 @@ class TestAdminUsersController(TestContr
response = self.app.post(url('edit_user_ssh_keys', id=user_id),
{'description': description,
'public_key': public_key,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'SSH key %s successfully added' % fingerprint)
response.follow()
ssh_key = UserSshKeys.query().filter(UserSshKeys.user_id == user_id).one()
@@ -557,7 +557,7 @@ class TestAdminUsersController(TestContr
response = self.app.post(url('edit_user_ssh_keys_delete', id=user_id),
{'del_public_key': ssh_key.public_key,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'SSH key successfully deleted')
keys = UserSshKeys.query().all()
assert 0 == len(keys)
@@ -606,13 +606,13 @@ class TestAdminUsersControllerForDefault
self.log_user()
user = User.get_default_user()
response = self.app.post(url('edit_user_api_keys_update', id=user.user_id),
- {'_authentication_token': self.authentication_token()}, status=404)
+ {'_session_csrf_secret_token': self.session_csrf_secret_token()}, status=404)
def test_delete_api_keys_default_user(self):
self.log_user()
user = User.get_default_user()
response = self.app.post(url('edit_user_api_keys_delete', id=user.user_id),
- {'_authentication_token': self.authentication_token()}, status=404)
+ {'_session_csrf_secret_token': self.session_csrf_secret_token()}, status=404)
# Permissions
def test_edit_perms_default_user(self):
@@ -624,7 +624,7 @@ class TestAdminUsersControllerForDefault
self.log_user()
user = User.get_default_user()
response = self.app.post(url('edit_user_perms_update', id=user.user_id),
- {'_authentication_token': self.authentication_token()}, status=404)
+ {'_session_csrf_secret_token': self.session_csrf_secret_token()}, status=404)
# Emails
def test_edit_emails_default_user(self):
@@ -636,13 +636,13 @@ class TestAdminUsersControllerForDefault
self.log_user()
user = User.get_default_user()
response = self.app.post(url('edit_user_emails_update', id=user.user_id),
- {'_authentication_token': self.authentication_token()}, status=404)
+ {'_session_csrf_secret_token': self.session_csrf_secret_token()}, status=404)
def test_delete_emails_default_user(self):
self.log_user()
user = User.get_default_user()
response = self.app.post(url('edit_user_emails_delete', id=user.user_id),
- {'_authentication_token': self.authentication_token()}, status=404)
+ {'_session_csrf_secret_token': self.session_csrf_secret_token()}, status=404)
# IP addresses
# Add/delete of IP addresses for the default user is used to maintain
diff --git a/kallithea/tests/functional/test_changeset_pullrequests_comments.py b/kallithea/tests/functional/test_changeset_pullrequests_comments.py
--- a/kallithea/tests/functional/test_changeset_pullrequests_comments.py
+++ b/kallithea/tests/functional/test_changeset_pullrequests_comments.py
@@ -18,7 +18,7 @@ class TestChangeSetCommentsController(Te
rev = '27cd5cce30c96924232dffcd24178a07ffeb5dfc'
text = u'general comment on changeset'
- params = {'text': text, '_authentication_token': self.authentication_token()}
+ params = {'text': text, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='changeset', action='comment',
repo_name=HG_REPO, revision=rev),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -43,7 +43,7 @@ class TestChangeSetCommentsController(Te
f_path = 'vcs/web/simplevcs/views/repository.py'
line = 'n1'
- params = {'text': text, 'f_path': f_path, 'line': line, '_authentication_token': self.authentication_token()}
+ params = {'text': text, 'f_path': f_path, 'line': line, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='changeset', action='comment',
repo_name=HG_REPO, revision=rev),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -72,7 +72,7 @@ class TestChangeSetCommentsController(Te
rev = '27cd5cce30c96924232dffcd24178a07ffeb5dfc'
text = u'@%s check CommentOnRevision' % TEST_USER_REGULAR_LOGIN
- params = {'text': text, '_authentication_token': self.authentication_token()}
+ params = {'text': text, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='changeset', action='comment',
repo_name=HG_REPO, revision=rev),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -96,7 +96,7 @@ class TestChangeSetCommentsController(Te
text = u'general comment on changeset'
params = {'text': text, 'changeset_status': 'rejected',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='changeset', action='comment',
repo_name=HG_REPO, revision=rev),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -123,7 +123,7 @@ class TestChangeSetCommentsController(Te
rev = '27cd5cce30c96924232dffcd24178a07ffeb5dfc'
text = u'general comment on changeset to be deleted'
- params = {'text': text, '_authentication_token': self.authentication_token()}
+ params = {'text': text, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='changeset', action='comment',
repo_name=HG_REPO, revision=rev),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -135,7 +135,7 @@ class TestChangeSetCommentsController(Te
self.app.post(url("changeset_comment_delete",
repo_name=HG_REPO,
comment_id=comment_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
comments = ChangesetComment.query().all()
assert len(comments) == 0
@@ -165,7 +165,7 @@ class TestPullrequestsCommentsController
'other_ref': 'branch:default:96507bd11ecc815ebc6270fdf6db110928c09c1e',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
pr_id = int(re.search('/pull-request/(\d+)/', response.location).group(1))
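Review bot: The pattern on the `re.search` context line, `'/pull-request/(\d+)/'`, relies on `\d` passing through a normal string literal as an unrecognised escape, which newer Python versions warn about. `r'/pull-request/(\d+)/'` says the same thing explicitly. The line is unchanged by this commit, and the enclosing method starts outside the hunk.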
@@ -176,7 +176,7 @@ class TestPullrequestsCommentsController
pr_id = self._create_pr()
text = u'general comment on pullrequest'
- params = {'text': text, '_authentication_token': self.authentication_token()}
+ params = {'text': text, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -204,7 +204,7 @@ class TestPullrequestsCommentsController
text = u'inline comment on changeset'
f_path = 'vcs/web/simplevcs/views/repository.py'
line = 'n1'
- params = {'text': text, 'f_path': f_path, 'line': line, '_authentication_token': self.authentication_token()}
+ params = {'text': text, 'f_path': f_path, 'line': line, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -232,7 +232,7 @@ class TestPullrequestsCommentsController
pr_id = self._create_pr()
text = u'@%s check CommentOnRevision' % TEST_USER_REGULAR_LOGIN
- params = {'text': text, '_authentication_token': self.authentication_token()}
+ params = {'text': text, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -256,7 +256,7 @@ class TestPullrequestsCommentsController
text = u'general comment on pullrequest'
params = {'text': text, 'changeset_status': 'rejected',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -286,7 +286,7 @@ class TestPullrequestsCommentsController
pr_id = self._create_pr()
text = u'general comment on changeset to be deleted'
- params = {'text': text, '_authentication_token': self.authentication_token()}
+ params = {'text': text, '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -298,7 +298,7 @@ class TestPullrequestsCommentsController
self.app.post(url("pullrequest_comment_delete",
repo_name=HG_REPO,
comment_id=comment_id),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
comments = ChangesetComment.query().all()
assert len(comments) == 1
@@ -317,7 +317,7 @@ class TestPullrequestsCommentsController
text = u'general comment on pullrequest'
params = {'text': text, 'save_close': 'close',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -340,7 +340,7 @@ class TestPullrequestsCommentsController
text = u'general comment on pullrequest'
params = {'text': text, 'save_delete': 'delete',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -360,7 +360,7 @@ class TestPullrequestsCommentsController
# first close
text = u'general comment on pullrequest'
params = {'text': text, 'save_close': 'close',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'})
@@ -368,7 +368,7 @@ class TestPullrequestsCommentsController
# attempt delete, should fail
params = {'text': text, 'save_delete': 'delete',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
response = self.app.post(url(controller='pullrequests', action='comment',
repo_name=HG_REPO, pull_request_id=pr_id),
params=params, extra_environ={'HTTP_X_PARTIAL_XHR': '1'}, status=403)
diff --git a/kallithea/tests/functional/test_files.py b/kallithea/tests/functional/test_files.py
--- a/kallithea/tests/functional/test_files.py
+++ b/kallithea/tests/functional/test_files.py
@@ -333,7 +333,7 @@ class TestFilesController(TestController
revision='tip', f_path='/'),
params={
'content': '',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
@@ -346,7 +346,7 @@ class TestFilesController(TestController
revision='tip', f_path='/'),
params={
'content': "foo",
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
@@ -366,7 +366,7 @@ class TestFilesController(TestController
'content': "foo",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
@@ -387,7 +387,7 @@ class TestFilesController(TestController
'content': "foo",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
try:
@@ -410,7 +410,7 @@ class TestFilesController(TestController
revision='tip', f_path='/'),
params={
'content': '',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
self.checkSessionFlash(response, 'No content')
@@ -422,7 +422,7 @@ class TestFilesController(TestController
revision='tip', f_path='/'),
params={
'content': "foo",
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
@@ -442,7 +442,7 @@ class TestFilesController(TestController
'content': "foo",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
@@ -463,7 +463,7 @@ class TestFilesController(TestController
'content': "foo",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
try:
@@ -493,7 +493,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -524,7 +524,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -538,7 +538,7 @@ class TestFilesController(TestController
params={
'content': "def py():\n print 'hello world'\n",
'message': 'i committed',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
self.checkSessionFlash(response, 'Successfully committed to %s'
@@ -567,7 +567,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -598,7 +598,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -612,7 +612,7 @@ class TestFilesController(TestController
params={
'content': "def py():\n print 'hello world'\n",
'message': 'i committed',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
self.checkSessionFlash(response, 'Successfully committed to %s'
@@ -641,7 +641,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -672,7 +672,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -685,7 +685,7 @@ class TestFilesController(TestController
f_path=posixpath.join(location, filename)),
params={
'message': 'i committed',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
self.checkSessionFlash(response,
@@ -714,7 +714,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -745,7 +745,7 @@ class TestFilesController(TestController
'content': "def py():\n print 'hello'\n",
'filename': filename,
'location': location,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response.follow()
@@ -758,7 +758,7 @@ class TestFilesController(TestController
f_path=posixpath.join(location, filename)),
params={
'message': 'i committed',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
self.checkSessionFlash(response,
diff --git a/kallithea/tests/functional/test_forks.py b/kallithea/tests/functional/test_forks.py
--- a/kallithea/tests/functional/test_forks.py
+++ b/kallithea/tests/functional/test_forks.py
@@ -54,7 +54,7 @@ class _BaseTestCase(TestController):
# try create a fork
repo_name = self.REPO
self.app.post(url(controller='forks', action='fork_create',
- repo_name=repo_name), {'_authentication_token': self.authentication_token()}, status=403)
+ repo_name=repo_name), {'_session_csrf_secret_token': self.session_csrf_secret_token()}, status=403)
finally:
usr = User.get_default_user()
user_model.revoke_perm(usr, 'hg.fork.none')
@@ -77,7 +77,7 @@ class _BaseTestCase(TestController):
'description': description,
'private': 'False',
'landing_rev': 'rev:tip',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
self.app.post(url(controller='forks', action='fork_create',
repo_name=repo_name), creation_args)
@@ -91,7 +91,7 @@ class _BaseTestCase(TestController):
# remove this fork
response = self.app.post(url('delete_repo', repo_name=fork_name),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
def test_fork_create_into_group(self):
self.log_user()
@@ -110,7 +110,7 @@ class _BaseTestCase(TestController):
'description': description,
'private': 'False',
'landing_rev': 'rev:tip',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
self.app.post(url(controller='forks', action='fork_create',
repo_name=repo_name), creation_args)
repo = Repository.get_by_repo_name(fork_name_full)
@@ -154,7 +154,7 @@ class _BaseTestCase(TestController):
'description': 'unicode repo 1',
'private': 'False',
'landing_rev': 'rev:tip',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
self.app.post(url(controller='forks', action='fork_create',
repo_name=repo_name), creation_args)
response = self.app.get(url(controller='forks', action='forks',
@@ -175,7 +175,7 @@ class _BaseTestCase(TestController):
'description': 'unicode repo 2',
'private': 'False',
'landing_rev': 'rev:tip',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
self.app.post(url(controller='forks', action='fork_create',
repo_name=fork_name), creation_args)
response = self.app.get(url(controller='forks', action='forks',
@@ -186,9 +186,9 @@ class _BaseTestCase(TestController):
# remove these forks
response = self.app.post(url('delete_repo', repo_name=fork_name_2),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
response = self.app.post(url('delete_repo', repo_name=fork_name),
- params={'_authentication_token': self.authentication_token()})
+ params={'_session_csrf_secret_token': self.session_csrf_secret_token()})
def test_fork_create_and_permissions(self):
self.log_user()
@@ -204,7 +204,7 @@ class _BaseTestCase(TestController):
'description': description,
'private': 'False',
'landing_rev': 'rev:tip',
- '_authentication_token': self.authentication_token()}
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}
self.app.post(url(controller='forks', action='fork_create',
repo_name=repo_name), creation_args)
repo = Repository.get_by_repo_name(self.REPO_FORK)
diff --git a/kallithea/tests/functional/test_login.py b/kallithea/tests/functional/test_login.py
--- a/kallithea/tests/functional/test_login.py
+++ b/kallithea/tests/functional/test_login.py
@@ -32,7 +32,7 @@ class TestLoginController(TestController
response = self.app.post(url(controller='login', action='index'),
{'username': TEST_USER_ADMIN_LOGIN,
'password': TEST_USER_ADMIN_PASS,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert response.status == '302 Found'
self.assert_authenticated_user(response, TEST_USER_ADMIN_LOGIN)
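Review bot: Every request in these login hunks, and in the rest of the diff as far as visible, sends a valid token; nothing shown posts with the field missing or under the old name `_authentication_token` and expects rejection. Since this commit changes the field name throughout, a negative test would confirm that a request carrying only the old field is refused rather than silently accepted. Such tests may already exist in files this diff does not touch.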
@@ -43,7 +43,7 @@ class TestLoginController(TestController
response = self.app.post(url(controller='login', action='index'),
{'username': TEST_USER_REGULAR_LOGIN,
'password': TEST_USER_REGULAR_PASS,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert response.status == '302 Found'
self.assert_authenticated_user(response, TEST_USER_REGULAR_LOGIN)
@@ -55,7 +55,7 @@ class TestLoginController(TestController
response = self.app.post(url(controller='login', action='index'),
{'username': TEST_USER_REGULAR_EMAIL,
'password': TEST_USER_REGULAR_PASS,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert response.status == '302 Found'
self.assert_authenticated_user(response, TEST_USER_REGULAR_LOGIN)
@@ -69,7 +69,7 @@ class TestLoginController(TestController
came_from=test_came_from),
{'username': TEST_USER_ADMIN_LOGIN,
'password': TEST_USER_ADMIN_PASS,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert response.status == '302 Found'
response = response.follow()
@@ -81,7 +81,7 @@ class TestLoginController(TestController
{'username': TEST_USER_REGULAR_LOGIN,
'password': TEST_USER_REGULAR_PASS,
'remember': False,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert 'Set-Cookie' in response.headers
for cookie in response.headers.getall('Set-Cookie'):
@@ -92,7 +92,7 @@ class TestLoginController(TestController
{'username': TEST_USER_REGULAR_LOGIN,
'password': TEST_USER_REGULAR_PASS,
'remember': True,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert 'Set-Cookie' in response.headers
for cookie in response.headers.getall('Set-Cookie'):
@@ -102,7 +102,7 @@ class TestLoginController(TestController
response = self.app.post(url(controller='login', action='index'),
{'username': TEST_USER_REGULAR_LOGIN,
'password': TEST_USER_REGULAR_PASS,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
# Verify that a login session has been established.
response = self.app.get(url(controller='login', action='index'))
@@ -131,14 +131,14 @@ class TestLoginController(TestController
came_from=url_came_from),
{'username': TEST_USER_ADMIN_LOGIN,
'password': TEST_USER_ADMIN_PASS,
- '_authentication_token': self.authentication_token()},
+ '_session_csrf_secret_token': self.session_csrf_secret_token()},
status=400)
def test_login_short_password(self):
response = self.app.post(url(controller='login', action='index'),
{'username': TEST_USER_ADMIN_LOGIN,
'password': 'as',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert response.status == '200 OK'
response.mustcontain('Enter 3 characters or more')
@@ -147,7 +147,7 @@ class TestLoginController(TestController
response = self.app.post(url(controller='login', action='index'),
{'username': 'error',
'password': 'test12',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('Invalid username or password')
@@ -155,7 +155,7 @@ class TestLoginController(TestController
response = self.app.post(url(controller='login', action='index'),
{'username': TEST_USER_REGULAR_LOGIN,
'password': 'blåbærgrød',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('>Invalid username or password<')
@@ -199,7 +199,7 @@ class TestLoginController(TestController
came_from=url('/_admin/users', **args)),
{'username': TEST_USER_ADMIN_LOGIN,
'password': TEST_USER_ADMIN_PASS,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert response.status == '302 Found'
for encoded in args_encoded:
assert encoded in response.location
@@ -214,7 +214,7 @@ class TestLoginController(TestController
came_from=url('/_admin/users', **args)),
{'username': 'error',
'password': 'test12',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('Invalid username or password')
came_from = urlparse.parse_qs(urlparse.urlparse(response.form.action).query)['came_from'][0]
@@ -237,7 +237,7 @@ class TestLoginController(TestController
'email': 'goodmail@example.com',
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
with test_context(self.app):
msg = validators.ValidUsername()._messages['username_exists']
@@ -252,7 +252,7 @@ class TestLoginController(TestController
'email': TEST_USER_ADMIN_EMAIL,
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
with test_context(self.app):
msg = validators.UniqSystemEmail()()._messages['email_taken']
@@ -266,7 +266,7 @@ class TestLoginController(TestController
'email': TEST_USER_ADMIN_EMAIL.title(),
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
with test_context(self.app):
msg = validators.UniqSystemEmail()()._messages['email_taken']
response.mustcontain(msg)
@@ -279,7 +279,7 @@ class TestLoginController(TestController
'email': 'goodmailm',
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
assert response.status == '200 OK'
response.mustcontain('An email address must contain a single @')
response.mustcontain('Enter a value 6 characters long or more')
@@ -292,7 +292,7 @@ class TestLoginController(TestController
'email': 'goodmailm',
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('An email address must contain a single @')
response.mustcontain('Username may only contain '
@@ -309,7 +309,7 @@ class TestLoginController(TestController
'email': 'goodmailm',
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('An email address must contain a single @')
with test_context(self.app):
@@ -325,7 +325,7 @@ class TestLoginController(TestController
'email': 'goodmailm@test.plx',
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
with test_context(self.app):
msg = validators.ValidPassword()._messages['invalid_password']
@@ -339,7 +339,7 @@ class TestLoginController(TestController
'email': 'goodmailm@test.plxa',
'firstname': 'test',
'lastname': 'test',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
with test_context(self.app):
msg = validators.ValidPasswordsMatch('password', 'password_confirmation')._messages['password_mismatch']
response.mustcontain(msg)
@@ -359,7 +359,7 @@ class TestLoginController(TestController
'firstname': name,
'lastname': lastname,
'admin': True,
- '_authentication_token': self.authentication_token()}) # This should be overridden
+ '_session_csrf_secret_token': self.session_csrf_secret_token()}) # This should be overridden
assert response.status == '302 Found'
self.checkSessionFlash(response, 'You have successfully registered with Kallithea')
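Review bot: The trailing comment `# This should be overridden` on the renamed `'_session_csrf_secret_token'` line most likely describes `'admin': True` one line up; after the rename it reads as if the CSRF token were the value being overridden. I would move it to the field it refers to, `'admin': True,  # This should be overridden`, so it stays clear that the test posts an `admin` flag which registration is expected to ignore. The test body starts before this hunk and continues past it, so whether it later asserts that the registered user is not an admin is not visible here; if it does not, that assertion would make the intent checkable.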
@@ -381,7 +381,7 @@ class TestLoginController(TestController
response = self.app.post(
url(controller='login', action='password_reset'),
{'email': bad_email,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('An email address must contain a single @')
@@ -410,7 +410,7 @@ class TestLoginController(TestController
response = self.app.post(url(controller='login',
action='password_reset'),
{'email': email,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'A password reset confirmation code has been sent')
@@ -427,7 +427,7 @@ class TestLoginController(TestController
'password': "p@ssw0rd",
'password_confirm': "p@ssw0rd",
'token': token,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
})
assert response.status == '200 OK'
response.mustcontain('Invalid password reset token')
@@ -438,7 +438,7 @@ class TestLoginController(TestController
# above, instead of being recalculated.
token = UserModel().get_reset_password_token(
- User.get_by_username(username), timestamp, self.authentication_token())
+ User.get_by_username(username), timestamp, self.session_csrf_secret_token())
response = self.app.get(url(controller='login',
action='password_reset_confirmation',
@@ -455,7 +455,7 @@ class TestLoginController(TestController
'password': "p@ssw0rd",
'password_confirm': "p@ssw0rd",
'token': token,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
})
assert response.status == '302 Found'
self.checkSessionFlash(response, 'Successfully updated password')
diff --git a/kallithea/tests/functional/test_my_account.py b/kallithea/tests/functional/test_my_account.py
--- a/kallithea/tests/functional/test_my_account.py
+++ b/kallithea/tests/functional/test_my_account.py
@@ -54,7 +54,7 @@ class TestMyAccountController(TestContro
response = self.app.get(url('my_account_emails'))
response.mustcontain('No additional emails specified')
response = self.app.post(url('my_account_emails'),
- {'new_email': TEST_USER_REGULAR_EMAIL, '_authentication_token': self.authentication_token()})
+ {'new_email': TEST_USER_REGULAR_EMAIL, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'This email address is already in use')
def test_my_account_my_emails_add_missing_email_in_form(self):
@@ -62,7 +62,7 @@ class TestMyAccountController(TestContro
response = self.app.get(url('my_account_emails'))
response.mustcontain('No additional emails specified')
response = self.app.post(url('my_account_emails'),
- {'_authentication_token': self.authentication_token()})
+ {'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Please enter an email address')
def test_my_account_my_emails_add_remove(self):
@@ -71,7 +71,7 @@ class TestMyAccountController(TestContro
response.mustcontain('No additional emails specified')
response = self.app.post(url('my_account_emails'),
- {'new_email': 'barz@example.com', '_authentication_token': self.authentication_token()})
+ {'new_email': 'barz@example.com', '_session_csrf_secret_token': self.session_csrf_secret_token()})
response = self.app.get(url('my_account_emails'))
@@ -84,7 +84,7 @@ class TestMyAccountController(TestContro
response.mustcontain('' % email_id)
response = self.app.post(url('my_account_emails_delete'),
- {'del_email_id': email_id, '_authentication_token': self.authentication_token()})
+ {'del_email_id': email_id, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Removed email from user')
response = self.app.get(url('my_account_emails'))
response.mustcontain('No additional emails specified')
@@ -119,7 +119,7 @@ class TestMyAccountController(TestContro
params.update({'new_password': ''})
params.update({'extern_type': 'internal'})
params.update({'extern_name': self.test_user_1})
- params.update({'_authentication_token': self.authentication_token()})
+ params.update({'_session_csrf_secret_token': self.session_csrf_secret_token()})
params.update(attrs)
response = self.app.post(url('my_account'), params)
@@ -148,7 +148,7 @@ class TestMyAccountController(TestContro
# my account cannot make you an admin !
params['admin'] = False
- params.pop('_authentication_token')
+ params.pop('_session_csrf_secret_token')
assert params == updated_params
def test_my_account_update_err_email_exists(self):
@@ -163,7 +163,7 @@ class TestMyAccountController(TestContro
firstname=u'NewName',
lastname=u'NewLastname',
email=new_email,
- _authentication_token=self.authentication_token())
+ _session_csrf_secret_token=self.session_csrf_secret_token())
)
response.mustcontain('This email address is already in use')
@@ -180,7 +180,7 @@ class TestMyAccountController(TestContro
firstname=u'NewName',
lastname=u'NewLastname',
email=new_email,
- _authentication_token=self.authentication_token()))
+ _session_csrf_secret_token=self.session_csrf_secret_token()))
response.mustcontain('An email address must contain a single @')
from kallithea.model import validators
@@ -206,7 +206,7 @@ class TestMyAccountController(TestContro
usr = self.log_user(TEST_USER_REGULAR2_LOGIN, TEST_USER_REGULAR2_PASS)
user = User.get(usr['user_id'])
response = self.app.post(url('my_account_api_keys'),
- {'description': desc, 'lifetime': lifetime, '_authentication_token': self.authentication_token()})
+ {'description': desc, 'lifetime': lifetime, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully created')
try:
response = response.follow()
@@ -222,7 +222,7 @@ class TestMyAccountController(TestContro
usr = self.log_user(TEST_USER_REGULAR2_LOGIN, TEST_USER_REGULAR2_PASS)
user = User.get(usr['user_id'])
response = self.app.post(url('my_account_api_keys'),
- {'description': 'desc', 'lifetime': -1, '_authentication_token': self.authentication_token()})
+ {'description': 'desc', 'lifetime': -1, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully created')
response = response.follow()
@@ -231,7 +231,7 @@ class TestMyAccountController(TestContro
assert 1 == len(keys)
response = self.app.post(url('my_account_api_keys_delete'),
- {'del_api_key': keys[0].api_key, '_authentication_token': self.authentication_token()})
+ {'del_api_key': keys[0].api_key, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully deleted')
keys = UserApiKeys.query().all()
assert 0 == len(keys)
@@ -245,7 +245,7 @@ class TestMyAccountController(TestContro
response.mustcontain('Expires: Never')
response = self.app.post(url('my_account_api_keys_delete'),
- {'del_api_key_builtin': api_key, '_authentication_token': self.authentication_token()})
+ {'del_api_key_builtin': api_key, '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'API key successfully reset')
response = response.follow()
response.mustcontain(no=[api_key])
@@ -259,7 +259,7 @@ class TestMyAccountController(TestContro
response = self.app.post(url('my_account_ssh_keys'),
{'description': description,
'public_key': public_key,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'SSH key %s successfully added' % fingerprint)
response = response.follow()
@@ -280,7 +280,7 @@ class TestMyAccountController(TestContro
response = self.app.post(url('my_account_ssh_keys'),
{'description': description,
'public_key': public_key,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'SSH key %s successfully added' % fingerprint)
response.follow()
user_id = response.session['authuser']['user_id']
@@ -289,7 +289,7 @@ class TestMyAccountController(TestContro
response = self.app.post(url('my_account_ssh_keys_delete'),
{'del_public_key': ssh_key.public_key,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'SSH key successfully deleted')
keys = UserSshKeys.query().all()
assert 0 == len(keys)
diff --git a/kallithea/tests/functional/test_pullrequests.py b/kallithea/tests/functional/test_pullrequests.py
--- a/kallithea/tests/functional/test_pullrequests.py
+++ b/kallithea/tests/functional/test_pullrequests.py
@@ -30,7 +30,7 @@ class TestPullrequestsController(TestCon
'other_ref': 'branch:default:96507bd11ecc815ebc6270fdf6db110928c09c1e',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response = response.follow()
@@ -49,7 +49,7 @@ class TestPullrequestsController(TestCon
'other_ref': 'branch:default:96507bd11ecc815ebc6270fdf6db110928c09c1e',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response = response.follow()
@@ -69,7 +69,7 @@ class TestPullrequestsController(TestCon
'other_ref': 'rev:94f45ed825a1:94f45ed825a113e61af7e141f44ca578374abef0',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
response = response.follow()
@@ -92,7 +92,7 @@ class TestPullrequestsController(TestCon
'other_ref': 'branch:default:96507bd11ecc815ebc6270fdf6db110928c09c1e',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
pull_request1_id = re.search('/pull-request/(\d+)/', response.location).group(1)
@@ -106,7 +106,7 @@ class TestPullrequestsController(TestCon
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
'owner': TEST_USER_ADMIN_LOGIN,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
'review_members': [regular_user.user_id],
},
status=302)
@@ -124,7 +124,7 @@ class TestPullrequestsController(TestCon
'pullrequest_title': 'Title',
'pullrequest_desc': 'description',
'owner': TEST_USER_ADMIN_LOGIN,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
'org_review_members': [admin_user.user_id], # fake - just to get some 'meanwhile' warning ... but it is also added ...
'review_members': [regular_user2.user_id, admin_user.user_id],
},
@@ -151,7 +151,7 @@ class TestPullrequestsController(TestCon
'other_ref': 'branch:default:96507bd11ecc815ebc6270fdf6db110928c09c1e',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
# location is of the form:
@@ -168,7 +168,7 @@ class TestPullrequestsController(TestCon
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
'owner': TEST_USER_ADMIN_LOGIN,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
'review_members': [str(invalid_user_id)],
},
status=400)
@@ -187,7 +187,7 @@ class TestPullrequestsController(TestCon
'other_ref': 'branch:default:96507bd11ecc815ebc6270fdf6db110928c09c1e',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
# location is of the form:
@@ -203,7 +203,7 @@ class TestPullrequestsController(TestCon
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
'owner': TEST_USER_ADMIN_LOGIN,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
'review_members': [str(invalid_user_id)],
},
status=400)
@@ -235,7 +235,7 @@ class TestPullrequestsController(TestCon
'other_ref': 'branch:default:3d1091ee5a533b1f4577ec7d8a226bb315fb1336',
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
pr1_id = int(re.search('/pull-request/(\d+)/', response.location).group(1))
@@ -254,7 +254,7 @@ class TestPullrequestsController(TestCon
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
'owner': TEST_USER_REGULAR_LOGIN,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
pr2_id = int(re.search('/pull-request/(\d+)/', response.location).group(1))
@@ -276,7 +276,7 @@ class TestPullrequestsController(TestCon
'pullrequest_title': 'title',
'pullrequest_desc': 'description',
'owner': TEST_USER_REGULAR_LOGIN,
- '_authentication_token': self.authentication_token(),
+ '_session_csrf_secret_token': self.session_csrf_secret_token(),
},
status=302)
pr3_id = int(re.search('/pull-request/(\d+)/', response.location).group(1))
diff --git a/kallithea/tests/functional/test_repo_groups.py b/kallithea/tests/functional/test_repo_groups.py
--- a/kallithea/tests/functional/test_repo_groups.py
+++ b/kallithea/tests/functional/test_repo_groups.py
@@ -20,7 +20,7 @@ class TestRepoGroupsController(TestContr
# creation with form error
response = self.app.post(url('repos_groups'),
{'group_name': group_name,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('name="group_name" type="text" value="%s"' % group_name)
response.mustcontain('')
@@ -30,7 +30,7 @@ class TestRepoGroupsController(TestContr
'group_description': 'lala',
'parent_group_id': '-1',
'group_copy_permissions': 'True',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Created repository group %s' % group_name)
# edit form
@@ -40,7 +40,7 @@ class TestRepoGroupsController(TestContr
# edit with form error
response = self.app.post(url('update_repos_group', group_name=group_name),
{'group_name': group_name,
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
response.mustcontain('name="group_name" type="text" value="%s"' % group_name)
response.mustcontain('')
@@ -48,7 +48,7 @@ class TestRepoGroupsController(TestContr
response = self.app.post(url('update_repos_group', group_name=group_name),
{'group_name': group_name,
'group_description': 'lolo',
- '_authentication_token': self.authentication_token()})
+ '_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Updated repository group %s' % group_name)
response = response.follow()
response.mustcontain('name="group_name" type="text" value="%s"' % group_name)
@@ -69,7 +69,7 @@ class TestRepoGroupsController(TestContr
# delete
response = self.app.post(url('delete_repo_group', group_name=group_name),
- {'_authentication_token': self.authentication_token()})
+ {'_session_csrf_secret_token': self.session_csrf_secret_token()})
self.checkSessionFlash(response, 'Removed repository group %s' % group_name)
def test_new_by_regular_user(self):