fix block uploader tests
aspedrosa committed Jan 25, 2022
1 parent ed88b73 commit d91f65c
Showing 4 changed files with 3 additions and 16 deletions.
2 changes: 0 additions & 2 deletions dashboard_viewer/dashboard_viewer/settings.py
Expand Up @@ -337,7 +337,5 @@ def constance_updated(key, old_value, **_):
"Only include the hostname part of the URL."
)

X_FRAME_OPTIONS = f"ALLOW-FROM https://{MAIN_APPLICATION_HOST}/"

# required since django 3.2
DEFAULT_AUTO_FIELD = "django.db.models.AutoField"
3 changes: 3 additions & 0 deletions dashboard_viewer/uploader/decorators.py
Expand Up @@ -2,6 +2,7 @@

from django.conf import settings
from django.http import HttpResponseForbidden
from django.views.decorators.clickjacking import xframe_options_exempt
from django.views.decorators.csrf import csrf_exempt


Expand All @@ -13,6 +14,8 @@ def uploader_decorator(view_func):
Else don't do any verification
"""
wrapped_view = csrf_exempt(view_func)
wrapped_view = xframe_options_exempt(wrapped_view)

if not settings.SINGLE_APPLICATION_MODE:

def check_host(request, *args, **kwargs):
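Review bot: `wrapped_view = xframe_options_exempt(wrapped_view)` sits above the `if not settings.SINGLE_APPLICATION_MODE:` test, so every view behind `uploader_decorator` is CSRF-exempt and also exempt from the X-Frame-Options header in both modes. With the `ALLOW-FROM` setting removed from settings.py, nothing visible in this commit limits which origin may embed these pages. If only the main application needs to frame them, the exemption could move inside that branch, and the wrapped response could carry the supported replacement for `ALLOW-FROM`, e.g. `response["Content-Security-Policy"] = f"frame-ancestors https://{settings.MAIN_APPLICATION_HOST}"`. A comment above the line such as `# uploader pages are embedded in an iframe by the main application, hence no X-Frame-Options` would record why the exemption exists. The body of `check_host` and the rest of `uploader_decorator` lie outside the hunk, so whether the host check already constrains embedding cannot be confirmed from here, and the header assertions dropped from tests.py leave the framing behaviour untested.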
10 changes: 0 additions & 10 deletions dashboard_viewer/uploader/tests.py
Expand Up @@ -46,19 +46,11 @@ def test_not_block_if_correct_host(self):
response = self.client.get("/uploader/test/", HTTP_HOST="mainapp.host.com")

self.assertEqual(200, response.status_code)
self.assertTrue(response.has_header("X-Frame-Options"))
self.assertEqual(
"ALLOW-FROM HTTPS://MAINAPP.HOST.COM/", response["X-Frame-Options"]
)

def test_not_block_other_urls(self):
response = self.client.get("/admin/login/", HTTP_HOST="thisapp.host.com")

self.assertEqual(200, response.status_code)
self.assertTrue(response.has_header("X-Frame-Options"))
self.assertEqual(
"ALLOW-FROM HTTPS://MAINAPP.HOST.COM/", response["X-Frame-Options"]
)


class UploaderNonRestrictedAccess(TestCase):
Expand All @@ -74,8 +66,6 @@ def test_not_block_if_single_application(self):
response = self.client.get("/uploader/test/", HTTP_HOST="some.domain.com")

self.assertEqual(200, response.status_code)
if response.has_header("X-Frame-Options"):
self.assertNotIn("ALLOW-FROM ", response.get("X-Frame-Options"))


class DataSourceCreator:
4 changes: 0 additions & 4 deletions dashboard_viewer/uploader/views.py
Expand Up @@ -6,7 +6,6 @@
from django.http import JsonResponse
from django.shortcuts import get_object_or_404, redirect, render
from django.utils.html import format_html, mark_safe
from django.views.decorators.clickjacking import xframe_options_exempt
from rest_framework.response import Response
from rest_framework.viewsets import GenericViewSet

Expand All @@ -20,7 +19,6 @@


@uploader_decorator
@xframe_options_exempt
def upload_achilles_results(request, *args, **kwargs):
data_source = kwargs.get("data_source")
try:
Expand Down Expand Up @@ -155,7 +153,6 @@ def _leave_valid_fields_values_only(request, initial, aux_form):


@uploader_decorator
@xframe_options_exempt
def create_data_source(request, *_, **kwargs):
data_source = kwargs.get("data_source")
if request.method == "GET":
Expand Down Expand Up @@ -237,7 +234,6 @@ def create_data_source(request, *_, **kwargs):


@uploader_decorator
@xframe_options_exempt
def edit_data_source(request, *_, **kwargs):
data_source = kwargs.get("data_source")
try: