When client GETs instead of POSTs, return HTTP 400

2016-12-21 17:22:48 +02:00 · 2016-12-21 17:22:48 +02:00 · 5a533441b5
commit 5a533441b5
parent d9171adb1d
7 changed files with 48 additions and 6 deletions
--- a/hc/front/tests/test_add_check.py
+++ b/hc/front/tests/test_add_check.py
@ -19,3 +19,9 @@ class AddCheckTestCase(BaseTestCase):
        check = Check.objects.get()
        # Added by bob, but should belong to alice (bob has team access)
        self.assertEqual(check.user, self.alice)
+
+    def test_it_rejects_get(self):
+        url = "/checks/add/"
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
--- a/hc/front/tests/test_pause.py
+++ b/hc/front/tests/test_pause.py
@ -18,3 +18,9 @@ class PauseTestCase(BaseTestCase):

        self.check.refresh_from_db()
        self.assertEqual(self.check.status, "paused")
+
+    def test_it_rejects_get(self):
+        url = "/checks/%s/pause/" % self.check.code
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
--- a/hc/front/tests/test_remove_channel.py
+++ b/hc/front/tests/test_remove_channel.py
@ -47,3 +47,9 @@ class RemoveChannelTestCase(BaseTestCase):
        self.client.login(username="alice@example.org", password="password")
        r = self.client.post(url)
        assert r.status_code == 302
+
+    def test_it_rejects_get(self):
+        url = "/integrations/%s/remove/" % self.channel.code
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
--- a/hc/front/tests/test_remove_check.py
+++ b/hc/front/tests/test_remove_check.py
@ -48,3 +48,9 @@ class RemoveCheckTestCase(BaseTestCase):
        self.client.login(username="alice@example.org", password="password")
        r = self.client.post(url)
        assert r.status_code == 404
+
+    def test_it_rejects_get(self):
+        url = "/checks/%s/remove/" % self.check.code
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
--- a/hc/front/tests/test_update_name.py
+++ b/hc/front/tests/test_update_name.py
@ -66,3 +66,9 @@ class UpdateNameTestCase(BaseTestCase):

        check = Check.objects.get(id=self.check.id)
        self.assertEqual(check.tags, "foo bar baz")
+
+    def test_it_rejects_get(self):
+        url = "/checks/%s/name/" % self.check.code
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
--- a/hc/front/tests/test_update_timeout.py
+++ b/hc/front/tests/test_update_timeout.py
@ -102,3 +102,9 @@ class UpdateTimeoutTestCase(BaseTestCase):
        self.client.login(username="charlie@example.org", password="password")
        r = self.client.post(url, data=payload)
        assert r.status_code == 403
+
+    def test_it_rejects_get(self):
+        url = "/checks/%s/timeout/" % self.check.code
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
--- a/hc/front/views.py
+++ b/hc/front/views.py
@ -127,7 +127,8 @@ def about(request):

@login_required
 def add_check(request):
-    assert request.method == "POST"
+    if request.method != "POST":
+        return HttpResponseBadRequest()

    check = Check(user=request.team.user)
    check.save()
@ -140,7 +141,8 @@ def add_check(request):
@login_required
@uuid_or_400
 def update_name(request, code):
-    assert request.method == "POST"
+    if request.method != "POST":
+        return HttpResponseBadRequest()

    check = get_object_or_404(Check, code=code)
    if check.user_id != request.team.user.id:
@ -158,7 +160,8 @@ def update_name(request, code):
@login_required
@uuid_or_400
 def update_timeout(request, code):
-    assert request.method == "POST"
+    if request.method != "POST":
+        return HttpResponseBadRequest()

    check = get_object_or_404(Check, code=code)
    if check.user != request.team.user:
@ -183,7 +186,8 @@ def update_timeout(request, code):
@login_required
@uuid_or_400
 def pause(request, code):
-    assert request.method == "POST"
+    if request.method != "POST":
+        return HttpResponseBadRequest()

    check = get_object_or_404(Check, code=code)
    if check.user_id != request.team.user.id:
@ -198,7 +202,8 @@ def pause(request, code):
@login_required
@uuid_or_400
 def remove_check(request, code):
-    assert request.method == "POST"
+    if request.method != "POST":
+        return HttpResponseBadRequest()

    check = get_object_or_404(Check, code=code)
    if check.user != request.team.user:
@ -318,7 +323,8 @@ def verify_email(request, code, token):
@login_required
@uuid_or_400
 def remove_channel(request, code):
-    assert request.method == "POST"
+    if request.method != "POST":
+        return HttpResponseBadRequest()

    # user may refresh the page during POST and cause two deletion attempts
    channel = Channel.objects.filter(code=code).first()