diff --git a/hc/front/tests/test_add_check.py b/hc/front/tests/test_add_check.py
index c792eddf..a0dc89ff 100644
--- a/hc/front/tests/test_add_check.py
+++ b/hc/front/tests/test_add_check.py
@@ -19,3 +19,9 @@ class AddCheckTestCase(BaseTestCase):
 check = Check.objects.get()
 # Added by bob, but should belong to alice (bob has team access)
 self.assertEqual(check.user, self.alice)
+
+ def test_it_rejects_get(self):
+ url = "/checks/add/"
+ self.client.login(username="alice@example.org", password="password")
+ r = self.client.get(url)
+ self.assertEqual(r.status_code, 400)
diff --git a/hc/front/tests/test_pause.py b/hc/front/tests/test_pause.py
index 8a0c80d7..26d709f6 100644
--- a/hc/front/tests/test_pause.py
+++ b/hc/front/tests/test_pause.py
@@ -18,3 +18,9 @@ class PauseTestCase(BaseTestCase):
 self.check.refresh_from_db()
 self.assertEqual(self.check.status, "paused")
+
+ def test_it_rejects_get(self):
+ url = "/checks/%s/pause/" % self.check.code
+ self.client.login(username="alice@example.org", password="password")
+ r = self.client.get(url)
+ self.assertEqual(r.status_code, 400)
diff --git a/hc/front/tests/test_remove_channel.py b/hc/front/tests/test_remove_channel.py
index 7f54a741..8cd8e311 100644
--- a/hc/front/tests/test_remove_channel.py
+++ b/hc/front/tests/test_remove_channel.py
@@ -47,3 +47,9 @@ class RemoveChannelTestCase(BaseTestCase):
 self.client.login(username="alice@example.org", password="password")
 r = self.client.post(url)
 assert r.status_code == 302
+
+ def test_it_rejects_get(self):
+ url = "/integrations/%s/remove/" % self.channel.code
+ self.client.login(username="alice@example.org", password="password")
+ r = self.client.get(url)
+ self.assertEqual(r.status_code, 400)
diff --git a/hc/front/tests/test_remove_check.py b/hc/front/tests/test_remove_check.py
index eca3c7d1..d2c09d32 100644
--- a/hc/front/tests/test_remove_check.py
+++ b/hc/front/tests/test_remove_check.py
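Review bot: test_it_rejects_get in test_add_check.py only asserts the status code, so a view that created the check and then returned 400 would still pass; since the preceding test's `Check.objects.get()` implies the fixture starts with no checks, adding `self.assertFalse(Check.objects.exists())` after the GET pins the "rejected before any side effect" behaviour. The same gap is in the test_pause, test_remove_channel, test_remove_check, test_update_name and test_update_timeout hunks, where a `refresh_from_db()` followed by an assertion that the status, name/timeout or continued existence of self.check (or self.channel) is unchanged would do the same. Whether Check and Channel are imported in those other test modules is not visible in these hunks, so that needs checking before copying the assertion.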
@@ -48,3 +48,9 @@ class RemoveCheckTestCase(BaseTestCase):
 self.client.login(username="alice@example.org", password="password")
 r = self.client.post(url)
 assert r.status_code == 404
+
+ def test_it_rejects_get(self):
+ url = "/checks/%s/remove/" % self.check.code
+ self.client.login(username="alice@example.org", password="password")
+ r = self.client.get(url)
+ self.assertEqual(r.status_code, 400)
diff --git a/hc/front/tests/test_update_name.py b/hc/front/tests/test_update_name.py
index 2c2fef64..047db4b9 100644
--- a/hc/front/tests/test_update_name.py
+++ b/hc/front/tests/test_update_name.py
@@ -66,3 +66,9 @@ class UpdateNameTestCase(BaseTestCase):
 check = Check.objects.get(id=self.check.id)
 self.assertEqual(check.tags, "foo bar baz")
+
+ def test_it_rejects_get(self):
+ url = "/checks/%s/name/" % self.check.code
+ self.client.login(username="alice@example.org", password="password")
+ r = self.client.get(url)
+ self.assertEqual(r.status_code, 400)
diff --git a/hc/front/tests/test_update_timeout.py b/hc/front/tests/test_update_timeout.py
index c0e12b76..ca2ba537 100644
--- a/hc/front/tests/test_update_timeout.py
+++ b/hc/front/tests/test_update_timeout.py
@@ -102,3 +102,9 @@ class UpdateTimeoutTestCase(BaseTestCase):
 self.client.login(username="charlie@example.org", password="password")
 r = self.client.post(url, data=payload)
 assert r.status_code == 403
+
+ def test_it_rejects_get(self):
+ url = "/checks/%s/timeout/" % self.check.code
+ self.client.login(username="alice@example.org", password="password")
+ r = self.client.get(url)
+ self.assertEqual(r.status_code, 400)
diff --git a/hc/front/views.py b/hc/front/views.py
index 86823174..50d6c52b 100644
--- a/hc/front/views.py
+++ b/hc/front/views.py
@@ -127,7 +127,8 @@ def about(request):
 @login_required
 def add_check(request):
- assert request.method == "POST"
+ if request.method != "POST":
+ return HttpResponseBadRequest()
 check = Check(user=request.team.user)
 check.save()
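Review bot: Returning 400 for a non-POST request in add_check is the wrong status for a method restriction, even though replacing `assert request.method == "POST"` is itself the right move (the assert was stripped under `python -O`, letting GET create checks, and otherwise surfaced as a 500). Django already provides this guard: `from django.views.decorators.http import require_POST` and `@require_POST` placed below `@login_required` returns 405 with an `Allow: POST` header, keeps the login redirect for anonymous requests, and removes the same four-line block repeated in the update_name, update_timeout, pause, remove_check and remove_channel hunks (the new tests would then assert 405). If the manual check is kept instead, the import of HttpResponseBadRequest is outside these hunks — confirm it is present in views.py's django.http import line.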
@@ -140,7 +141,8 @@ def add_check(request):
 @login_required
 @uuid_or_400
 def update_name(request, code):
- assert request.method == "POST"
+ if request.method != "POST":
+ return HttpResponseBadRequest()
 check = get_object_or_404(Check, code=code)
 if check.user_id != request.team.user.id:
@@ -158,7 +160,8 @@ def update_name(request, code):
 @login_required
 @uuid_or_400
 def update_timeout(request, code):
- assert request.method == "POST"
+ if request.method != "POST":
+ return HttpResponseBadRequest()
 check = get_object_or_404(Check, code=code)
 if check.user != request.team.user:
@@ -183,7 +186,8 @@ def update_timeout(request, code):
 @login_required
 @uuid_or_400
 def pause(request, code):
- assert request.method == "POST"
+ if request.method != "POST":
+ return HttpResponseBadRequest()
 check = get_object_or_404(Check, code=code)
 if check.user_id != request.team.user.id:
@@ -198,7 +202,8 @@ def pause(request, code):
 @login_required
 @uuid_or_400
 def remove_check(request, code):
- assert request.method == "POST"
+ if request.method != "POST":
+ return HttpResponseBadRequest()
 check = get_object_or_404(Check, code=code)
 if check.user != request.team.user:
@@ -318,7 +323,8 @@ def verify_email(request, code, token):
 @login_required
 @uuid_or_400
 def remove_channel(request, code):
- assert request.method == "POST"
+ if request.method != "POST":
+ return HttpResponseBadRequest()
 # user may refresh the page during POST and cause two deletion attempts
 channel = Channel.objects.filter(code=code).first()