changeset 2266:3318504c5dd5

create tickets as fn(time, pagename, action, secret) - so they are not reusable, add tests for tickets
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 01 Jul 2007 00:08:51 +0200
parents a607b0329922
children 463f3de3f981
files MoinMoin/_tests/test_wikiutil.py MoinMoin/wikiutil.py
diffstat 2 files changed, 37 insertions(+), 1 deletions(-) [+]
--- a/MoinMoin/_tests/test_wikiutil.py	Sat Jun 30 21:09:33 2007 +0200
+++ b/MoinMoin/_tests/test_wikiutil.py	Sun Jul 01 00:08:51 2007 +0200
@@ -32,6 +32,27 @@
             assert wikiutil.parseQueryString(wikiutil.makeQueryString(in_unicode, want_unicode=True), want_unicode=True) == in_unicode
             assert wikiutil.parseQueryString(wikiutil.makeQueryString(in_str, want_unicode=True), want_unicode=True) == in_unicode
 
+class TestTickets:
+    def testTickets(self):
+        from MoinMoin.Page import Page
+        # page name with double quotes
+        self.request.page = Page(self.request, u'bla"bla')
+        ticket1 = wikiutil.createTicket(self.request)
+        assert wikiutil.checkTicket(self.request, ticket1)
+        # page name with non-ASCII chars
+        self.request.page = Page(self.request, u'\xc4rger')
+        ticket2 = wikiutil.createTicket(self.request)
+        assert wikiutil.checkTicket(self.request, ticket2)
+        # same page with another action
+        self.request.page = Page(self.request, u'\xc4rger')
+        self.request.action = 'another'
+        ticket3 = wikiutil.createTicket(self.request)
+        assert wikiutil.checkTicket(self.request, ticket3)
+
+        assert ticket1 != ticket2
+        assert ticket2 != ticket3
+
+
 class TestSystemPagesGroup:
     def testSystemPagesGroupNotEmpty(self):
         assert self.request.dicts.members('SystemPagesGroup')
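Review bot: The new `testTickets` only proves that a freshly created ticket validates against the request that produced it; it never asserts what the commit message claims, namely that a ticket is refused for a different page or action. After `self.request.action = 'another'`, adding `assert not wikiutil.checkTicket(self.request, ticket1)` and `assert not wikiutil.checkTicket(self.request, ticket2)` would pin that binding. This assumes checkTicket rebuilds the expected ticket from the current request, which is not visible in this diff. `assert ticket1 != ticket2` is a weaker stand-in, because unequal strings do not show that the wrong one is rejected. The test also leaves `self.request.page` and `self.request.action` modified, which may leak into later tests if the request object is shared.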
--- a/MoinMoin/wikiutil.py	Sat Jun 30 21:09:33 2007 +0200
+++ b/MoinMoin/wikiutil.py	Sun Jul 01 00:08:51 2007 +0200
@@ -1605,7 +1605,22 @@
 def createTicket(request, tm=None):
     """Create a ticket using a site-specific secret (the config)"""
     import sha
-    ticket = tm or "%010x" % time.time()
+    if tm is None:
+        tm = "%010x" % time.time()
+
+    # make the ticket specific to the page and action:
+    try:
+        pagename = quoteWikinameURL(request.page.page_name)
+    except:
+        pagename = 'None'
+
+    try:
+        action = request.action
+    except:
+        action = 'None'
+
+
+    ticket = "%s.%s.%s" % (tm, pagename, action)
     digest = sha.new()
     digest.update(ticket)