diff options
| author | Andrew Nester <anestor@sugarcrm.com> | 2016-10-25 14:23:14 +0300 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-11-01 07:18:06 -0400 |
| commit | acacf54fa1371b6254bd32af2cc3ca4fb3b4832c (patch) | |
| tree | 7357e18ce09883a97dea5ced7e34d25168cef18f /tests | |
| parent | 157607cb6c8c5de4dba1aada97b21597e0a966e0 (diff) | |
[1.10.x] Fixed #27363 -- Replaced unsafe redirect in SessionMiddleware with SuspiciousOperation.
Backport of 1ce04bcce0076360623ae164afd3541a5c031af2 from master
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/sessions_tests/tests.py | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py index 480eb72c8f..d84d925945 100644 --- a/tests/sessions_tests/tests.py +++ b/tests/sessions_tests/tests.py @@ -25,7 +25,7 @@ from django.contrib.sessions.serializers import ( from django.core import management from django.core.cache import caches from django.core.cache.backends.base import InvalidCacheBackendError -from django.core.exceptions import ImproperlyConfigured +from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation from django.http import HttpResponse from django.test import ( RequestFactory, TestCase, ignore_warnings, override_settings, @@ -704,14 +704,15 @@ class SessionMiddlewareTests(TestCase): request.session.save(must_create=True) request.session.delete() - # Handle the response through the middleware. It will try to save the - # deleted session which will cause an UpdateError that's caught and - # results in a redirect to the original page. - response = middleware.process_response(request, response) - - # Check that the response is a redirect. - self.assertEqual(response.status_code, 302) - self.assertEqual(response['Location'], path) + msg = ( + "The request's session was deleted before the request completed. " + "The user may have logged out in a concurrent request, for example." + ) + with self.assertRaisesMessage(SuspiciousOperation, msg): + # Handle the response through the middleware. It will try to save + # the deleted session which will cause an UpdateError that's caught + # and raised as a SuspiciousOperation. + middleware.process_response(request, response) def test_session_delete_on_end(self): request = RequestFactory().get('/') |
