Use a safer POST for removepassword, adjust tests

3 years ago · dc1594b04f
parent f2fa638480
commit dc1594b04f
5 changed files with 130 additions and 27 deletions
--- a/changedetectionio/init.py
+++ b/changedetectionio/init.py
@ -610,16 +610,15 @@ def changedetection_app(config=None, datastore_o=None):
            form.notification_format.data = datastore.data['settings']['application']['notification_format']
            form.base_url.data = datastore.data['settings']['application']['base_url']

-            # Password unset is a GET, but we can lock the session to always need the password
-            if not os.getenv("SALTED_PASS", False) and request.values.get('removepassword') == 'yes':
-                from pathlib import Path
+        if request.method == 'POST' and form.data.get('removepassword_button') == True:
+            # Password unset is a GET, but we can lock the session to a salted env password to always need the password
+            if not os.getenv("SALTED_PASS", False):
                datastore.data['settings']['application']['password'] = False
                flash("Password protection removed.", 'notice')
                flask_login.logout_user()
                return redirect(url_for('settings_page'))

        if request.method == 'POST' and form.validate():
-
            datastore.data['settings']['application']['notification_urls'] = form.notification_urls.data
            datastore.data['settings']['requests']['minutes_between_check'] = form.minutes_between_check.data
            datastore.data['settings']['application']['extract_title_as_title'] = form.extract_title_as_title.data
--- a/changedetectionio/forms.py
+++ b/changedetectionio/forms.py
@ -353,3 +353,5 @@ class globalSettingsForm(commonSettingsForm):
    global_subtractive_selectors = StringListField('Remove elements', [ValidateCSSJSONXPATHInput(allow_xpath=False, allow_json=False)])
    global_ignore_text = StringListField('Ignore Text', [ValidateListRegex()])
    ignore_whitespace = BooleanField('Ignore whitespace')
+    save_button = SubmitField('Save', render_kw={"class": "pure-button pure-button-primary"})
+    removepassword_button = SubmitField('Remove password', render_kw={"class": "pure-button pure-button-primary"})
--- a/changedetectionio/poop.txt
+++ b/changedetectionio/poop.txt
@ -0,0 +1,91 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta name="description" content="Self hosted website change detection.">
+    <title>Change Detection</title>
+    <link rel="stylesheet" href="/static/styles/pure-min.css">
+    <link rel="stylesheet" href="/static/styles/styles.css">
+    
+    <style>
+    body::before {
+        background-image: url(/static/images/gradient-border.png);
+    }
+    </style>
+</head>
+
+<body>
+
+<div class="header">
+
+    <div class="home-menu pure-menu pure-menu-horizontal pure-menu-fixed" id="nav-menu">
+        
+            <a class="pure-menu-heading" href="/"><strong>Change</strong>Detection.io</a>
+        
+        
+        
+        
+
+        <ul class="pure-menu-list"  id="top-right-menu">
+        
+            
+            <li class="pure-menu-item">
+                <a href="/settings" class="pure-menu-link">SETTINGS</a>
+            </li>
+            <li class="pure-menu-item">
+                <a href="/import" class="pure-menu-link">IMPORT</a>
+            </li>
+            <li class="pure-menu-item">
+                <a href="/backup" class="pure-menu-link">BACKUP</a>
+            </li>
+            
+        
+
+        
+            <li class="pure-menu-item"><a class="github-link" href="https://github.com/dgtlmoon/changedetection.io">
+                <svg class="octicon octicon-mark-github v-align-middle" height="32" viewBox="0 0 16 16"
+                     version="1.1"
+                     width="32" aria-hidden="true">
+                    <path fill-rule="evenodd"
+                          d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"></path>
+                </svg>
+            </a></li>
+        </ul>
+    </div>
+</div>
+
+
+
+<section class="content">
+    <header>
+        
+    </header>
+
+    
+      
+    
+    
+<div class="login-form">
+ <div class="inner">
+    <form class="pure-form pure-form-stacked" action="/login" method="POST">
+        <fieldset>
+            <div class="pure-control-group">
+                <label for="password">Password</label>
+                <input type="password" id="password" required="" name="password" value=""
+                       size="15"/>
+                <input type="hidden" id="email" name="email" value="defaultuser@changedetection.io" />
+            </div>
+            <div class="pure-control-group">
+                <button type="submit" class="pure-button pure-button-primary">Login</button>
+            </div>
+        </fieldset>
+    </form>
+  </div>
+ </div>
+
+
+</section>
+
+</body>
+</html>
--- a/changedetectionio/templates/settings.html
+++ b/changedetectionio/templates/settings.html
@ -1,7 +1,7 @@
 {% extends 'base.html' %}

 {% block content %}
-{% from '_helpers.jinja' import render_field %}
+{% from '_helpers.jinja' import render_field, render_button %}
 {% from '_common_fields.jinja' import render_common_settings_form %}

 <script type="text/javascript" src="{{url_for('static_content', group='js', filename='settings.js')}}" defer></script>
@ -27,8 +27,7 @@
                    <div class="pure-control-group">
                        {% if not hide_remove_pass %}
                            {% if current_user.is_authenticated %}
-                            <a href="{{url_for('settings_page', removepassword='yes')}}"
-                               class="pure-button pure-button-primary">Remove password</a>
+                                {{ render_button(form.removepassword_button) }}
                            {% else %}
                            {{ render_field(form.password) }}
                            <span class="pure-form-message-inline">Password protection for your changedetection.io application.</span>
@ -114,11 +113,9 @@ nav

            <div id="actions">
                <div class="pure-control-group">
-                    <button type="submit" class="pure-button pure-button-primary">Save</button>
-                                           <a href="{{url_for('index')}}" class="pure-button button-small button-cancel">Back</a>
-                        <a href="{{url_for('scrub_page')}}" class="pure-button button-small button-cancel">Delete
-                            History
-                            Snapshot Data</a>
+                    {{ render_button(form.save_button) }}
+                    <a href="{{url_for('index')}}" class="pure-button button-small button-cancel">Back</a>
+                    <a href="{{url_for('scrub_page')}}" class="pure-button button-small button-cancel">Delete History Snapshot Data</a>
                </div>
            </div>
        </form>
--- a/changedetectionio/tests/test_access_control.py
+++ b/changedetectionio/tests/test_access_control.py
@ -4,8 +4,8 @@ from flask import url_for
 def test_check_access_control(app, client):
    # Still doesnt work, but this is closer.

-    with app.test_client() as c:
-        # Check we dont have any password protection enabled yet.
+    with app.test_client(use_cookies=True) as c:
+        # Check we don't have any password protection enabled yet.
        res = c.get(url_for("settings_page"))
        assert b"Remove password" not in res.data

@ -46,15 +46,20 @@ def test_check_access_control(app, client):
        assert b"BACKUP" in res.data
        assert b"IMPORT" in res.data
        assert b"LOG OUT" in res.data
+        assert b"minutes_between_check" in res.data
+        assert b"fetch_backend" in res.data

-        # Now remove the password so other tests function, @todo this should happen before each test automatically
-        res = c.get(url_for("settings_page", removepassword="yes"),
-              follow_redirects=True)
-        assert b"Password protection removed." in res.data
-
-        res = c.get(url_for("index"))
-        assert b"LOG OUT" not in res.data
-
+        res = c.post(
+            url_for("settings_page"),
+            data={
+                "minutes_between_check": 180,
+                "tag": "",
+                "headers": "",
+                "fetch_backend": "html_webdriver",
+                "removepassword_button": "Remove password"
+            },
+            follow_redirects=True,
+        )

 # There was a bug where saving the settings form would submit a blank password
 def test_check_access_control_no_blank_password(app, client):
@ -71,8 +76,7 @@ def test_check_access_control_no_blank_password(app, client):
            data={"password": "",
                  "minutes_between_check": 180,
                  'fetch_backend': "html_requests"},
-
-        follow_redirects=True
+            follow_redirects=True
        )

        assert b"Password protection enabled." not in res.data
@ -91,7 +95,8 @@ def test_check_access_no_remote_access_to_remove_password(app, client):
        # Enable password check.
        res = c.post(
            url_for("settings_page"),
-            data={"password": "password", "minutes_between_check": 180,
+            data={"password": "password",
+                  "minutes_between_check": 180,
                  'fetch_backend': "html_requests"},
            follow_redirects=True
        )
@ -99,8 +104,17 @@ def test_check_access_no_remote_access_to_remove_password(app, client):
        assert b"Password protection enabled." in res.data
        assert b"Login" in res.data

-        res = c.get(url_for("settings_page", removepassword="yes"),
-              follow_redirects=True)
+        res = c.post(
+            url_for("settings_page"),
+            data={
+                "minutes_between_check": 180,
+                "tag": "",
+                "headers": "",
+                "fetch_backend": "html_webdriver",
+                "removepassword_button": "Remove password"
+            },
+            follow_redirects=True,
+        )
        assert b"Password protection removed." not in res.data

        res = c.get(url_for("index"),