From aa5d19c5e5de54224b0e9641d847ba31698208a0 Mon Sep 17 00:00:00 2001 From: bronsen <kontakt+gitcommit@nrrd.de> Date: Sat, 15 Mar 2025 22:26:36 +0100 Subject: [PATCH] [collector] ensure endpoint only accepts POST requests --- collector/tests.py | 20 ++++++++++++++++++++ collector/views.py | 2 ++ 2 files changed, 22 insertions(+) diff --git a/collector/tests.py b/collector/tests.py index 3a97ee6..c23355f 100644 --- a/collector/tests.py +++ b/collector/tests.py @@ -7,6 +7,7 @@ from .models import Teil names = st.text(alphabet=st.characters(exclude_categories=["C"]), min_size=1) + @given(data=names) def test_submitted_data_ends_up_in_database(data, session: Client): with pytest.raises(Teil.DoesNotExist): @@ -29,3 +30,22 @@ def test_entering_same_name_twice_does_not_change_database_entry(data, session: assert response.status_code == 302 assert Teil.objects.filter(name=data).count() == 1 + +@pytest.mark.parametrize( + "http_method,expected_status", + [ + ("GET", 405), + ("PATCH", 405), + ("POST", 302), + ("PUT", 405), + ], +) +def test_enter_endpoint_accepts_only_post_requests( + client: Client, http_method: str, expected_status: int, random_name +): + request_method = getattr(client, http_method.lower()) + + response = request_method( + reverse("collector:enter"), data={"new_name": random_name(8)} + ) + assert response.status_code == expected_status diff --git a/collector/views.py b/collector/views.py index 13d7a09..5e25b6b 100644 --- a/collector/views.py +++ b/collector/views.py @@ -6,6 +6,7 @@ from django.db.models import QuerySet from django.http import HttpRequest, HttpResponse, HttpResponseRedirect from django.urls import reverse from django.views import generic +from django.views.decorators.http import require_http_methods from .models import Teil @@ -44,6 +45,7 @@ class DetailView(generic.DetailView): return context +@require_http_methods(["POST"]) def enter(request: HttpRequest) -> HttpResponse: try: with transaction.atomic():
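Review bot: The parametrize list in test_enter_endpoint_accepts_only_post_requests covers GET, PATCH, POST and PUT but leaves out DELETE, HEAD and OPTIONS, which `require_http_methods(["POST"])` rejects as well, so the test does not pin the full allow-list it is meant to guard. Adding `("DELETE", 405), ("HEAD", 405), ("OPTIONS", 405),` to the list closes that gap, and the 405 cases could additionally assert the `Allow` header Django sets on HttpResponseNotAllowed (`assert response["Allow"] == "POST"`). The `random_name` fixture and the DB access the POST case needs are defined outside this diff; if the `client` fixture does not carry database access in this project's conftest, the POST case would also need `@pytest.mark.django_db`.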
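Review bot: Style point on the new import in collector/views.py: `django.views.decorators.http` also exports `require_POST`, the dedicated shortcut for a single-method allow-list, so `from django.views.decorators.http import require_POST` with `@require_POST` on the view reads the intent more directly than `require_http_methods(["POST"])`. The hunk that applies the decorator to `enter` is cut off at the end of this view, so the rest of that view body could not be reviewed here.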