diff --git a/hc/front/tests/test_add_channel.py b/hc/front/tests/test_add_channel.py
index 90781732..3944fb54 100644
--- a/hc/front/tests/test_add_channel.py
+++ b/hc/front/tests/test_add_channel.py
@@ -39,3 +39,40 @@ class AddChannelTestCase(TestCase):
 url = "/integrations/add_%s/" % frag
 r = self.client.get(url)
 self.assertContains(r, "Integration Settings", status_code=200)
+
+ def test_it_adds_pushover_channel(self):
+ self.client.login(username="alice", password="password")
+
+ session = self.client.session
+ session["po_nonce"] = "n"
+ session.save()
+
+ params = "pushover_user_key=a&nonce=n&prio=0"
+ r = self.client.get("/integrations/add_pushover/?%s" % params)
+ assert r.status_code == 302
+
+ channels = list(Channel.objects.all())
+ assert len(channels) == 1
+ assert channels[0].value == "a|0"
+
+ def test_it_validates_pushover_priority(self):
+ self.client.login(username="alice", password="password")
+
+ session = self.client.session
+ session["po_nonce"] = "n"
+ session.save()
+
+ params = "pushover_user_key=a&nonce=n&prio=abc"
+ r = self.client.get("/integrations/add_pushover/?%s" % params)
+ assert r.status_code == 400
+
+ def test_it_validates_pushover_nonce(self):
+ self.client.login(username="alice", password="password")
+
+ session = self.client.session
+ session["po_nonce"] = "n"
+ session.save()
+
+ params = "pushover_user_key=a&nonce=INVALID&prio=0"
+ r = self.client.get("/integrations/add_pushover/?%s" % params)
+ assert r.status_code == 403
diff --git a/hc/front/views.py b/hc/front/views.py
index 8edbb8f3..14eb8df1 100644
--- a/hc/front/views.py
+++ b/hc/front/views.py
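Review bot: The new 400 branch for a missing `nonce` or `prio` parameter has no test here; the nonce and priority tests only cover the 403-on-mismatch and 400-on-bad-value paths, so a fourth case such as `params = "pushover_user_key=a&prio=0"` asserting `r.status_code == 400` would pin it. Since the view deletes `po_nonce` from the session once the request is accepted, a test that repeats the successful GET with the same `nonce=n` and asserts 403 would document that the nonce is single-use rather than leaving that replay property implicit. The three methods repeat the login-and-seed-nonce setup verbatim; a small helper such as `_set_nonce(self, nonce)` or moving it into `setUp` (outside this hunk, as is the class header) would keep them in step. They also use bare `assert` inside a `TestCase`, forgoing the failure messages of `self.assertEqual`, which the surrounding class appears to use (`assertContains` on the context line).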
@@ -350,13 +350,22 @@ def add_pushover(request):
 return redirect(subscription_url)
 # Handle successful subscriptions
- if "pushover_user_key" in request.GET and "nonce" in request.GET and "prio" in request.GET:
+ if "pushover_user_key" in request.GET:
+ if "nonce" not in request.GET or "prio" not in request.GET:
+ return HttpResponseBadRequest()
+
 # Validate nonce
- if request.GET["nonce"] != request.session.get("po_nonce", None):
+ if request.GET["nonce"] != request.session.get("po_nonce"):
 return HttpResponseForbidden()
+
+ # Validate priority
+ if request.GET["prio"] not in ("-2", "-1", "0", "1", "2"):
+ return HttpResponseBadRequest()
+
+ # All looks well--
 del request.session["po_nonce"]
- if request.GET.get("pushover_unsubscribed", "0") == "1":
+ if request.GET.get("pushover_unsubscribed") == "1":
 # Unsubscription: delete all Pushover channels for this user
 Channel.objects.filter(user=request.user, kind="po").delete()
 return redirect("hc-channels")
@@ -370,7 +379,7 @@ def add_pushover(request):
 "value": "%s|%d" % (user_key, priority),
 })
- # Integration Settings form
+ # Show Integration Settings form
 ctx = {
 "page": "channels",
 "po_retry_delay": td(seconds=settings.PUSHOVER_EMERGENCY_RETRY_DELAY),
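Review bot: `pushover_user_key` is the one request parameter this hunk still accepts unchecked: `nonce` and `prio` are now validated, but the user key (presumably read from `request.GET` further down, outside the hunk) ends up in `"%s|%d" % (user_key, priority)` in the next hunk with no format check, so a value containing `|` or of arbitrary length is persisted as-is and becomes ambiguous to anything that later splits the stored value on the separator. A whitelist in the same style as the new priority check — for example `if not re.fullmatch(r"[A-Za-z0-9]+", request.GET["pushover_user_key"]): return HttpResponseBadRequest()` placed next to it — would close that gap. The `request.GET["nonce"] !=` comparison is a plain string inequality; since the nonce is the only thing binding this callback to the session that initiated it, `if not hmac.compare_digest(request.GET["nonce"], request.session.get("po_nonce", "")):` is the conventional form, and the `""` default also keeps the comparison well-typed when no nonce was ever set. The enclosing `add_pushover` starts and ends outside this hunk.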