Add a testcase which checks all URLs that they are not accessible for non-logged in users

basxsoftwareassociation / bread

Engine to create database applications based on Django and the IBM Carbon Design System

BSD 3-Clause "New" or "Revised" License

19 stars 2 forks source link

Add a testcase which checks all URLs that they are not accessible for non-logged in users #90

Closed saemideluxe closed 2 years ago

saemideluxe commented 2 years ago

Reasoning: Because almost all pages/views in bread projects are no public, we want to make sure that there are no pages which are accidentally accessible by anonymous users.

Concep:

Get a list of all urlpatterns of the current django configuration
For each URL:
- Try to generate a valid URL (sometimes a stub value needs to be inserted into the URL
- Access the URL via the test client (see https://docs.djangoproject.com/en/dev/topics/testing/tools/)
- Make sure the response is HTTP FORBIDDEN (except for login and passwort-reset views)

There is already an existing test-directory in the project.

saemideluxe commented 2 years ago

I think this will take some time to implement.
The implementation should happen inside bread
In order to test it with many URLs the test should be run from the basxconnect_demo project. (with ./manage.py test bread)

dward2nd commented 2 years ago

Sorry, I closed the wrong one.

dward2nd commented 2 years ago

The current progress of this issue can be seen in the feature/administrationmenu repo. Currently, the method to check the visibility isn't guaranteed to be the optimal one so far. The TestCase was made to check a selected amount of views. Those urlpatterns outside bread (especially basxconnect) are currently ignored.

dward2nd commented 2 years ago

Done in #98