One security test is not working when bwcompat is True
With this #435 (closed), I spotted that this test: https://forge.extranet.logilab.fr/cubicweb/cubicweb/-/blob/branch/default/cubicweb/web/test/unittest_views_basecontrollers.py#L1245 is not working with cubicweb.bwcompat = True
Traceback (most recent call last):
  File "/home/fferry/src/projets/cubicweb/cubicweb/pyramid/bwcompat.py", line 344, in __call__
    response = self.handler(request)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/pyramid/router.py", line 148, in handle_request
    registry, request, context, context_iface, view_name
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/pyramid/view.py", line 683, in _call_view
    response = view_callable(context, request)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/pyramid/config/views.py", line 169, in __call__
    return view(context, request)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/pyramid/config/views.py", line 188, in attr_view
    return view(context, request)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/pyramid/config/views.py", line 214, in predicate_wrapper
    return view(context, request)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/pyramid/viewderivers.py", line 513, in csrf_view
    check_csrf_token(request, token, header, raises=True)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/pyramid/csrf.py", line 240, in check_csrf_token
    raise BadCSRFToken('check_csrf_token(): Invalid token')
pyramid.exceptions.BadCSRFToken: check_csrf_token(): Invalid token
Error
Traceback (most recent call last):
  File "/usr/lib/python3.7/unittest/case.py", line 59, in testPartExecutor
    yield
  File "/usr/lib/python3.7/unittest/case.py", line 615, in run
    testMethod()
  File "/home/fferry/src/projets/cubicweb/cubicweb/web/test/unittest_views_basecontrollers.py", line 1246, in test_http_error_codes_auth_succeed
    url, params={}, do_not_grab_the_crsf_token=True, status=303
  File "/home/fferry/src/projets/cubicweb/cubicweb/pyramid/test/__init__.py", line 57, in post
    return super().post(route, params, **kwargs)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/webtest/app.py", line 372, in post
    content_type=content_type)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/webtest/app.py", line 750, in _gen_request
    expect_errors=expect_errors)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/webtest/app.py", line 646, in do_request
    self._check_status(status, res)
  File "/home/fferry/src/projets/venv-cubicweb37/lib/python3.7/site-packages/webtest/app.py", line 681, in _check_status
    "Bad response: %s (not %s)\n%s", res_status, status, res)
webtest.app.AppError: Bad response: 400 Bad CSRF Token (not 303)
400 Bad CSRF Token
Access is denied. This server can not verify that your cross-site request forgery token belongs to your login session. Either you supplied the wrong cross-site request forgery token or your session no longer exists. This may be due to session timeout or because browser is not supplying the credentials required, as can happen when the browser has cookies turned off.
check_csrf_token(): Invalid token
Ran 1 test in 0.851s
FAILED (errors=1)
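Added example, not code from cubicweb or Pyramid: a stand-alone, stdlib-only WSGI app that mirrors the check Pyramid's csrf_view deriver performs in the traceback above (token taken from the X-CSRF-Token header, else from the csrf_token form field, compared in constant time against the token stored in the login session, 400 Bad CSRF Token on mismatch, otherwise the view's own 303). It reproduces the 400-instead-of-303 outcome of a POST sent without the token, which is what do_not_grab_the_crsf_token=True in the failing test does. The in-memory SESSIONS store, the session cookie name and the helper names request and reproduce are assumptions of this example, and it does not claim anything about how cubicweb's bwcompat handler should behave.

```python
"""Pyramid-style CSRF enforcement reproduced with the standard library only (example, not project code)."""
import hmac
import secrets
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs, urlencode


class BadCSRFToken(Exception):
    """Raised when the submitted token does not match the session's token (mirrors pyramid.exceptions.BadCSRFToken)."""


# Constructed in-memory session store: session id (cookie value) -> session dict.  Assumption of this example.
SESSIONS = {}


def get_or_create_session(environ):
    """Look up the session named by the 'session' cookie, or start a fresh one with a new random token."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookies["session"].value if "session" in cookies else None
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {"csrf_token": secrets.token_hex(20)}
    return sid, SESSIONS[sid]


def read_form(environ):
    """Parse an application/x-www-form-urlencoded body into a flat dict (first value per field)."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    return {k: v[0] for k, v in parse_qs(body).items()}


def check_csrf_token(environ, session, form, token="csrf_token", header="X-CSRF-Token"):
    """Header first, then form field; constant-time comparison; raise on any mismatch, as Pyramid does with raises=True."""
    supplied = environ.get("HTTP_" + header.upper().replace("-", "_"), "") or form.get(token, "")
    expected = session["csrf_token"]
    if not supplied or not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise BadCSRFToken("check_csrf_token(): Invalid token")


def app(environ, start_response):
    """GET hands out the session token (like a page embedding it); POST is CSRF-checked, then redirects with 303."""
    sid, session = get_or_create_session(environ)
    headers = [("Set-Cookie", f"session={sid}; HttpOnly; SameSite=Lax")]
    if environ["REQUEST_METHOD"] == "GET":
        start_response("200 OK", headers + [("Content-Type", "text/plain")])
        return [session["csrf_token"].encode()]
    try:
        check_csrf_token(environ, session, read_form(environ))
    except BadCSRFToken as exc:
        start_response("400 Bad CSRF Token", headers + [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("303 See Other", headers + [("Location", "/")])
    return [b""]


def request(method, cookie=None, form=None, header_token=None):
    """Drive the app with a hand-built WSGI environ (constructed input); returns (status, headers dict, body text)."""
    body = urlencode(form or {}).encode()
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": "/",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    if cookie:
        environ["HTTP_COOKIE"] = f"session={cookie}"
    if header_token:
        environ["HTTP_X_CSRF_TOKEN"] = header_token
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = response_headers

    out = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), out.decode()


def reproduce():
    """Grab a session and its token, then POST in the four ways that matter; returns the status line of each."""
    _, hdrs, token = request("GET")
    sid = SimpleCookie(hdrs["Set-Cookie"])["session"].value
    return {
        # The failing test's situation: authenticated session, but no token submitted.
        "no_token": request("POST", cookie=sid)[0],
        "form_token": request("POST", cookie=sid, form={"csrf_token": token})[0],
        "header_token": request("POST", cookie=sid, header_token=token)[0],
        # A valid-looking token replayed without the matching session cookie is still rejected.
        "wrong_session": request("POST", cookie=None, form={"csrf_token": token})[0],
    }


if __name__ == "__main__":
    for case, status in reproduce().items():
        print(f"{case:14s} -> {status}")
```

The first case is the one the traceback shows: the session exists and the user is authenticated, but because nothing in the request carries the token, the check fails before the view runs and the client sees 400 rather than the view's 303. The last case is why the token is bound to the session rather than being a fixed secret: knowing a token from another session does not get an attacker past the check.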