Flask disable CSRF in unittest

Problem description

In my project's __init__.py I have this:

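from flask import Flask
from flask_sqlalchemy import SQLAlchemy
from flask_wtf.csrf import CsrfProtect

app = Flask(__name__)
app.config.from_object('config')
CsrfProtect(app)
db = SQLAlchemy(app)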

My development config file looks like:

import os
basedir = os.path.abspath(os.path.dirname(__file__))

DEBUG = True
WTF_CSRF_ENABLED = True
SECRET_KEY = 'supersecretkey'
SQLALCHEMY_DATABASE_URI = 'sqlite:///' + os.path.join(basedir, 'project.db')
SQLALCHEMY_TRACK_MODIFICATIONS = False

And in my unittest setUp I have this:

import unittest

from project import app, db

class ExampleTest(unittest.TestCase):
    def setUp(self):
        app.config['TESTING'] = True
        app.config['WTF_CSRF_ENABLED'] = False
        app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite://'
        self.app = app.test_client()
        db.create_all()

In theory, setting WTF_CSRF_ENABLED to False here should prevent CSRF for the unit tests, however I'm still getting CSRF errors if I do a POST while unit testing. I think it is because I have already called CsrfProtect(app) while WTF_CSRF_ENABLED is True (when I import app, it is called). If I set WTF_CSRF_ENABLED = False in the config file, it works as expected.

Is there any way I can disable CSRF after it has already been enabled? Or am I barking up the wrong tree here?

Recommended answer

Looking at the code for csrf_protect, it checks app.config['WTF_CSRF_METHODS'] every time a request comes in to see if this request type should be CSRF protected. By default the protected methods are:

app.config.setdefault('WTF_CSRF_METHODS', ['POST', 'PUT', 'PATCH'])

Because it actually checks the app.config every time, simply changing this to an empty list in my unit tests setUp resolves the issue:

import unittest

from project import app, db

class ExampleTest(unittest.TestCase):
    def setUp(self):
        app.config['TESTING'] = True
        app.config['WTF_CSRF_METHODS'] = []  # This is the magic
        app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite://'
        self.app = app.test_client()
        db.create_all()

Alternatively, it does register the csrf protection with app.before_request(), so I think it may be possible to unregister it by modifying the before request functions. But I think going that route would be more likely to see problems on future updates.
