Multi-language / Translations Support (#3696) - Complete internationalization system implemented - Support for 7 languages: Czech (cs), German (de), French (fr), Italian (it), Korean (ko), Chinese Simplified (zh), Chinese Traditional (zh_TW) - Language selector with localized flags and theming - Flash message translations - Multiple translation fixes and improvements across all languages - Language setting preserved across redirects Pluggable Content Fetchers (#3653) - New architecture for extensible content fetcher system - Allows custom fetcher implementations Image / Screenshot Comparison Processor (#3680) - New processor for visual change detection (disabled for this release) - Supporting CSS/JS infrastructure added UI Improvements Design & Layout - Auto-generated tag color schemes - Simplified login form styling - Removed hard-coded CSS, moved to SCSS variables - Tag UI cleanup and improvements - Automatic tab wrapper functionality - Menu refactoring for better organization - Cleanup of offset settings - Hide sticky tabs on narrow viewports - Improved responsive layout (#3702) User Experience - Modal alerts/confirmations on delete/clear operations (#3693, #3598, #3382) - Auto-add https:// to URLs in quickwatch form if not present - Better redirect handling on login (#3699) - 'Recheck all' now returns to correct group/tag (#3673) - Language set redirect keeps hash fragment - More friendly human-readable text throughout UI Performance & Reliability Scheduler & Processing - Soft delays instead of blocking time.sleep() calls (#3710) - More resilient handling of same UUID being processed (#3700) - Better Puppeteer timeout handling - Improved Puppeteer shutdown/cleanup (#3692) - Requests cleanup now properly async History & Rendering - Faster server-side "difference" rendering on History page (#3442) - Show ignored/triggered rows in history - API: Retry watch data if watch dict changed (more reliable) API Improvements - Watch get endpoint: retry mechanism for 
changed watch data - WatchHistoryDiff API endpoint includes extra format args (#3703) Testing Improvements - Replace time.sleep with wait_for_notification_endpoint_output (#3716) - Test for mode switching (#3701) - Test for #3720 added (#3725) - Extract-text difference test fixes - Improved dev workflow Bug Fixes - Notification error text output (#3672, #3669, #3280) - HTML validation fixes (#3704) - Template discovery path fixes - Notification debug log now uses system locale for dates/times - Puppeteer spelling mistake in log output - Recalculation on anchor change - Queue bubble update disabled temporarily Dependency Updates - beautifulsoup4 updated (#3724) - psutil 7.1.0 → 7.2.1 (#3723) - python-engineio ~=4.12.3 → ~=4.13.0 (#3707) - python-socketio ~=5.14.3 → ~=5.16.0 (#3706) - flask-socketio ~=5.5.1 → ~=5.6.0 (#3691) - brotli ~=1.1 → ~=1.2 (#3687) - lxml updated (#3590) - pytest ~=7.2 → ~=9.0 (#3676) - jsonschema ~=4.0 → ~=4.25 (#3618) - pluggy ~=1.5 → ~=1.6 (#3616) - cryptography 44.0.1 → 46.0.3 (security) (#3589) Documentation - README updated with viewport size setup information Development Infrastructure - Dev container only built on dev branch - Improved dev workflow tooling
from .util import live_server_setup, wait_for_all_checks
from flask import url_for
import time
def test_check_access_control(app, client, live_server, measure_memory_usage, datastore_path):
    """Walk the password-protection lifecycle and the shared diff-access switch.

    The steps run in order against one cookie-keeping test client, and each
    one depends on the server state left behind by the previous one:

      1. Confirm no password is set, import one watch and let it be checked.
      2. Set a password with ``shared_diff_access`` on: the watch list asks
         for a login, while the diff page and static assets stay reachable.
      3. A wrong password is refused; the right one logs in.
      4. Saving settings without a password field must leave the password
         set (issue 598).
      5. The "Remove password" button removes protection, and a blank
         password does not enable it.
      6. Set the password again with ``shared_diff_access`` off: a screenshot
         request answers 403 and the diff page no longer shows the watched
         content.
    """

    def submit_settings(http, form):
        # All settings POSTs here follow redirects; the assertions read the page reached afterwards.
        return http.post(url_for("settings.settings_page"), data=form, follow_redirects=True)

    def attempt_login(http, password):
        # Only a password is posted; the login form in this test carries no username field.
        return http.post(url_for("login"), data={"password": password}, follow_redirects=True)

    # NOTE: the original author marked this test "Still doesnt work, but this is closer."
    # live_server_setup(live_server) is deliberately not called; per the original comment
    # the setup is done in conftest, once per test function.
    with app.test_client(use_cookies=True) as browser:
        # ---- 1. Baseline: no password protection is enabled yet ----
        page = browser.get(url_for("settings.settings_page"))
        assert b"Remove password" not in page.data

        # Import one watch so that a diff page exists to request later.
        import_url = url_for("imports.import_page")
        import_form = {"urls": url_for('test_random_content_endpoint', _external=True)}
        page = browser.post(import_url, data=import_form, follow_redirects=True)
        assert b"1 Imported" in page.data

        # Original author's note: causes a 'Popped wrong request context.' error
        # when client. is accessed?
        wait_for_all_checks(client)

        page = browser.get(url_for("ui.form_watch_checknow"), follow_redirects=True)
        assert b'Queued 1 watch for rechecking.' in page.data
        wait_for_all_checks(client)

        # ---- 2. Password on, diff page shared with anonymous visitors ----
        page = submit_settings(browser, {
            "application-password": "foobar",
            "application-shared_diff_access": "True",
            "requests-time_between_check-minutes": 180,
            'application-fetch_backend': "html_requests",
        })
        assert b"Password protection enabled." in page.data

        # The watch list must now lead to the login form (we are logged out).
        page = browser.get(url_for("watchlist.index"), follow_redirects=True)
        assert b"Login" in page.data

        # With sharing enabled, the diff page still renders for a logged-out client.
        page = browser.get(url_for("ui.ui_diff.diff_history_page", uuid="first"))
        assert b'Random content' in page.data

        # Static assets are served without a session (check_authentication);
        # an unknown asset is a plain 404.
        asset_expectations = (
            ('js', 'jquery-3.6.0.min.js', 200),
            ('styles', 'styles.css', 200),
            ('styles', '404-testetest.css', 404),
        )
        for asset_group, asset_name, expected_status in asset_expectations:
            page = browser.get(url_for('static_content', group=asset_group, filename=asset_name))
            assert page.status_code == expected_status

        # Screenshot access is governed by 'shared_diff_access'. The file requested
        # here does not exist, so 404 shows the request was not refused with 403;
        # it does not show that an existing screenshot would be served.
        screenshot_url = url_for(
            'static_content',
            group='screenshot',
            filename='random-uuid-that-will-404.png',
            _external=True,
        )
        page = browser.get(screenshot_url)
        assert page.status_code == 404

        # ---- 3. Login handling ----
        # A wrong password must not create a session.
        page = attempt_login(browser, "WRONG PASSWORD")
        assert b"LOG OUT" not in page.data
        assert b"Incorrect password" in page.data

        # Disabled in the original ("Menu should not be available yet"):
        # assert b"SETTINGS" not in page.data
        # assert b"BACKUP" not in page.data
        # assert b"IMPORT" not in page.data

        # defaultuser@changedetection.io is actually hardcoded for now; only a
        # single password is used.
        page = attempt_login(browser, "foobar")
        assert b"LOG OUT" in page.data

        # ---- 4. Issue 598: saving settings without a password field must not remove the password ----
        # The response of this POST is not inspected; the logout and login-required
        # checks that follow are what demonstrate the password is still set.
        submit_settings(browser, {
            "requests-time_between_check-minutes": 180,
            'application-fetch_backend': "html_requests",
        })

        page = browser.get(url_for("logout"), follow_redirects=True)
        assert b"Login" in page.data

        page = browser.get(url_for("settings.settings_page"), follow_redirects=True)
        assert b"Login" in page.data

        page = browser.get(url_for("login"))
        assert b"Login" in page.data

        page = attempt_login(browser, "foobar")
        assert b"LOG OUT" in page.data

        # Once logged in, the settings page shows the menu entries and the form fields.
        page = browser.get(url_for("settings.settings_page"))
        logged_in_markers = (
            b"SETTINGS",
            b"BACKUP",
            b"IMPORT",
            b"LOG OUT",
            b"time_between_check-minutes",
            b"fetch_backend",
        )
        for marker in logged_in_markers:
            assert marker in page.data

        # ---- 5. "Remove password" button, then a blank password ----
        page = submit_settings(browser, {
            "requests-time_between_check-minutes": 180,
            "application-fetch_backend": "html_webdriver",
            "application-removepassword_button": "Remove password",
        })
        assert b"Password protection removed." in page.data
        assert b"LOG OUT" not in page.data

        # An empty password must not switch protection on.
        page = submit_settings(browser, {
            "application-password": "",
            "requests-time_between_check-minutes": 180,
            'application-fetch_backend': "html_requests",
        })
        assert b"Password protection enabled" not in page.data

        # ---- 6. Password on, diff sharing off ----
        page = submit_settings(browser, {
            "application-password": "foobar",
            # Empty value: shared diff access should be disabled.
            "application-shared_diff_access": "",
            "requests-time_between_check-minutes": 180,
            'application-fetch_backend': "html_requests",
        })
        assert b"Password protection enabled." in page.data

        page = browser.get(url_for("watchlist.index"), follow_redirects=True)
        assert b"Login" in page.data

        # With sharing off, a screenshot request is refused with 403 rather than
        # falling through to a file lookup.
        page = browser.get(
            url_for('static_content', group='screenshot', filename='random-uuid-that-will-403.png')
        )
        assert page.status_code == 403

        # The diff page must no longer expose the watched content to a logged-out client.
        # NOTE(review): a "not in" check passes for any response that lacks the marker,
        # including an error page; pinning the status code or the redirect to the login
        # page would make it stricter -- confirm what the view returns before adding that.
        page = browser.get(url_for("ui.ui_diff.diff_history_page", uuid="first"))
        assert b'Random content' not in page.data