I'm testing a Flask application that uses Flask-Principal for role-based permissions and also granular resource protection. I'm not sure how to handle setting the identity in POST requests. I'm using the testing strategy outlined in this other Flask-Principal post. I'm using the query string method for GET requests, and in POST requests I changed query_string to headers. The GET requests pass, but all the POST requests fail with permission denied.
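
    def test_admin(self):
        # No identity supplied: the request is denied.
        r = self.client.get('/admin')
        self.assertEqual(r.status_code, 403)

        # Identity "member" is passed in the query string: still denied.
        r = self.client.get('/admin', query_string={'idname': "member"})
        self.assertEqual(r.status_code, 403)

        # Identity "admin" is passed in the query string: allowed.
        r = self.client.get('/admin', query_string={'idname': "admin"})
        self.assertEqual(r.status_code, 200)
        self.assertEqual(r.data, "OK")
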
Any help or insight would be appreciated. I think part of my problem is a lack of understanding as to how and where the identity is being set.