APPRISE_CONFIG_LOCK switch added for extra security (#57)

apprise_api/api/tests/test_add.py

@@ -25,6 +25,7 @@
 from django.test import SimpleTestCase
 from apprise import ConfigFormat
 from unittest.mock import patch
+from django.test.utils import override_settings
 from ..forms import AUTO_DETECT_CONFIG_KEYWORD
 import json
 
@@ -38,6 +39,19 @@ class AddTests(SimpleTestCase):
         response = self.client.get('/add/**invalid-key**')
         assert response.status_code == 404
 
+    @override_settings(APPRISE_CONFIG_LOCK=True)
+    def test_save_config_by_urls_with_lock(self):
+        """
+        Test adding a configuration by URLs with lock set won't work
+        """
+        # our key to use
+        key = 'test_save_config_by_urls_with_lock'
+
+        # We simply do not have permission to do so
+        response = self.client.post(
+            '/add/{}'.format(key), {'urls': 'mailto://user:pass@yahoo.ca'})
+        assert response.status_code == 403
+
     def test_save_config_by_urls(self):
         """
         Test adding an configuration by URLs
@@ -99,6 +113,22 @@ class AddTests(SimpleTestCase):
         )
         assert response.status_code == 200
 
+        # Test with JSON (and no payload provided)
+        response = self.client.post(
+            '/add/{}'.format(key),
+            data=json.dumps({}),
+            content_type='application/json',
+        )
+        assert response.status_code == 400
+
+        # Test with XML which simply isn't supported
+        response = self.client.post(
+            '/add/{}'.format(key),
+            data='<urls><url>mailto://user:pass@yahoo.ca</url></urls>',
+            content_type='application/xml',
+        )
+        assert response.status_code == 400
+
         # Invalid JSON
         response = self.client.post(
             '/add/{}'.format(key),

apprise_api/api/tests/test_del.py

@@ -23,6 +23,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
 from django.test import SimpleTestCase
+from django.test.utils import override_settings
 from unittest.mock import patch
 
 
@@ -35,6 +36,18 @@ class DelTests(SimpleTestCase):
         response = self.client.get('/del/**invalid-key**')
         assert response.status_code == 404
 
+    @override_settings(APPRISE_CONFIG_LOCK=True)
+    def test_del_with_lock(self):
+        """
+        Test deleting a configuration by URLs with lock set won't work
+        """
+        # our key to use
+        key = 'test_delete_with_lock'
+
+        # We simply do not have permission to do so
+        response = self.client.post('/del/{}'.format(key))
+        assert response.status_code == 403
+
     def test_del_post(self):
         """
         Test DEL POST

apprise_api/api/tests/test_json_urls.py

@@ -23,6 +23,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
 from django.test import SimpleTestCase
+from django.test.utils import override_settings
 from unittest.mock import patch
 
 
@@ -110,6 +111,23 @@ class JsonUrlsTests(SimpleTestCase):
         assert 'tags' in response.json()['urls'][0]
         assert len(response.json()['urls'][0]['tags']) == 0
 
+        # We can see that th URLs are not the same when the privacy flag is set
+        without_privacy = \
+            self.client.get('/json/urls/{}?privacy=1'.format(key))
+        with_privacy = self.client.get('/json/urls/{}'.format(key))
+        assert with_privacy.json()['urls'][0] != \
+            without_privacy.json()['urls'][0]
+
+        with override_settings(APPRISE_CONFIG_LOCK=True):
+            # When our configuration lock is set, our result set enforces the
+            # privacy flag even if it was otherwise set:
+            with_privacy = \
+                self.client.get('/json/urls/{}?privacy=1'.format(key))
+
+            # But now they're the same under this new condition
+            assert with_privacy.json()['urls'][0] == \
+                without_privacy.json()['urls'][0]
+
         # Add a YAML file
         response = self.client.post(
             '/add/{}'.format(key), {

apprise_api/api/tests/test_stateful_notify.py

@@ -23,6 +23,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
 from django.test import SimpleTestCase
+from django.test.utils import override_settings
 from unittest.mock import patch
 from ..forms import NotifyForm
 from ..utils import ConfigCache
@@ -36,6 +37,20 @@ class StatefulNotifyTests(SimpleTestCase):
     Test stateless notifications
     """
 
+    @override_settings(APPRISE_CONFIG_LOCK=True)
+    def test_stateful_configuration_with_lock(self):
+        """
+        Test the retrieval of configuration when the lock is set
+        """
+        # our key to use
+        key = 'test_stateful_with_lock'
+
+        # It doesn't matter if there is or isn't any configuration; when this
+        # flag is set. All that overhead is skipped and we're denied access
+        # right off the bat
+        response = self.client.post('/get/{}'.format(key))
+        assert response.status_code == 403
+
     @patch('apprise.Apprise.notify')
     def test_stateful_configuration_io(self, mock_notify):
         """