Test security of widget

jrwagz · Jan 29, 2014 · a284841 · a284841
1 parent 4e4a993
commit a284841
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/autocomplete_light/tests/widgets.py b/autocomplete_light/tests/widgets.py
@@ -1,26 +1,26 @@
-import re
-import unittest
-
-from lxml import etree
+from lxml.html import etree
 from lxml.cssselect import CSSSelector
 
 try:
     from unittest import mock
 except ImportError:  # python2
     import mock
 
-from django import template
+from django.test import TestCase
+
 import autocomplete_light
 
 from ..example_apps.basic.models import FkModel
+from ..example_apps.security_test.models import Item
 
 
 class LazyAutocomplete(autocomplete_light.AutocompleteModelBase):
     pass
 
 
-class WidgetBaseTestCase(unittest.TestCase):
+class WidgetBaseTestCase(TestCase):
     widget_class = autocomplete_light.WidgetBase
+    fixtures = ['security_test.json']
 
     def autocomplete_input(self, et):
         return CSSSelector('input.autocomplete')(et)[0]
@@ -152,6 +152,17 @@ def test_lazy_autcomplete_access(self):
             self.fail('widget.autocomplete access should not raise '
                       'AutocompleteNotRegistered')
 
+    def test_value_out_of_queryset(self):
+        widget = self.widget_class('ItemAutocomplete')
+        html = widget.render('somewidget', [1, 2])
+        span = etree.fromstring(html)
+
+        choices = CSSSelector('[data-value]')(span)
+
+        self.assertEqual(len(choices), 1)
+        self.assertEqual(int(choices[0].attrib['data-value']), 1)
+
+
 class ChoiceWidgetTestCase(WidgetBaseTestCase):
     widget_class = autocomplete_light.ChoiceWidget
 
@@ -180,3 +191,6 @@ def test_autocomplete_widget_template(self):
 
     def test_widget_attrs(self):
         pass  # no widget_attrs for TextWidget
+
+    def test_value_out_of_queryset(self):
+        pass  # no queryset for text widget