* brett/itsdangerous:
Call is_updated instead of testing it boolean.
Harden It's Dangerous key management.
First tests for the Session class.
Set a starting value for session.send_new_cookie.
Remove beaker stuff from the code.
Delete the session cookie on an empty session.
Back sessions with It's Dangerous.
Improve fs security for itsdangerous secret.
Docs for get_timed_signer_url.
Basic itsdangerous infrastructure.
Conflicts:
mediagoblin/tests/test_cache.py
When using tempfile.* in testing, those files get created
in the system tempdir. The docs say, we should try to
remove them.
Yes, the next reboot will clean them up also.
And in the workbench case, check after each test, that the
global workbench dir is empty (so the sub-workbcnhes have
been destroyed).
* cwebber/254_delete_queue_directories:
Removing docstring bit about delete_file possibly deleting directories in the future
Convert media processing backends to delete the queue directory (#254)
Implement delete_dir in the FileStorage
Conflicts:
mediagoblin/media_types/image/processing.py
mediagoblin/media_types/video/processing.py
Conflicts, because those media_types already use the newer
proc_state.delete_queue_file() method (which needs
updating.
If you give "-n 8" to runtests, it thinks, it got
"-n" -- a nice option, ignored.
"8" -- Oh! a single test named "8" to run, so no need to
run all the GMG tests.
Well, that's not what we want. So runtests now knows about
-n taking an arg.
Initially I was going to write a failing test for refresh tokens. Thus
this fix includes an orphaned 'expect_failure' method in test utils.
I ended up writing support for OAuth refresh tokens, as well as a lot of
cleanup (hopefully) in the OAuth plugin code.
**Rebase**: While waiting for this stuff to be merged, the testing
framework changed, it comes with batteries included regarding fails.
Removed legacy nosetest helper.
Also added a lot of backref=backref([...], cascade='all, delete-orphan')
By doing this, we can take advantage of py.test's ability to create
temporary directories that are then cleaned up later during testing.
This helps for sandboxing things.
This also involves a ton of changes:
- Changing the get_app stuff appropriately, getting rid of the
setup_fresh_app decorator
- Making said fixture
- Switching over a billion tests to use it
* JDShu/649_use_form_data_field:
Use WTForms data field in user_pages/views.py
Use WTForms data field in auth/views.py
auth: whitespace cleanup in views.py
Use WTForms data field in plugins/oauth/views.py
Use WTForms data field in submit/views.py
Use WTForms data field in edit/views.py
The previous code was theoretically subject to timing attacks, where
an attacker could read the key in between the time it was saved to the
file and when the chmod happened. This version prevents that by using
umasks to ensure the files always have the right permissions.
This version also avoids using a key that cannot be saved due to some
system setup bug.
This makes session.__init__ slightly more complicated but probably
simplifies everything else, especially if we make the class smarter
later by having it track changes itself.
