From 03ee15a938cf72f713afeff2131687acfb9a262a Mon Sep 17 00:00:00 2001
From: Ben Busby <benbusby@protonmail.com>
Date: Tue, 27 Apr 2021 10:29:23 -0400
Subject: [PATCH] Add test for disabling config, update response code

Introduces a test to ensure the correct response code is found when
attempting to update the config when disabled, and ensure default config
is unchanged when posting a new config dict.

Attempting to update the config using the API when disabled now returns
a 403 code + redirect.
---
 app.json            |  1 -
 app/routes.py       |  4 ++--
 test/test_routes.py | 13 +++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/app.json b/app.json
index 99825cd..6889e5b 100644
--- a/app.json
+++ b/app.json
@@ -85,7 +85,6 @@
         "value": "",
         "required": false
     },
-
     "WHOOGLE_CONFIG_DARK": {
         "description": "[CONFIG] Enable dark mode (set to 1 or leave blank)",
         "value": "",
diff --git a/app/routes.py b/app/routes.py
index 46a8497..053cb72 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -241,7 +241,7 @@ def config():
     config_disabled = app.config['CONFIG_DISABLE']
     if request.method == 'GET':
         return json.dumps(g.user_config.__dict__)
-    elif request.method == 'PUT' and not config_disabled: 
+    elif request.method == 'PUT' and not config_disabled:
         if 'name' in request.args:
             config_pkl = os.path.join(
                 app.config['CONFIG_PATH'],
@@ -273,7 +273,7 @@ def config():
         session['config'] = config_data
         return redirect(config_data['url'])
     else:
-        return json.dumps({})
+        return redirect(url_for('.index'), code=403)
 
 
 @app.route('/url', methods=['GET'])
diff --git a/test/test_routes.py b/test/test_routes.py
index fda189d..12cdda3 100644
--- a/test/test_routes.py
+++ b/test/test_routes.py
@@ -1,3 +1,5 @@
+from app import app
+
 import json
 
 from test.conftest import demo_config
@@ -52,6 +54,17 @@ def test_config(client):
     assert rv._status_code == 200
     assert custom_config.replace('&', '&amp;') in str(rv.data)
 
+    # Test disabling changing config from client
+    app.config['CONFIG_DISABLE'] = 1
+    dark_mod = not demo_config['dark']
+    demo_config['dark'] = dark_mod
+    rv = client.post('/config', data=demo_config)
+    assert rv._status_code == 403
+
+    rv = client.get('/config')
+    config = json.loads(rv.data)
+    assert config['dark'] != dark_mod
+
 
 def test_opensearch(client):
     rv = client.get('/opensearch.xml')