Fix regression

The algorithm functions are delicately entangled, as the regression fixed here indicates. The fix is to be more conservative with reordering. I also moved the test over to be closer to a similar one.
gratipay · Nov 23, 2016 · e8ee77d · e8ee77d
1 parent 8872839
commit e8ee77d
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 5 deletions.
diff --git a/gratipay/main.py b/gratipay/main.py
@@ -99,12 +99,12 @@
     algorithm['parse_environ_into_request'],
     algorithm['parse_body_into_request'],
 
-    security.only_allow_certain_methods,
     utils.use_tildes_for_participants,
     algorithm['redirect_to_base_url'],
     i18n.set_up_i18n,
     authentication.start_user_as_anon,
     authentication.authenticate_user_if_possible,
+    security.only_allow_certain_methods,
     csrf.extract_token_from_cookie,
     csrf.reject_forgeries,
 

diff --git a/tests/py/test_security.py b/tests/py/test_security.py
@@ -35,6 +35,9 @@ def test_oacm_disallows_a_bunch_of_other_stuff(self):
     def test_oacm_doesnt_choke_error_handling(self):
         assert self.client.hit("OPTIONS", "/", raise_immediately=False).code == 405
 
+    def test_oacm_prevents_csrf_from_choking(self):
+        assert self.client.PxST('/assets/gratipay.css').code == 405
+
 
     # ahtr - add_headers_to_response
 

diff --git a/tests/py/test_security_csrf.py b/tests/py/test_security_csrf.py
@@ -47,7 +47,3 @@ def test_csrf_cookie_set_for_most_requests(self):
     def test_no_csrf_cookie_set_for_assets(self):
         r = self.client.GET('/assets/gratipay.css')
         assert b'csrf_token' not in r.headers.cookie
-
-    def test_that_missing_csrf_on_assets_doesnt_result_in_a_500(self):
-        r = self.client.PxST('/assets/gratipay.css')
-        assert r.code == 405