django/tests/csrf_tests/views.py

from django.http import HttpResponse
from django.middleware.csrf import get_token, rotate_token
from django.template import Context, RequestContext, Template
from django.template.context_processors import csrf
from django.utils.decorators import decorator_from_middleware
from django.utils.deprecation import MiddlewareMixin
from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie


class TestingHttpResponse(HttpResponse):
    """
    A version of HttpResponse that stores what cookie values are passed to
    set_cookie() when CSRF_USE_SESSIONS=False.
    """
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # This is a list of the cookie values passed to set_cookie() over
        # the course of the request-response.
        self._cookies_set = []

    def set_cookie(self, key, value, **kwargs):
        super().set_cookie(key, value, **kwargs)
        self._cookies_set.append(value)


class _CsrfCookieRotator(MiddlewareMixin):

    def process_response(self, request, response):
        rotate_token(request)
        return response


csrf_rotating_token = decorator_from_middleware(_CsrfCookieRotator)


@csrf_protect
def protected_view(request):
    return HttpResponse('OK')


@ensure_csrf_cookie
def ensure_csrf_cookie_view(request):
    return HttpResponse('OK')


@csrf_protect
@ensure_csrf_cookie
def ensured_and_protected_view(request):
    return TestingHttpResponse('OK')


@csrf_protect
@csrf_rotating_token
@ensure_csrf_cookie
def sandwiched_rotate_token_view(request):
    """
    This is a view that calls rotate_token() in process_response() between two
    calls to CsrfViewMiddleware.process_response().
    """
    return TestingHttpResponse('OK')


def post_form_view(request):
    """Return a POST form (without a token)."""
    return HttpResponse(content="""
<html><body><h1>\u00a1Unicode!<form method="post"><input type="text"></form></body></html>
""")


def token_view(request):
    context = RequestContext(request, processors=[csrf])
    template = Template('{% csrf_token %}')
    return HttpResponse(template.render(context))


def non_token_view_using_request_processor(request):
    """Use the csrf view processor instead of the token."""
    context = RequestContext(request, processors=[csrf])
    template = Template('')
    return HttpResponse(template.render(context))


def csrf_token_error_handler(request, **kwargs):
    """This error handler accesses the CSRF token."""
    template = Template(get_token(request))
    return HttpResponse(template.render(Context()), status=599)
Moved csrf_tests views to a spearate file. 2016-11-30 17:33:00 +00:00			`from django.http import HttpResponse`
Refs #32902 -- Added CSRF test when rotate_token() is called between resetting the token and processing response. 2021-07-04 06:29:52 +00:00			`from django.middleware.csrf import get_token, rotate_token`
Fixed #28488 -- Reallowed error handlers to access CSRF tokens. Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b. 2017-09-17 20:24:05 +00:00			`from django.template import Context, RequestContext, Template`
Moved csrf_tests views to a spearate file. 2016-11-30 17:33:00 +00:00			`from django.template.context_processors import csrf`
Refs #32902 -- Added CSRF test when rotate_token() is called between resetting the token and processing response. 2021-07-04 06:29:52 +00:00			`from django.utils.decorators import decorator_from_middleware`
			`from django.utils.deprecation import MiddlewareMixin`
			`from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie`


			`class TestingHttpResponse(HttpResponse):`
			`"""`
			`A version of HttpResponse that stores what cookie values are passed to`
			`set_cookie() when CSRF_USE_SESSIONS=False.`
			`"""`
			`def __init__(self, args, *kwargs):`
			`super().__init__(args, *kwargs)`
			`# This is a list of the cookie values passed to set_cookie() over`
			`# the course of the request-response.`
			`self._cookies_set = []`

			`def set_cookie(self, key, value, **kwargs):`
			`super().set_cookie(key, value, **kwargs)`
			`self._cookies_set.append(value)`


			`class _CsrfCookieRotator(MiddlewareMixin):`

			`def process_response(self, request, response):`
			`rotate_token(request)`
			`return response`


			`csrf_rotating_token = decorator_from_middleware(_CsrfCookieRotator)`


Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic. Thanks Florian Apolloner and Shai Berger for reviews. 2021-07-16 14:54:42 +00:00			`@csrf_protect`
			`def protected_view(request):`
			`return HttpResponse('OK')`


Refs #32902 -- Moved ensure_csrf_cookie_view after protected_view. 2021-07-06 04:03:32 +00:00			`@ensure_csrf_cookie`
			`def ensure_csrf_cookie_view(request):`
			`return HttpResponse('OK')`


Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic. Thanks Florian Apolloner and Shai Berger for reviews. 2021-07-16 14:54:42 +00:00			`@csrf_protect`
			`@ensure_csrf_cookie`
			`def ensured_and_protected_view(request):`
			`return TestingHttpResponse('OK')`


Refs #32902 -- Added CSRF test when rotate_token() is called between resetting the token and processing response. 2021-07-04 06:29:52 +00:00			`@csrf_protect`
			`@csrf_rotating_token`
			`@ensure_csrf_cookie`
			`def sandwiched_rotate_token_view(request):`
			`"""`
			`This is a view that calls rotate_token() in process_response() between two`
			`calls to CsrfViewMiddleware.process_response().`
			`"""`
			`return TestingHttpResponse('OK')`
Moved csrf_tests views to a spearate file. 2016-11-30 17:33:00 +00:00

			`def post_form_view(request):`
			`"""Return a POST form (without a token)."""`
			`return HttpResponse(content="""`
Fixed #29038 -- Removed closing slash from HTML void tags. 2018-01-21 07:09:10 +00:00			`<html><body><h1>\u00a1Unicode!<form method="post"><input type="text"></form></body></html>`
Dropped obsolete mimetype kwarg in csrf test view 2019-09-21 18:44:55 +00:00			`""")`
Moved csrf_tests views to a spearate file. 2016-11-30 17:33:00 +00:00

			`def token_view(request):`
			`context = RequestContext(request, processors=[csrf])`
			`template = Template('{% csrf_token %}')`
			`return HttpResponse(template.render(context))`


			`def non_token_view_using_request_processor(request):`
			`"""Use the csrf view processor instead of the token."""`
			`context = RequestContext(request, processors=[csrf])`
			`template = Template('')`
			`return HttpResponse(template.render(context))`
Fixed #28488 -- Reallowed error handlers to access CSRF tokens. Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b. 2017-09-17 20:24:05 +00:00

			`def csrf_token_error_handler(request, **kwargs):`
			`"""This error handler accesses the CSRF token."""`
			`template = Template(get_token(request))`
			`return HttpResponse(template.render(Context()), status=599)`