mirror of https://github.com/django/django.git synced 2025-01-11 02:46:13 +00:00

Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt

This was a regression caused by the CSRF changes in 1.2.

Thanks to edevil for the report.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Luke Plant 2010-06-08 14:35:48 +00:00
parent 21a690fcfe
commit ac8b7ff021
2 changed files with 32 additions and 4 deletions


@ -62,9 +62,6 @@ class CsrfViewMiddleware(object):
tag. tag.
""" """
def process_view(self, request, callback, callback_args, callback_kwargs): def process_view(self, request, callback, callback_args, callback_kwargs):
if getattr(callback, 'csrf_exempt', False):
return None
if getattr(request, 'csrf_processing_done', False): if getattr(request, 'csrf_processing_done', False):
return None return None
@ -90,6 +87,11 @@ class CsrfViewMiddleware(object):
# place of a CSRF cookie for this request only. # place of a CSRF cookie for this request only.
cookie_is_new = True cookie_is_new = True
# Wait until request.META["CSRF_COOKIE"] has been manipulated before
# bailing out, so that get_token still works
if getattr(callback, 'csrf_exempt', False):
return None
if request.method == 'POST': if request.method == 'POST':
if getattr(request, '_dont_enforce_csrf_checks', False): if getattr(request, '_dont_enforce_csrf_checks', False):
# Mechanism to turn off CSRF checks for test suite. It comes after # Mechanism to turn off CSRF checks for test suite. It comes after
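Review bot: The relocated `csrf_exempt` early return is now the only thing separating the cookie/token setup from the POST enforcement below it, and the two-line comment does not say that this position is a security boundary. The comment should state both halves of the contract, for example `# Exempt views skip enforcement only: the CSRF_COOKIE setup above must still run (get_token, #13716),` followed by `# and every rejection check must stay below this return.` Without that, a later edit that adds a check above this line would silently apply it to exempt views, and one that moves setup below it would reintroduce the regression. The body of process_view starts and continues outside the visible hunks, so the exact setup code above the return cannot be confirmed from here.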


@ -3,7 +3,7 @@
from django.test import TestCase from django.test import TestCase
from django.http import HttpRequest, HttpResponse from django.http import HttpRequest, HttpResponse
from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
from django.views.decorators.csrf import csrf_exempt from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
from django.core.context_processors import csrf from django.core.context_processors import csrf
from django.contrib.sessions.middleware import SessionMiddleware from django.contrib.sessions.middleware import SessionMiddleware
from django.utils.importlib import import_module from django.utils.importlib import import_module
@ -123,6 +123,23 @@ class CsrfMiddlewareTest(TestCase):
# Check the Vary header got patched correctly # Check the Vary header got patched correctly
self.assert_('Cookie' in resp2.get('Vary','')) self.assert_('Cookie' in resp2.get('Vary',''))
def test_process_response_for_exempt_view(self):
"""
Check that a view decorated with 'csrf_view_exempt' is still
post-processed to add the CSRF token.
"""
req = self._get_GET_no_csrf_cookie_request()
CsrfMiddleware().process_view(req, csrf_view_exempt(post_form_view), (), {})
resp = post_form_response()
resp_content = resp.content # needed because process_response modifies resp
resp2 = CsrfMiddleware().process_response(req, resp)
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertNotEqual(csrf_cookie, False)
self.assertNotEqual(resp_content, resp2.content)
self._check_token_present(resp2, csrf_cookie.value)
def test_process_response_no_csrf_cookie_view_only_get_token_used(self): def test_process_response_no_csrf_cookie_view_only_get_token_used(self):
""" """
When no prior CSRF cookie exists, check that the cookie is created, even When no prior CSRF cookie exists, check that the cookie is created, even
@ -279,6 +296,15 @@ class CsrfMiddlewareTest(TestCase):
resp = token_view(req) resp = token_view(req)
self._check_token_present(resp) self._check_token_present(resp)
def test_get_token_for_exempt_view(self):
"""
Check that get_token still works for a view decorated with 'csrf_view_exempt'.
"""
req = self._get_GET_csrf_cookie_request()
CsrfViewMiddleware().process_view(req, csrf_view_exempt(token_view), (), {})
resp = token_view(req)
self._check_token_present(resp)
def test_token_node_with_new_csrf_cookie(self): def test_token_node_with_new_csrf_cookie(self):
""" """
Check that CsrfTokenNode works when a CSRF cookie is created by Check that CsrfTokenNode works when a CSRF cookie is created by
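Review bot: Both added tests, `test_process_response_for_exempt_view` and `test_get_token_for_exempt_view`, build GET requests and discard the return value of `process_view`, so neither pins that an exempt view is still exempt now that the check runs later in the method. A companion test that sends a POST with no token to `csrf_view_exempt(token_view)` and asserts the result, e.g. `self.assertEqual(None, CsrfViewMiddleware().process_view(req, csrf_view_exempt(token_view), (), {}))`, would cover the enforcement side of the move. Such a test may already exist outside the visible hunks; if so, it is worth confirming it exercises `csrf_view_exempt` as well as `csrf_exempt`.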