1
0
mirror of https://github.com/django/django.git synced 2024-12-25 10:35:48 +00:00

Removed Django 1.2 compatibility fallback for form wizard hash

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15951 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-03-30 17:34:49 +00:00
parent 25aaa359a2
commit fa4bbfcbfb
3 changed files with 3 additions and 60 deletions

View File

@ -249,14 +249,6 @@ class WizardClass(wizard.FormWizard):
return http.HttpResponse(success_string) return http.HttpResponse(success_string)
class UserSecuredWizardClass(WizardClass):
"""
Wizard with a custum security_hash method
"""
def security_hash(self, request, form):
return "123"
class DummyRequest(http.HttpRequest): class DummyRequest(http.HttpRequest):
def __init__(self, POST=None): def __init__(self, POST=None):
@ -310,36 +302,7 @@ class WizardTests(TestCase):
"wizard_step": "1"}) "wizard_step": "1"})
self.assertEqual(0, response.context['step0']) self.assertEqual(0, response.context['step0'])
def test_good_hash_django12(self): def test_good_hash(self):
"""
Form should advance if the hash is present and good, as calculated using
django 1.2 method.
"""
# We are hard-coding a hash value here, but that is OK, since we want to
# ensure that we don't accidentally change the algorithm.
data = {"0-field": "test",
"1-field": "test2",
"hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
"wizard_step": "1"}
response = self.client.post('/wizard/', data)
self.assertEqual(2, response.context['step0'])
def test_good_hash_django12_subclass(self):
"""
The Django 1.2 method of calulating hashes should *not* be used as a
fallback if the FormWizard subclass has provided their own method
of calculating a hash.
"""
# We are hard-coding a hash value here, but that is OK, since we want to
# ensure that we don't accidentally change the algorithm.
data = {"0-field": "test",
"1-field": "test2",
"hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
"wizard_step": "1"}
response = self.client.post('/wizard2/', data)
self.assertEqual(0, response.context['step0'])
def test_good_hash_current(self):
""" """
Form should advance if the hash is present and good, as calculated using Form should advance if the hash is present and good, as calculated using
current method. current method.

View File

@ -11,7 +11,4 @@ urlpatterns = patterns('',
(r'^wizard/$', WizardClass([WizardPageOneForm, (r'^wizard/$', WizardClass([WizardPageOneForm,
WizardPageTwoForm, WizardPageTwoForm,
WizardPageThreeForm])), WizardPageThreeForm])),
(r'^wizard2/$', UserSecuredWizardClass([WizardPageOneForm,
WizardPageTwoForm,
WizardPageThreeForm]))
) )

View File

@ -11,7 +11,7 @@ except ImportError:
from django import forms from django import forms
from django.conf import settings from django.conf import settings
from django.contrib.formtools.utils import security_hash, form_hmac from django.contrib.formtools.utils import form_hmac
from django.http import Http404 from django.http import Http404
from django.shortcuts import render_to_response from django.shortcuts import render_to_response
from django.template.context import RequestContext from django.template.context import RequestContext
@ -58,24 +58,7 @@ class FormWizard(object):
def _check_security_hash(self, token, request, form): def _check_security_hash(self, token, request, form):
expected = self.security_hash(request, form) expected = self.security_hash(request, form)
if constant_time_compare(token, expected): return constant_time_compare(token, expected)
return True
else:
# Fall back to Django 1.2 method, for compatibility with forms that
# are in the middle of being used when the upgrade occurs. However,
# we don't want to do this fallback if a subclass has provided their
# own security_hash method - because they might have implemented a
# more secure method, and this would punch a hole in that.
# PendingDeprecationWarning <- left here to remind us that this
# compatibility fallback should be removed in Django 1.5
FormWizard_expected = FormWizard.security_hash(self, request, form)
if expected == FormWizard_expected:
# They didn't override security_hash, do the fallback:
old_expected = security_hash(request, form)
return constant_time_compare(token, old_expected)
else:
return False
@method_decorator(csrf_protect) @method_decorator(csrf_protect)
def __call__(self, request, *args, **kwargs): def __call__(self, request, *args, **kwargs):