Ticket #13716: 13716.diff

File 13716.diff, 3.3 KB (added by Luke Plant, 14 years ago)

patch with tests

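--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -62,9 +62,6 @@
     tag.
     """
     def process_view(self, request, callback, callback_args, callback_kwargs):
-        if getattr(callback, 'csrf_exempt', False):
-            return None
-
         if getattr(request, 'csrf_processing_done', False):
             return None
 
@@ -90,6 +87,11 @@
             # place of a CSRF cookie for this request only.
             cookie_is_new = True
 
+        # Wait until request.META["CSRF_COOKIE"] has been manipulated before
+        # bailing out, so that get_token still works
+        if getattr(callback, 'csrf_exempt', False):
+            return None
+
         if request.method == 'POST':
             if getattr(request, '_dont_enforce_csrf_checks', False):
                 # Mechanism to turn off CSRF checks for test suite.  It comes after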
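Review bot: The new comment above the relocated `csrf_exempt` check explains why it moved below the cookie setup, but not that it must stay above the `if request.method == 'POST':` enforcement block that follows. The ordering constraint now runs in both directions, and a later reshuffle could either break `get_token` for exempt views or start enforcing CSRF on them. I would extend the comment with something like `# Must remain before the POST check below: exempt views skip enforcement only, not CSRF cookie setup.` The code that populates `request.META["CSRF_COOKIE"]` sits between the two hunks and `process_view` continues past the last visible line, so this is based only on the lines shown.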
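--- a/tests/regressiontests/csrf_tests/tests.py
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -3,7 +3,7 @@
 from django.test import TestCase
 from django.http import HttpRequest, HttpResponse
 from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
 from django.core.context_processors import csrf
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.utils.importlib import import_module
@@ -123,6 +123,23 @@
         # Check the Vary header got patched correctly
         self.assert_('Cookie' in resp2.get('Vary',''))
 
+    def test_process_response_view_exempt(self):
+        """
+        Check that a view decorated with 'csrf_view_exempt' is still
+        post-processed to add the CSRF token.
+        """
+        req = self._get_GET_no_csrf_cookie_request()
+        CsrfMiddleware().process_view(req, csrf_view_exempt(post_form_view), (), {})
+
+        resp = post_form_response()
+        resp_content = resp.content # needed because process_response modifies resp
+        resp2 = CsrfMiddleware().process_response(req, resp)
+
+        csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
+        self.assertNotEqual(csrf_cookie, False)
+        self.assertNotEqual(resp_content, resp2.content)
+        self._check_token_present(resp2, csrf_cookie.value)
+
     def test_process_response_no_csrf_cookie_view_only_get_token_used(self):
         """
         When no prior CSRF cookie exists, check that the cookie is created, even
@@ -279,6 +296,15 @@
         resp = token_view(req)
         self._check_token_present(resp)
 
+    def test_get_token_for_exempt_view(self):
+        """
+        Check that get_token still works for a view decorated with 'csrf_view_exempt'.
+        """
+        req = self._get_GET_csrf_cookie_request()
+        CsrfViewMiddleware().process_view(req, csrf_view_exempt(token_view), (), {})
+        resp = token_view(req)
+        self._check_token_present(resp)
+
     def test_token_node_with_new_csrf_cookie(self):
         """
         Check that CsrfTokenNode works when a CSRF cookie is created by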
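Review bot: Both added tests, `test_process_response_view_exempt` and `test_get_token_for_exempt_view`, send GET requests, so neither pins the security-relevant half of the reordering: that an exempt view still bypasses enforcement on POST. Unless a test outside these hunks already covers it, I would add a case that passes a token-less POST request through `process_view` with `csrf_view_exempt(post_form_view)` and asserts the return value is `None`. `test_get_token_for_exempt_view` also starts from `_get_GET_csrf_cookie_request()`, so for `CsrfViewMiddleware` only the existing-cookie path is exercised. A variant built on `self._get_GET_no_csrf_cookie_request()` would cover the `cookie_is_new` branch as well.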