def test_csrf_token(self):
        """Approve a moderated profile through its admin moderation URL.

        On Django 1.1 the POST carries a ``csrfmiddlewaretoken`` computed from
        the test client's session key; on any other version no token is sent.
        """
        owner = User.objects.get(username='******')
        profile = UserProfile(description='Profile for new user',
                              url='http://www.yahoo.com',
                              user=owner)
        profile.save()

        self.client.login(username='******', password='******')
        moderate_url = profile.moderated_object.get_admin_moderate_url()

        # NOTE(review): outside the 1.1 branch the POST is expected to succeed
        # with no token at all, so that branch does not exercise CSRF
        # protection. Django's test Client skips CSRF enforcement unless it is
        # built with enforce_csrf_checks=True -- confirm which applies here.
        post_data = {'approve': 'Approve'}
        if django_version == '1.1':
            from django.contrib.csrf.middleware import _make_token
            session_key = self.client.session.session_key
            post_data['csrfmiddlewaretoken'] = _make_token(session_key)

        response = self.client.post(moderate_url, post_data)
        self.assertEqual(response.status_code, 302)

        # Re-read the row so the status check sees what was stored.
        refreshed = UserProfile.objects.get(pk=profile.pk)
        self.assertEqual(refreshed.moderated_object.moderation_status,
                         MODERATION_STATUS_APPROVED)
Beispiel #2
def csrf_token(request):
    """Context processor exposing the session's CSRF token as ``csrf_token``.

    Returns an empty dict when the request has no session cookie.
    """
    # NOTE(review): the token is computed from the raw cookie value sent by
    # the client, and from nothing else, so it presumably stays the same for
    # the lifetime of that session id -- confirm against _make_token.
    try:
        session_cookie = request.COOKIES[settings.SESSION_COOKIE_NAME]
    except KeyError:
        return {}
    else:
        return {'csrf_token': _make_token(session_cookie)}
Beispiel #3
    def test_csrf_token(self):
        """Check that posting 'approve' to the admin moderation URL approves a profile.

        A ``csrfmiddlewaretoken`` built from the client's session key is
        included only when ``django_version`` is exactly ``'1.1'``.
        """
        new_profile = UserProfile(
            description='Profile for new user',
            url='http://www.yahoo.com',
            user=User.objects.get(username='******'),
        )
        new_profile.save()

        self.client.login(username='******', password='******')

        admin_url = new_profile.moderated_object.get_admin_moderate_url()

        if django_version == '1.1':
            from django.contrib.csrf.middleware import _make_token

            token_fields = {
                'csrfmiddlewaretoken': _make_token(
                    self.client.session.session_key),
            }
        else:
            # NOTE(review): no token is posted on this path, so a passing run
            # says nothing about CSRF enforcement. Django's test Client does
            # not enforce CSRF unless created with enforce_csrf_checks=True
            # -- confirm how self.client is configured.
            token_fields = {}

        post_data = {'approve': 'Approve'}
        post_data.update(token_fields)

        response = self.client.post(admin_url, post_data)
        self.assertEqual(response.status_code, 302)

        # Fetch the stored row again before checking the moderation status.
        stored = UserProfile.objects.get(pk=new_profile.pk)
        self.assertEqual(stored.moderated_object.moderation_status,
                         MODERATION_STATUS_APPROVED)
def csrf(request):
    """Context processor returning ``{"csrf_token": <token or None>}``.

    The token is computed from the session cookie; when a ``KeyError`` is
    raised while reading the cookie or building the token, the value is
    ``None``.
    """
    # NOTE(review): relies on the private helper middleware._make_token and
    # on the raw, client-supplied cookie value -- nothing here checks that
    # the cookie names a live session.
    try:
        session_cookie = request.COOKIES[django_settings.SESSION_COOKIE_NAME]
        token = middleware._make_token(session_cookie)
    except KeyError:
        token = None
    return {"csrf_token": token}
Beispiel #5
 def test_csrf_token_in_header(self):
     """
     The token may be supplied in the X-CSRFToken request header instead of
     as a form field.
     """
     request = self._get_POST_session_request()
     header_token = _make_token(self._session_id)
     request.META["HTTP_X_CSRFTOKEN"] = header_token

     csrf_middleware = CsrfMiddleware()
     outcome = csrf_middleware.process_view(request, self.get_view(), (), {})

     # The test expects None, i.e. no response object produced by the check.
     self.assertEquals(None, outcome)
Beispiel #6
 def test_csrf_token_in_header(self):
     """
     Verify that a token sent in the HTTP_X_CSRFTOKEN header is accepted in
     place of the form field.
     """
     post_request = self._get_POST_session_request()
     # The header value is the same token the form field would carry.
     post_request.META['HTTP_X_CSRFTOKEN'] = _make_token(self._session_id)

     view = CsrfMiddleware().process_view
     result = view(post_request, self.get_view(), (), {})
     self.assertEquals(None, result)
Beispiel #7
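 def post(self, path, data={}, content_type=MULTIPART_CONTENT, **extra):
     """
     Overridden method that adds a ``csrfmiddlewaretoken`` field to the POST
     data when ``add_csrf_tokens_to_posts`` is set and the client session
     exposes a ``session_key``.

     The token is written into a copy of ``data``. The ``{}`` default is one
     dict shared by every call, so writing into it directly would carry a
     session's token into later calls (including calls made with
     ``add_csrf_tokens_to_posts`` switched off, which would then no longer
     test the missing-token case) and would also modify the caller's dict.
     """
     if self.add_csrf_tokens_to_posts and hasattr(self.session, 'session_key'):
         # Copy first: never mutate the shared default or the caller's data.
         data = data.copy()
         data['csrfmiddlewaretoken'] = _make_token(self.session.session_key)
     return Client.post(self, path, data, content_type, **extra)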
Beispiel #8
def get_post_token_value(request):
    """Return the CSRF token computed from the request's session cookie.

    When the session cookie is missing, the event is logged at critical level
    and the result of ``error_response.create(...)`` is returned instead, so
    callers receive two different kinds of value.
    """
    from django.contrib.csrf.middleware import _make_token
    from flowgram.core import log

    # NOTE(review): the token is derived from the raw cookie value supplied
    # by the client; nothing in this function checks that it names a live
    # session -- confirm the caller has already authenticated the request.
    try:
        session_cookie = request.COOKIES[settings.SESSION_COOKIE_NAME]
    except KeyError:
        log.critical("get_post_token found no sessionid for authenticated user %s" % request.user)
        return error_response.create(
            get(request, 'enc', 'json'),
            'Session cookie required',
        )
    else:
        return _make_token(session_cookie)
Beispiel #9
    def process_request(self, request):
        """Run the parent CSRF check, but let one legacy token value through.

        Only POST requests carrying a non-empty ``csrfmiddlewaretoken`` field
        are handed to the parent middleware; every other request gets ``None``
        from this method without the parent being called.
        """
        # NOTE(review): a POST that omits the field is therefore not checked
        # by this method at all -- confirm that is intended, or that another
        # layer enforces the token.
        if request.method != 'POST' or not request.POST.get('csrfmiddlewaretoken', None):
            return None

        parent_result = super(CsrfMiddleware, self).process_request(request)

        # A Forbidden result can mean the key was missing from POST or that
        # its value was wrong; anything else is passed back unchanged.
        if not isinstance(parent_result, HttpResponseForbidden):
            return parent_result

        # NOTE(review): _make_token('') does not depend on any session, so the
        # value accepted below is identical for every user and provides no
        # per-session binding. This looks like a compatibility shim for old
        # clients; it weakens the check and should be scheduled for removal.
        insecure_crap_token = csrf_middleware._make_token('')
        if request.POST['csrfmiddlewaretoken'] == insecure_crap_token:
            return None

        return parent_result
Beispiel #10
 def _check_token_present(self, response):
     """Assert that *response* contains the csrfmiddlewaretoken name/value pair for the test session."""
     expected_markup = "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id)
     self.assertContains(response, expected_markup)
Beispiel #11
 def _get_POST_session_request_with_token(self):
     """Build the POST session request and add the matching CSRF token as a form field."""
     request = self._get_POST_session_request()
     # The token is computed from the same session id the fixture uses.
     token = _make_token(self._session_id)
     request.POST['csrfmiddlewaretoken'] = token
     return request
Beispiel #12
def do_csrf(request):
    """Return the CSRF token computed from the session cookie, when that cookie is present."""
    # dict.has_key() exists only on Python 2 mappings; the check keeps the
    # lookup below from raising KeyError when the cookie is absent.
    # NOTE(review): no explicit result for the no-cookie case is visible here.
    if request.COOKIES.has_key(settings.SESSION_COOKIE_NAME):
        return _make_token(request.COOKIES[settings.SESSION_COOKIE_NAME])