def test_process_request_session_and_token(self):
"""
Check that if a session is present and a token, the middleware lets it through
"""
req = self._get_POST_session_request_with_token()
req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(None, req2)
def test_process_request_session_no_token(self):
"""
Check that if a session is present but no token, we get a 'forbidden'
"""
req = self._get_POST_session_request()
req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(HttpResponseForbidden, req2.__class__)
def test_ajax_exemption(self):
"""
Check that AJAX requests are automatically exempted.
"""
req = self._get_POST_session_request()
req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(None, req2)
def test_process_request_session_no_token_exempt_view(self):
"""
Check that if a session is present and no token, but the csrf_exempt
decorator has been applied to the view, the middleware lets it through
"""
req = self._get_POST_session_request()
req2 = CsrfMiddleware().process_view(req, csrf_exempt(self.get_view()), (), {})
self.assertEquals(None, req2)
def test_process_request_no_session(self):
"""
Check that if no session is present, the middleware does nothing.
to the incoming request.
"""
req = self._get_POST_no_session_request()
req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(None, req2)
def test_csrf_token_in_header(self):
"""
Check that we can pass in the token in a header instead of in the form
"""
req = self._get_POST_session_request()
req.META['HTTP_X_CSRFTOKEN'] = _make_token(self._session_id)
req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {})
self.assertEquals(None, req2)
def test_process_response_exempt_view(self):
"""
Check that no post processing is done for an exempt view
"""
req = self._get_POST_session_request()
resp = csrf_exempt(self.get_view())(req)
resp_content = resp.content
resp2 = CsrfMiddleware().process_response(req, resp)
self.assertEquals(resp_content, resp2.content)
def test_process_response_no_session(self):
"""
Check the post-processor does nothing if no session active
"""
req = self._get_GET_no_session_request()
resp = self._get_post_form_response()
resp_content = resp.content # needed because process_response modifies resp
resp2 = CsrfMiddleware().process_response(req, resp)
self.assertEquals(resp_content, resp2.content)
def test_process_response_new_session(self):
"""
Check that the token is inserted if there is a new session being started
"""
req = self._get_GET_no_session_request() # no session in request
resp = self._get_new_session_response() # but new session started
resp_content = resp.content # needed because process_response modifies resp
resp2 = CsrfMiddleware().process_response(req, resp)
self.assertNotEqual(resp_content, resp2.content)
self._check_token_present(resp2)
def test_process_response_existing_session(self):
"""
Check that the token is inserted if there is an existing session
"""
req = self._get_GET_session_request()
resp = self._get_post_form_response()
resp_content = resp.content # needed because process_response modifies resp
resp2 = CsrfMiddleware().process_response(req, resp)
self.assertNotEqual(resp_content, resp2.content)
self._check_token_present(resp2)