def get_or_create_csrf_token(request):
    """Return the CSRF value cached on ``request.META['CSRF_COOKIE']``, minting one if absent.

    Whatever is returned is also flagged as used (``CSRF_COOKIE_USED``) so a
    downstream CSRF middleware knows the cookie must be (re)issued on the
    response.

    NOTE(review): ``csrf._get_new_csrf_string`` is a private Django helper;
    whether it yields a bare secret or a masked token, and what ``CSRF_COOKIE``
    is expected to hold, has changed between Django releases -- confirm against
    the target version before feeding this value straight into a
    ``csrfmiddlewaretoken`` field.
    """
    meta = request.META
    token = meta.get('CSRF_COOKIE')
    if token is None:
        # Nothing cached for this request yet: generate and stash a new value.
        token = csrf._get_new_csrf_string()
        meta['CSRF_COOKIE'] = token
    meta['CSRF_COOKIE_USED'] = True
    return token
    def test_csrf_validation_passes_after_process_request_login(self):
        """
        CsrfViewMiddleware must read the CSRF token from the session or cookie,
        not from ``request.META``: an authentication middleware may call
        rotate_token() during process_request(), replacing the META value
        before process_view() performs the check.
        """
        client = Client(enforce_csrf_checks=True)
        secret = _get_new_csrf_string()
        # Two independent maskings of the same secret: one for the cookie, one
        # for the form field. They differ byte-wise but must validate against
        # each other.
        cookie_token = _mask_cipher_secret(secret)
        form_token = _mask_cipher_secret(secret)
        headers = {self.header: 'fakeuser'}

        # Sanity check that the view really is CSRF-protected: a POST carrying
        # only the cookie (no csrfmiddlewaretoken in the body) must be rejected.
        client.cookies.load({settings.CSRF_COOKIE_NAME: cookie_token})
        rejected = client.post('/remote_user/', **headers)
        self.assertEqual(rejected.status_code, 403)
        self.assertIn(b'CSRF verification failed.', rejected.content)

        # Now submit the matching form token. The authentication middleware
        # logs the user in during process_request(); django.contrib.auth.login()
        # calls rotate_token(), which overwrites request.META['CSRF_COOKIE'].
        # The later process_view() check must still pass.
        client.cookies.load({settings.CSRF_COOKIE_NAME: cookie_token})
        accepted = client.post(
            '/remote_user/', {'csrfmiddlewaretoken': form_token}, **headers
        )
        self.assertEqual(accepted.status_code, 200)
def test_disable_csrf():
    """``FormHelper.disable_csrf`` must suppress the hidden csrfmiddlewaretoken.

    A token is supplied in the context on purpose, so the only way for "csrf"
    to be absent from the output is the helper honouring the flag. Note that
    this flag opts the rendered form out of Django's CSRF defence; it is only
    safe where another protection applies or the target is not state-changing.
    """
    helper = FormHelper()
    helper.disable_csrf = True
    context = {"csrf_token": _get_new_csrf_string()}
    html = render_crispy_form(SampleForm(), helper, context)
    assert "csrf" not in html
def test_formset_layout(settings):
    """Render a three-form formset through a full Layout and check the output.

    Covers the management form, the enclosing <form> (one tag, one CSRF field,
    id/class/method/action taken from the helper) and the per-form layout
    pieces, with template-pack-specific class-name counts.
    """
    SampleFormSet = formset_factory(SampleForm, extra=3)
    helper = FormHelper()
    helper.form_id = 'thisFormsetRocks'
    helper.form_class = 'formsets-that-rock'
    helper.form_method = 'POST'
    helper.form_action = 'simpleAction'
    helper.layout = Layout(
        Fieldset("Item {{ forloop.counter }}", 'is_company', 'email'),
        HTML("{% if forloop.first %}Note for first form only{% endif %}"),
        Row('password1', 'password2'),
        Fieldset("", 'first_name', 'last_name'),
    )

    html = render_crispy_form(
        form=SampleFormSet(),
        helper=helper,
        context={'csrf_token': _get_new_csrf_string()},
    )

    # Management form: the hidden bookkeeping inputs Django needs to rebind
    # the formset on POST.
    management_inputs = [
        '<input id="id_form-TOTAL_FORMS" name="form-TOTAL_FORMS" type="hidden" value="3"/>',
        '<input id="id_form-INITIAL_FORMS" name="form-INITIAL_FORMS" type="hidden" value="0"/>',
        '<input id="id_form-MAX_NUM_FORMS" name="form-MAX_NUM_FORMS" type="hidden" value="1000"/>',
        '<input id="id_form-MIN_NUM_FORMS" name="form-MIN_NUM_FORMS" type="hidden" value="0"/>',
    ]
    for expected in management_inputs:
        assert contains_partial(html, expected)
    # Presumably the four management inputs plus the CSRF token field.
    assert html.count("hidden") == 5

    # Enclosing form: exactly one <form>, exactly one CSRF token.
    assert html.count('<form') == 1
    assert html.count('csrfmiddlewaretoken') == 1
    for fragment in (
        'formsets-that-rock',
        'method="post"',
        'id="thisFormsetRocks"',
        'action="%s"' % reverse('simpleAction'),
    ):
        assert fragment in html

    # Per-form layout.
    for n in (1, 2, 3):
        assert 'Item %d' % n in html
    assert html.count('Note for first form only') == 1
    pack = settings.CRISPY_TEMPLATE_PACK
    if pack == 'uni_form':
        assert html.count('formRow') == 3
    elif pack in ('bootstrap3', 'bootstrap4'):
        assert html.count('row') == 3

    if pack == 'bootstrap4':
        assert html.count('form-group') == 18
def renew_csrf(window_info):
    """Push a freshly masked CSRF token for this window's secret to the browser.

    If ``window_info`` has no CSRF cookie yet, a new secret is generated and
    stored on it in masked form; otherwise the secret is recovered from the
    existing cookie. Either way the browser receives a *new* masking of the
    same secret via ``df.validate.update_csrf`` -- the secret itself is not
    rotated here, only its presentation changes.

    NOTE(review): nothing here validates the stored cookie before it reaches
    ``_unsalt_cipher_token``. If that value can originate from the client
    (length/alphabet unchecked), confirm it is sanitised upstream, as Django's
    own middleware does before unmasking.
    """
    existing = window_info.csrf_cookie
    if existing:
        secret = _unsalt_cipher_token(existing)
    else:
        secret = _get_new_csrf_string()
        window_info.csrf_cookie = _salt_cipher_secret(secret)
    masked = _salt_cipher_secret(secret)
    scall(window_info, "df.validate.update_csrf", to=[WINDOW], value=masked)
def renew_csrf(window_info):
    """Send the browser a newly masked CSRF token derived from the window's secret.

    A missing cookie on ``window_info`` means a brand-new secret is created and
    persisted there (masked); an existing cookie is unmasked to recover the
    secret. The value shipped via ``df.validate.update_csrf`` is always a fresh
    masking, so the browser-visible token changes while the secret does not.

    NOTE(review): the stored cookie is unmasked without any format check; if
    it can be client-supplied, make sure it is validated before this point
    (Django's middleware sanitises tokens before unmasking them).
    """
    if not window_info.csrf_cookie:
        new_secret = _get_new_csrf_string()
        window_info.csrf_cookie = _salt_cipher_secret(new_secret)
        secret = new_secret
    else:
        secret = _unsalt_cipher_token(window_info.csrf_cookie)
    scall(
        window_info,
        "df.validate.update_csrf",
        to=[WINDOW],
        value=_salt_cipher_secret(secret),
    )
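 def post(self, request, *args, **kwargs):
     """Validate posted credentials, log the user in and return their API token.

     Response body: ``{"token": <key>}``. Because ``auth_login`` also starts a
     session, browser clients will subsequently authenticate by session cookie,
     so a CSRF cookie is issued alongside the token.

     Raises:
         The serializer's validation error (``is_valid(raise_exception=True)``)
         when the credentials are rejected.

     Security note: the cookie is set under ``settings.CSRF_COOKIE_NAME`` with
     the ``CSRF_COOKIE_*`` attributes instead of a bare hard-coded
     ``'csrftoken'``, so Secure/HttpOnly/SameSite/Domain/Path/Max-Age are not
     silently dropped for this response.
     """
     from django.conf import settings

     serializer = self.serializer_class(data=request.data)
     serializer.is_valid(raise_exception=True)
     user = serializer.validated_data['user']
     # One token per user: created on first login, reused afterwards.
     token, _ = Token.objects.get_or_create(user=user)
     auth_login(request, user)

     response = Response({'token': token.key})
     cookie_kwargs = {
         'max_age': settings.CSRF_COOKIE_AGE,
         'domain': settings.CSRF_COOKIE_DOMAIN,
         'path': settings.CSRF_COOKIE_PATH,
         'secure': settings.CSRF_COOKIE_SECURE,
         'httponly': settings.CSRF_COOKIE_HTTPONLY,
     }
     # CSRF_COOKIE_SAMESITE and the matching set_cookie kwarg only exist on
     # newer Django releases; pass it only when it is configured.
     samesite = getattr(settings, 'CSRF_COOKIE_SAMESITE', None)
     if samesite is not None:
         cookie_kwargs['samesite'] = samesite
     response.set_cookie(settings.CSRF_COOKIE_NAME, _get_new_csrf_string(), **cookie_kwargs)
     return response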
def test_formset_layout(settings):
    """Render a 3-form formset through an explicit Layout and verify the HTML.

    Checks three things: the management-form inputs, the single enclosing
    <form> with its helper-driven attributes and one CSRF field, and the
    per-form layout (fieldset legends, first-form-only HTML, row/group counts
    for the active template pack).
    """
    SampleFormSet = formset_factory(SampleForm, extra=3)
    formset = SampleFormSet()

    helper = FormHelper()
    helper.form_id = "thisFormsetRocks"
    helper.form_class = "formsets-that-rock"
    helper.form_method = "POST"
    helper.form_action = "simpleAction"
    helper.layout = Layout(
        Fieldset("Item {{ forloop.counter }}", "is_company", "email"),
        HTML("{% if forloop.first %}Note for first form only{% endif %}"),
        Row("password1", "password2"),
        Fieldset("", "first_name", "last_name"),
    )

    context = {"csrf_token": _get_new_csrf_string()}
    html = render_crispy_form(form=formset, helper=helper, context=context)

    # --- management form ---------------------------------------------------
    expected_hidden = {
        "TOTAL_FORMS": "3",
        "INITIAL_FORMS": "0",
        "MAX_NUM_FORMS": "1000",
        "MIN_NUM_FORMS": "0",
    }
    for suffix, value in expected_hidden.items():
        assert contains_partial(
            html,
            '<input id="id_form-%s" name="form-%s" type="hidden" value="%s"/>' % (suffix, suffix, value),
        )
    # Presumably the 4 management inputs plus the csrfmiddlewaretoken field.
    assert html.count("hidden") == 5

    # --- enclosing form ----------------------------------------------------
    assert html.count("<form") == 1
    assert html.count("csrfmiddlewaretoken") == 1
    assert "formsets-that-rock" in html
    assert 'method="post"' in html
    assert 'id="thisFormsetRocks"' in html
    assert 'action="%s"' % reverse("simpleAction") in html

    # --- per-form layout ---------------------------------------------------
    assert "Item 1" in html
    assert "Item 2" in html
    assert "Item 3" in html
    assert html.count("Note for first form only") == 1
    pack = settings.CRISPY_TEMPLATE_PACK
    if pack == "uni_form":
        assert html.count("formRow") == 3
    elif pack in ("bootstrap3", "bootstrap4"):
        assert html.count("row") == 3

    if pack == "bootstrap4":
        assert html.count("form-group") == 18
def test_CSRF_token_GET_form():
    """A GET form must not embed csrfmiddlewaretoken.

    A token is deliberately placed in the context so the assertion proves the
    tag is skipped for GET rather than merely missing its input. Emitting the
    token in a GET form would put it into the query string (URLs, logs,
    Referer headers), which is exactly where a CSRF token must not end up.
    """
    helper = FormHelper()
    helper.form_method = "GET"
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy form form_helper %}
    """)
    context = Context({
        "form": SampleForm(),
        "form_helper": helper,
        "csrf_token": _get_new_csrf_string(),
    })

    assert "csrfmiddlewaretoken" not in template.render(context)
def test_CSRF_token_GET_form():
    """The csrfmiddlewaretoken field must be omitted when the form method is GET.

    The context carries a real token, so its absence from the output can only
    come from the GET handling. Rendering it into a GET form would leak the
    token through the query string.
    """
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy form form_helper %}
    """)

    get_helper = FormHelper()
    get_helper.form_method = 'GET'
    rendered = template.render(Context({
        'form': SampleForm(),
        'form_helper': get_helper,
        'csrf_token': _get_new_csrf_string(),
    }))

    assert 'csrfmiddlewaretoken' not in rendered
def test_CSRF_token_POST_form():
    """A default (POST) form rendered via {% crispy %} must carry csrfmiddlewaretoken.

    CsrfViewMiddleware only populates the token while processing a real
    request, so RequestContext / csrf(request) are not usable in a bare
    template test; the ``csrf_token`` context key that the ``{% csrf_token %}``
    tag reads is set by hand instead.
    """
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy form form_helper %}
    """)

    context = Context({
        "form": SampleForm(),
        "form_helper": FormHelper(),
        "csrf_token": _get_new_csrf_string(),
    })
    rendered = template.render(context)

    assert "csrfmiddlewaretoken" in rendered
    def _build_mock_request(self, user=None, get=None, post=None):
        """Build a MagicMock standing in for an HttpRequest.

        Args:
            user: request user; ``None`` yields an ``AnonymousUser``. A real
                user is patched so ``is_authenticated`` reads as True, in the
                form used for the installed Django major version.
            get: mapping copied into ``request.GET`` (empty when ``None``).
            post: mapping copied into ``request.POST`` (empty when ``None``).

        Returns:
            The mock, with ``META`` holding only ``SCRIPT_NAME``, a masked CSRF
            token under ``settings.CSRF_COOKIE_NAME`` in ``COOKIES``, and empty
            ``resolver_match.kwargs``. ``META`` carries no ``CSRF_COOKIE``
            entry, so middleware-level CSRF state is not simulated here.
        """
        request = MagicMock()
        if not user:
            request.user = AnonymousUser()
        else:
            request.user = user
            major = django.VERSION[0]
            if major == 1:
                # 1.x: patch the descriptor so the check evaluates to True.
                request.user.is_authenticated.__get__ = MagicMock(return_value=True)
            elif major >= 2:
                # 2+: a plain instance attribute shadows the class property.
                request.user.__dict__['is_authenticated'] = True

        request.GET = {} if get is None else dict(get)
        request.POST = {} if post is None else dict(post)
        request.META = {"SCRIPT_NAME": "/"}
        masked_token = _salt_cipher_secret(_get_new_csrf_string())
        request.COOKIES = {settings.CSRF_COOKIE_NAME: masked_token}
        request.resolver_match.kwargs = {}
        return request
def test_formset_with_helper_without_layout(settings):
    """A formset rendered via {% crispy %} with a layout-less helper.

    The helper contributes the <form> attributes and exactly one CSRF field;
    the formset contributes its management form.
    """
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy testFormSet formset_helper %}
    """)

    helper = FormHelper()
    helper.form_id = "thisFormsetRocks"
    helper.form_class = "formsets-that-rock"
    helper.form_method = "POST"
    helper.form_action = "simpleAction"

    formset = formset_factory(SampleForm, extra=3)()
    html = template.render(Context({
        "testFormSet": formset,
        "formset_helper": helper,
        "csrf_token": _get_new_csrf_string(),
    }))

    # One enclosing form and one CSRF token -- not one per sub-form.
    assert html.count("<form") == 1
    assert html.count("csrfmiddlewaretoken") == 1

    # Management form is present.
    for name in ("form-TOTAL_FORMS", "form-INITIAL_FORMS", "form-MAX_NUM_FORMS"):
        assert name in html

    # Helper attributes applied to the <form>.
    assert "formsets-that-rock" in html
    assert 'method="post"' in html
    assert 'id="thisFormsetRocks"' in html
    assert 'action="%s"' % reverse("simpleAction") in html
    if settings.CRISPY_TEMPLATE_PACK == "uni_form":
        assert 'class="uniForm' in html
def test_formset_with_helper_without_layout(settings):
    """Formset + helper with no Layout: form attributes, one CSRF field, management form."""
    template = Template("""
        {% load crispy_forms_tags %}
        {% crispy testFormSet formset_helper %}
    """)

    formset_helper = FormHelper()
    formset_helper.form_id = 'thisFormsetRocks'
    formset_helper.form_class = 'formsets-that-rock'
    formset_helper.form_method = 'POST'
    formset_helper.form_action = 'simpleAction'

    SampleFormSet = formset_factory(SampleForm, extra=3)
    context = Context({
        'testFormSet': SampleFormSet(),
        'formset_helper': formset_helper,
        'csrf_token': _get_new_csrf_string(),
    })
    rendered = template.render(context)

    # Exactly one <form> wrapping the whole formset, with a single CSRF token.
    assert rendered.count('<form') == 1
    assert rendered.count('csrfmiddlewaretoken') == 1

    # Management form fields.
    assert 'form-TOTAL_FORMS' in rendered
    assert 'form-INITIAL_FORMS' in rendered
    assert 'form-MAX_NUM_FORMS' in rendered

    # Attributes set on the helper show up on the <form> tag.
    expected_fragments = [
        'formsets-that-rock',
        'method="post"',
        'id="thisFormsetRocks"',
        'action="%s"' % reverse('simpleAction'),
    ]
    for fragment in expected_fragments:
        assert fragment in rendered
    if settings.CRISPY_TEMPLATE_PACK == 'uni_form':
        assert 'class="uniForm' in rendered
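 def get(self, request, *args, **kwargs):
     """Render ``index.html`` and issue a CSRF cookie on the response.

     The cookie is set under ``settings.CSRF_COOKIE_NAME`` with the
     ``CSRF_COOKIE_*`` attributes rather than a bare hard-coded ``'csrftoken'``,
     so Secure/HttpOnly/SameSite/Domain/Path/Max-Age are not silently dropped
     for this response.

     NOTE(review): the value is a fresh secret unrelated to anything the
     template rendering may have cached on ``request.META``. If ``index.html``
     renders ``{% csrf_token %}``, that field is derived from ``request.META``,
     not from this cookie -- confirm the two end up consistent in the
     deployment (Django's CsrfViewMiddleware normally reissues the cookie
     itself after the view runs).
     """
     from django.conf import settings

     response = render(request, 'index.html')
     cookie_kwargs = {
         'max_age': settings.CSRF_COOKIE_AGE,
         'domain': settings.CSRF_COOKIE_DOMAIN,
         'path': settings.CSRF_COOKIE_PATH,
         'secure': settings.CSRF_COOKIE_SECURE,
         'httponly': settings.CSRF_COOKIE_HTTPONLY,
     }
     # CSRF_COOKIE_SAMESITE and the matching set_cookie kwarg only exist on
     # newer Django releases; pass it only when it is configured.
     samesite = getattr(settings, 'CSRF_COOKIE_SAMESITE', None)
     if samesite is not None:
         cookie_kwargs['samesite'] = samesite
     response.set_cookie(settings.CSRF_COOKIE_NAME, _get_new_csrf_string(), **cookie_kwargs)
     return response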
 def _get_new_csrf_token():
     """Mint a fresh CSRF secret and return it in masked form.

     The masked form is what ``csrfmiddlewaretoken`` fields carry; the raw
     secret is never returned directly.
     """
     secret = _get_new_csrf_string()
     return _mask_cipher_secret(secret)