def check_sites_middleware(app_configs, **kwargs):
if SITE_PERMISSION_MIDDLEWARE not in get_middleware_setting():
return [Warning(SITE_PERMISSION_MIDDLEWARE +
" missing from settings.MIDDLEWARE - per site"
" permissions not applied",
id="mezzanine.core.W04")]
return []
def check_sites_middleware(app_configs, **kwargs):
if SITE_PERMISSION_MIDDLEWARE not in get_middleware_setting():
return [
Warning(SITE_PERMISSION_MIDDLEWARE +
" missing from settings.MIDDLEWARE - per site"
" permissions not applied",
id="mezzanine.core.W04")
]
return []
def has_site_permission(user):
"""
Checks if a staff user has staff-level access for the current site.
The actual permission lookup occurs in ``SitePermissionMiddleware``
which then marks the request with the ``has_site_permission`` flag,
so that we only query the db once per request, so this function
serves as the entry point for everything else to check access. We
also fall back to an ``is_staff`` check if the middleware is not
installed, to ease migration.
"""
if SITE_PERMISSION_MIDDLEWARE not in get_middleware_setting():
return user.is_staff and user.is_active
return getattr(user, "has_site_permission", False)
def has_site_permission(user):
"""
Checks if a staff user has staff-level access for the current site.
The actual permission lookup occurs in ``SitePermissionMiddleware``
which then marks the request with the ``has_site_permission`` flag,
so that we only query the db once per request, so this function
serves as the entry point for everything else to check access. We
also fall back to an ``is_staff`` check if the middleware is not
installed, to ease migration.
"""
if SITE_PERMISSION_MIDDLEWARE not in get_middleware_setting():
return user.is_staff and user.is_active
return getattr(user, "has_site_permission", False)
def process_request(self, request):
if (cache_installed() and request.method == "GET"
and not is_authenticated(request.user)):
cache_key = cache_key_prefix(request) + request.get_full_path()
response = cache_get(cache_key)
# We need to force a csrf token here, as new sessions
# won't receieve one on their first request, with cache
# middleware running.
csrf_mw_name = "django.middleware.csrf.CsrfViewMiddleware"
if csrf_mw_name in get_middleware_setting():
csrf_mw = CsrfViewMiddleware()
csrf_mw.process_view(request, lambda x: None, None, None)
get_token(request)
if response is None:
request._update_cache = True
else:
return HttpResponse(response)
def has_site_permission(user):
"""
Checks if a staff user has staff-level access for the current site.
The actual permission lookup occurs in ``SitePermissionMiddleware``
which then marks the request with the ``has_site_permission`` flag,
so that we only query the db once per request, so this function
serves as the entry point for everything else to check access. We
also fall back to an ``is_staff`` check if the middleware is not
installed, to ease migration.
"""
mw = "mezzanine.core.middleware.SitePermissionMiddleware"
if mw not in get_middleware_setting():
from warnings import warn
warn(mw + " missing from settings.MIDDLEWARE - per site"
"permissions not applied")
return user.is_staff and user.is_active
return getattr(user, "has_site_permission", False)
def has_site_permission(user):
"""
Checks if a staff user has staff-level access for the current site.
The actual permission lookup occurs in ``SitePermissionMiddleware``
which then marks the request with the ``has_site_permission`` flag,
so that we only query the db once per request, so this function
serves as the entry point for everything else to check access. We
also fall back to an ``is_staff`` check if the middleware is not
installed, to ease migration.
"""
mw = "mezzanine.core.middleware.SitePermissionMiddleware"
if mw not in get_middleware_setting():
from warnings import warn
warn(mw + " missing from settings.MIDDLEWARE - per site"
"permissions not applied")
return user.is_staff and user.is_active
return getattr(user, "has_site_permission", False)
def process_request(self, request):
if (cache_installed() and request.method == "GET" and
not is_authenticated(request.user)):
cache_key = cache_key_prefix(request) + request.get_full_path()
response = cache_get(cache_key)
# We need to force a csrf token here, as new sessions
# won't receieve one on their first request, with cache
# middleware running.
csrf_mw_name = "django.middleware.csrf.CsrfViewMiddleware"
if csrf_mw_name in get_middleware_setting():
csrf_mw = CsrfViewMiddleware()
csrf_mw.process_view(request, lambda x: None, None, None)
get_token(request)
if response is None:
request._update_cache = True
else:
return HttpResponse(response)
class CSRFTestCase(TestCase):
@classmethod
def tearDownClass(cls):
# Initialize nevercache again now that @override_settings is finished
cache_installed.cache_clear()
initialize_nevercache()
@override_settings(
**{
"ROOT_URLCONF":
CSRFTestViews,
"CACHES": {
'default': {
'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
}
},
get_middleware_setting_name():
('mezzanine.core.middleware.UpdateCacheMiddleware', ) +
get_middleware_setting() +
('mezzanine.core.middleware.FetchFromCacheMiddleware', ),
"TESTING":
False
})
def test_csrf_cookie_with_nevercache(self):
"""
Test that the CSRF cookie is properly set when using nevercache.
"""
# Clear the cached value for cache_installed and initialize nevercache
cache_installed.cache_clear()
initialize_nevercache()
# Test uses an authenticated user as the middleware behavior differs
self.client.login(username=self._username, password=self._password)
response = self.client.get("/nevercache_view/")
# CSRF token is expected to be rendered
self.assertEqual(response.status_code, 200)
self.assertContains(response, "csrfmiddlewaretoken")
# The CSRF cookie should be present
csrf_cookie = response.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertNotEqual(csrf_cookie, False)
def cache_installed():
"""
Returns ``True`` if a cache backend is configured, and the
cache middleware classes or subclasses thereof are present.
This will be evaluated once per run, and then cached.
"""
has_key = bool(getattr(settings, "NEVERCACHE_KEY", ""))
def flatten(seqs):
return (item for seq in seqs for item in seq)
middleware_classes = map(import_string, get_middleware_setting())
middleware_ancestors = set(flatten(map(getmro, middleware_classes)))
mezzanine_cache_middleware_classes = {
import_string("mezzanine.core.middleware.UpdateCacheMiddleware"),
import_string("mezzanine.core.middleware.FetchFromCacheMiddleware"),
}
return (has_key and settings.CACHES and not settings.TESTING and
mezzanine_cache_middleware_classes.issubset(middleware_ancestors))
def installed(cls):
"""
Used in ``mezzanine.pages.views.page`` to ensure
``PageMiddleware`` or a subclass has been installed. We cache
the result on the ``PageMiddleware._installed`` to only run
this once. Short path is to just check for the dotted path to
``PageMiddleware`` in ``MIDDLEWARE_CLASSES`` - if not found,
we need to load each middleware class to match a subclass.
"""
try:
return cls._installed
except AttributeError:
name = "mezzanine.pages.middleware.PageMiddleware"
mw_setting = get_middleware_setting()
installed = name in mw_setting
if not installed:
for name in mw_setting:
if issubclass(import_dotted_path(name), cls):
installed = True
break
setattr(cls, "_installed", installed)
return installed
def middlewares_or_subclasses_installed(needed_middlewares):
"""
When passed an iterable of dotted strings, returns True if all
of the middlewares (or their subclasses) are installed.
"""
middleware_setting = set(get_middleware_setting())
# Shortcut case, check by string
if all(m in middleware_setting for m in needed_middlewares):
return True
def flatten(seqs):
return (item for seq in seqs for item in seq)
middleware_items = map(import_string, middleware_setting)
middleware_classes = filter(lambda m: isinstance(m, six.class_types),
middleware_items)
middleware_ancestors = set(flatten(map(getmro, middleware_classes)))
needed_middlewares = set(map(import_string, needed_middlewares))
return needed_middlewares.issubset(middleware_ancestors)
def installed(cls):
"""
Used in ``mezzanine.pages.views.page`` to ensure
``PageMiddleware`` or a subclass has been installed. We cache
the result on the ``PageMiddleware._installed`` to only run
this once. Short path is to just check for the dotted path to
``PageMiddleware`` in ``MIDDLEWARE_CLASSES`` - if not found,
we need to load each middleware class to match a subclass.
"""
try:
return cls._installed
except AttributeError:
name = "mezzanine.pages.middleware.PageMiddleware"
mw_setting = get_middleware_setting()
installed = name in mw_setting
if not installed:
for name in mw_setting:
if issubclass(import_dotted_path(name), cls):
installed = True
break
setattr(cls, "_installed", installed)
return installed
def process_response(self, request, response):
# Caching is only applicable for text-based, non-streaming
# responses. We also skip it for non-200 statuses during
# development, so that stack traces are correctly rendered.
is_text = response.get("content-type", "").startswith("text")
valid_status = response.status_code == 200
streaming = getattr(response, "streaming", False)
if not is_text or streaming or (settings.DEBUG and not valid_status):
return response
# Cache the response if all the required conditions are met.
# Response must be marked for updating by the
# ``FetchFromCacheMiddleware`` having a cache get miss, the
# user must not be authenticated, the HTTP status must be OK
# and the response mustn't include an expiry age, indicating it
# shouldn't be cached.
marked_for_update = getattr(request, "_update_cache", False)
anon = hasattr(request, "user") and not is_authenticated(request.user)
timeout = get_max_age(response)
if timeout is None:
timeout = settings.CACHE_MIDDLEWARE_SECONDS
if anon and valid_status and marked_for_update and timeout:
cache_key = cache_key_prefix(request) + request.get_full_path()
_cache_set = lambda r: cache_set(cache_key, r.content, timeout)
if callable(getattr(response, "render", None)):
response.add_post_render_callback(_cache_set)
else:
_cache_set(response)
# Second phase rendering for non-cached template code and
# content. Split on the delimiter the ``nevercache`` tag
# wrapped its contents in, and render only the content
# enclosed by it, to avoid possible template code injection.
token = nevercache_token()
try:
token = token.encode('utf-8')
except AttributeError:
pass
parts = response.content.split(token)
# Restore csrf token from cookie - check the response
# first as it may be being set for the first time.
csrf_token = None
try:
csrf_token = response.cookies[settings.CSRF_COOKIE_NAME].value
except KeyError:
try:
csrf_token = request.COOKIES[settings.CSRF_COOKIE_NAME]
except KeyError:
pass
if csrf_token:
request.META["CSRF_COOKIE"] = csrf_token
context = RequestContext(request)
for i, part in enumerate(parts):
if i % 2:
part = Template(part).render(context).encode("utf-8")
parts[i] = part
response.content = b"".join(parts)
response["Content-Length"] = len(response.content)
if hasattr(request, '_messages'):
# Required to clear out user messages.
request._messages.update(response)
# Response needs to be run-through the CSRF middleware again so
# that if there was a {% csrf_token %} inside of the nevercache
# the cookie will be correctly set for the the response
csrf_mw_name = "django.middleware.csrf.CsrfViewMiddleware"
if csrf_mw_name in get_middleware_setting():
response.csrf_processing_done = False
csrf_mw = CsrfViewMiddleware()
csrf_mw.process_response(request, response)
return response
def process_response(self, request, response):
# Caching is only applicable for text-based, non-streaming
# responses. We also skip it for non-200 statuses during
# development, so that stack traces are correctly rendered.
is_text = response.get("content-type", "").startswith("text")
valid_status = response.status_code == 200
streaming = getattr(response, "streaming", False)
if not is_text or streaming or (settings.DEBUG and not valid_status):
return response
# Cache the response if all the required conditions are met.
# Response must be marked for updating by the
# ``FetchFromCacheMiddleware`` having a cache get miss, the
# user must not be authenticated, the HTTP status must be OK
# and the response mustn't include an expiry age, indicating it
# shouldn't be cached.
marked_for_update = getattr(request, "_update_cache", False)
anon = hasattr(request, "user") and not is_authenticated(request.user)
timeout = get_max_age(response)
if timeout is None:
timeout = settings.CACHE_MIDDLEWARE_SECONDS
if anon and valid_status and marked_for_update and timeout:
cache_key = cache_key_prefix(request) + request.get_full_path()
_cache_set = lambda r: cache_set(cache_key, r.content, timeout)
if callable(getattr(response, "render", None)):
response.add_post_render_callback(_cache_set)
else:
_cache_set(response)
# Second phase rendering for non-cached template code and
# content. Split on the delimiter the ``nevercache`` tag
# wrapped its contents in, and render only the content
# enclosed by it, to avoid possible template code injection.
token = nevercache_token()
try:
token = token.encode('utf-8')
except AttributeError:
pass
parts = response.content.split(token)
# Restore csrf token from cookie - check the response
# first as it may be being set for the first time.
csrf_token = None
try:
csrf_token = response.cookies[settings.CSRF_COOKIE_NAME].value
except KeyError:
try:
csrf_token = request.COOKIES[settings.CSRF_COOKIE_NAME]
except KeyError:
pass
if csrf_token:
request.META["CSRF_COOKIE"] = csrf_token
context = RequestContext(request)
for i, part in enumerate(parts):
if i % 2:
part = Template(part).render(context).encode("utf-8")
parts[i] = part
response.content = b"".join(parts)
response["Content-Length"] = len(response.content)
if hasattr(request, '_messages'):
# Required to clear out user messages.
request._messages.update(response)
# Response needs to be run-through the CSRF middleware again so
# that if there was a {% csrf_token %} inside of the nevercache
# the cookie will be correctly set for the the response
csrf_mw_name = "django.middleware.csrf.CsrfViewMiddleware"
if csrf_mw_name in get_middleware_setting():
response.csrf_processing_done = False
csrf_mw = CsrfViewMiddleware()
csrf_mw.process_response(request, response)
return response
