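def setUp(self):
    """Build the request fixtures and pin the CSRF settings the tests rely on.

    ``session_csrf.ANON_ALWAYS`` is forced to ``False`` and
    ``settings.CSRF_FAILURE_VIEW`` to Django's built-in failure view. The
    previous values stay available on ``self.save_*`` and are also restored
    through ``addCleanup``: cleanups run even when ``setUp`` raises part-way
    (``tearDown`` does not), so an override cannot leak into later tests and
    change which CSRF code path they exercise.
    """
    self.token = 'a' * 32
    self.rf = django.test.RequestFactory()
    self.mw = CsrfMiddleware()

    # Register each restore before applying the override it undoes.
    self.save_ANON_ALWAYS = session_csrf.ANON_ALWAYS
    self.addCleanup(
        setattr, session_csrf, 'ANON_ALWAYS', self.save_ANON_ALWAYS)
    session_csrf.ANON_ALWAYS = False

    self.save_CSRF_FAILURE_VIEW = settings.CSRF_FAILURE_VIEW
    self.addCleanup(
        setattr, settings, 'CSRF_FAILURE_VIEW', self.save_CSRF_FAILURE_VIEW)
    settings.CSRF_FAILURE_VIEW = 'django.views.csrf.csrf_failure'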
def setUp(self):
    """Create the per-test fixtures: a fixed token, a request factory and the middleware."""
    # A predictable 32-character stand-in for a real token.
    self.token = 32 * 'a'
    request_factory = django.test.RequestFactory()
    self.rf = request_factory
    middleware = CsrfMiddleware()
    self.mw = middleware
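class TestCsrfMiddleware(django.test.TestCase):
    """Tests for CsrfMiddleware.process_request and process_view.

    Covers token lookup from the anonymous cookie, the safe-method and
    ``csrf_exempt`` bypasses, and the 403 returned for unsafe requests whose
    submitted token is missing, blank or different from
    ``request.csrf_token``.
    """

    def setUp(self):
        # Fixed 32-character token, a request factory and a fresh middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Run the middleware's process_view, passing None for the two trailing arguments."""
        return self.mw.process_view(request, view, None, None)

    def test_anon_token_from_cookie(self):
        # The value cached under the cookie's token becomes request.csrf_token.
        rf = django.test.RequestFactory()
        rf.cookies['anoncsrf'] = self.token
        cache_key = PREFIX + self.token
        cache.set(cache_key, 'woo')
        # Remove the entry afterwards so a cached token cannot influence
        # other tests that share the cache.
        self.addCleanup(cache.delete, cache_key)
        request = rf.get('/')
        request.session = {}
        r = {
            'wsgi.input': django.test.client.FakePayload('')
        }
        # Hack to set up request middleware.
        ClientHandler()(self.rf._base_environ(**r))
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_set_csrftoken_once(self):
        # Make sure process_request only sets request.csrf_token once.
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_reject_view(self):
        # Check that the reject view returns a 403.
        response = self.process_view(self.rf.post('/'))
        self.assertEqual(response.status_code, 403)

    def test_csrf_exempt(self):
        # Make sure @csrf_exempt still works.
        # The stand-in view is an instance of an anonymous class whose only
        # attribute is csrf_exempt = True.
        view = type("", (), {'csrf_exempt': True})()
        self.assertIsNone(self.process_view(self.rf.post('/'), view))

    def test_safe_whitelist(self):
        # CSRF should not get checked on these methods.
        self.assertIsNone(self.process_view(self.rf.get('/')))
        self.assertIsNone(self.process_view(self.rf.head('/')))
        self.assertIsNone(self.process_view(self.rf.options('/')))

    def test_unsafe_methods(self):
        # State-changing methods without any token are rejected.
        self.assertEqual(self.process_view(self.rf.post('/')).status_code, 403)
        self.assertEqual(self.process_view(self.rf.put('/')).status_code, 403)
        self.assertEqual(
            self.process_view(self.rf.delete('/')).status_code, 403)

    def test_csrfmiddlewaretoken(self):
        # The user token should be found in POST['csrfmiddlewaretoken'].
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No request.csrf_token yet: the submitted token has nothing to match.
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        # Matching tokens: process_view returns None and the request goes on.
        self.assertIsNone(self.process_view(request))

    def test_x_csrftoken(self):
        # The user token can be found in the X-CSRFTOKEN header.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        self.assertIsNone(self.process_view(request))

    def test_require_request_token_or_user_token(self):
        # Blank request and user tokens raise an error on POST.
        # Two empty strings are equal, so this pins that equality alone is
        # not enough to pass the check.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_token_no_match(self):
        # A 403 is returned when the tokens don't match.
        # NOTE(review): request.csrf_token is blank here, so this pairs a
        # non-empty submitted token with an empty stored one; a case with two
        # different non-empty tokens would pin the comparison itself.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_csrf_token_context_processor(self):
        # Our CSRF token should be available in the template context.
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        # Merge the output of every standard context processor.
        for processor in context.get_standard_processors():
            ctx.update(processor(request))
        self.assertEqual(ctx['csrf_token'], self.token)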
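class TestCsrfMiddleware(django.test.TestCase):
    """Tests for CsrfMiddleware.process_request and process_view.

    Covers token lookup from the anonymous cookie, the safe-method and
    ``csrf_exempt`` bypasses, and the 403 returned for unsafe requests whose
    submitted token is missing, blank or different from
    ``request.csrf_token``.
    """

    def setUp(self):
        # Fixed 32-character token, a request factory and a fresh middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Run the middleware's process_view, passing None for the two trailing arguments."""
        return self.mw.process_view(request, view, None, None)

    def test_anon_token_from_cookie(self):
        # The value cached under the cookie's token becomes request.csrf_token.
        rf = django.test.RequestFactory()
        rf.cookies['anoncsrf'] = self.token
        cache_key = prep_key(self.token)
        cache.set(cache_key, 'woo')
        # Remove the entry afterwards so a cached token cannot influence
        # other tests that share the cache.
        self.addCleanup(cache.delete, cache_key)
        request = rf.get('/')
        # Run the session and authentication middleware on the request
        # before the CSRF middleware sees it.
        SessionMiddleware().process_request(request)
        AuthenticationMiddleware().process_request(request)
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_set_csrftoken_once(self):
        # Make sure process_request only sets request.csrf_token once.
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_reject_view(self):
        # Check that the reject view returns a 403.
        response = self.process_view(self.rf.post('/'))
        self.assertEqual(response.status_code, 403)

    def test_csrf_exempt(self):
        # Make sure @csrf_exempt still works.
        # The stand-in view is an instance of an anonymous class whose only
        # attribute is csrf_exempt = True.
        view = type("", (), {'csrf_exempt': True})()
        self.assertIsNone(self.process_view(self.rf.post('/'), view))

    def test_safe_whitelist(self):
        # CSRF should not get checked on these methods.
        self.assertIsNone(self.process_view(self.rf.get('/')))
        self.assertIsNone(self.process_view(self.rf.head('/')))
        self.assertIsNone(self.process_view(self.rf.options('/')))

    def test_unsafe_methods(self):
        # State-changing methods without any token are rejected.
        self.assertEqual(self.process_view(self.rf.post('/')).status_code, 403)
        self.assertEqual(self.process_view(self.rf.put('/')).status_code, 403)
        self.assertEqual(
            self.process_view(self.rf.delete('/')).status_code, 403)

    def test_csrfmiddlewaretoken(self):
        # The user token should be found in POST['csrfmiddlewaretoken'].
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No request.csrf_token yet: the submitted token has nothing to match.
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        # Matching tokens: process_view returns None and the request goes on.
        self.assertIsNone(self.process_view(request))

    def test_x_csrftoken(self):
        # The user token can be found in the X-CSRFTOKEN header.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        self.assertIsNone(self.process_view(request))

    def test_require_request_token_or_user_token(self):
        # Blank request and user tokens raise an error on POST.
        # Two empty strings are equal, so this pins that equality alone is
        # not enough to pass the check.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_token_no_match(self):
        # A 403 is returned when the tokens don't match.
        # NOTE(review): request.csrf_token is blank here, so this pairs a
        # non-empty submitted token with an empty stored one; a case with two
        # different non-empty tokens would pin the comparison itself.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_csrf_token_context_processor(self):
        # Our CSRF token should be available in the template context.
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        # Merge the output of every standard context processor.
        for processor in context.get_standard_processors():
            ctx.update(processor(request))
        self.assertEqual(ctx['csrf_token'], self.token)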
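class TestCsrfMiddleware(django.test.TestCase):
    """Tests for CsrfMiddleware.process_request and process_view.

    Covers token lookup from the anonymous cookie, the safe-method and
    ``csrf_exempt`` bypasses, the 403 returned for unsafe requests whose
    submitted token is missing, blank or different from
    ``request.csrf_token``, and a request that never went through the
    authentication middleware.
    """

    def setUp(self):
        # Fixed 32-character token, a request factory and a fresh middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Run the middleware's process_view, passing None for the two trailing arguments."""
        return self.mw.process_view(request, view, None, None)

    def test_anon_token_from_cookie(self):
        # The value cached under the cookie's token becomes request.csrf_token.
        rf = django.test.RequestFactory()
        rf.cookies['anoncsrf'] = self.token
        cache_key = prep_key(self.token)
        cache.set(cache_key, 'woo')
        # Remove the entry afterwards so a cached token cannot influence
        # other tests that share the cache.
        self.addCleanup(cache.delete, cache_key)
        request = rf.get('/')
        # Run the session and authentication middleware on the request
        # before the CSRF middleware sees it.
        SessionMiddleware().process_request(request)
        AuthenticationMiddleware().process_request(request)
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_set_csrftoken_once(self):
        # Make sure process_request only sets request.csrf_token once.
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_reject_view(self):
        # Check that the reject view returns a 403.
        response = self.process_view(self.rf.post('/'))
        self.assertEqual(response.status_code, 403)

    def test_csrf_exempt(self):
        # Make sure @csrf_exempt still works.
        # The stand-in view is an instance of an anonymous class whose only
        # attribute is csrf_exempt = True. str("") presumably keeps the class
        # name a native string under unicode_literals; confirm.
        view = type(str(""), (), {'csrf_exempt': True})()
        self.assertIsNone(self.process_view(self.rf.post('/'), view))

    def test_safe_whitelist(self):
        # CSRF should not get checked on these methods.
        self.assertIsNone(self.process_view(self.rf.get('/')))
        self.assertIsNone(self.process_view(self.rf.head('/')))
        self.assertIsNone(self.process_view(self.rf.options('/')))

    def test_unsafe_methods(self):
        # State-changing methods without any token are rejected.
        self.assertEqual(self.process_view(self.rf.post('/')).status_code, 403)
        self.assertEqual(self.process_view(self.rf.put('/')).status_code, 403)
        self.assertEqual(
            self.process_view(self.rf.delete('/')).status_code, 403)

    def test_csrfmiddlewaretoken(self):
        # The user token should be found in POST['csrfmiddlewaretoken'].
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No request.csrf_token yet: the submitted token has nothing to match.
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        # Matching tokens: process_view returns None and the request goes on.
        self.assertIsNone(self.process_view(request))

    def test_x_csrftoken(self):
        # The user token can be found in the X-CSRFTOKEN header.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        self.assertIsNone(self.process_view(request))

    def test_require_request_token_or_user_token(self):
        # Blank request and user tokens raise an error on POST.
        # Two empty strings are equal, so this pins that equality alone is
        # not enough to pass the check.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_token_no_match(self):
        # A 403 is returned when the tokens don't match.
        # NOTE(review): request.csrf_token is blank here, so this pairs a
        # non-empty submitted token with an empty stored one; a case with two
        # different non-empty tokens would pin the comparison itself.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_csrf_token_context_processor(self):
        # Our CSRF token should be available in the template context.
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        # Merge the output of every configured context processor.
        for processor in get_context_processors():
            ctx.update(processor(request))
        self.assertEqual(ctx['csrf_token'], self.token)

    def test_process_view_without_authentication_middleware(self):
        # No request.user
        # Same as would happen if you never use the built-in
        # AuthenticationMiddleware.
        # NOTE(review): despite the name, this drives process_request, not
        # process_view.
        request = self.rf.get('/')
        self.assertIsNone(self.mw.process_request(request))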
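class TestCsrfMiddleware(django.test.TestCase):
    """Tests for CsrfMiddleware.process_request and process_view.

    Covers token lookup from the anonymous cookie, the GET and
    ``csrf_exempt`` bypasses, and the 403 returned for POST requests whose
    submitted token is missing, blank or different from
    ``request.csrf_token``.
    """

    def setUp(self):
        # Fixed 32-character token, a request factory and a fresh middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Run the middleware's process_view, passing None for the two trailing arguments."""
        return self.mw.process_view(request, view, None, None)

    def test_anon_token_from_cookie(self):
        # The value cached under the cookie's token becomes request.csrf_token.
        rf = django.test.RequestFactory()
        rf.cookies['anoncsrf'] = self.token
        cache.set(self.token, 'woo')
        # Remove the entry afterwards so a cached token cannot influence
        # other tests that share the cache.
        self.addCleanup(cache.delete, self.token)
        request = rf.get('/')
        request.session = {}
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_set_csrftoken_once(self):
        # Make sure process_request only sets request.csrf_token once.
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual(request.csrf_token, 'woo')

    def test_reject_view(self):
        # Check that the reject view returns a 403.
        response = self.process_view(self.rf.post('/'))
        self.assertEqual(response.status_code, 403)

    def test_csrf_exempt(self):
        # Make sure @csrf_exempt still works.
        # Build an instance with csrf_exempt=True. Passing the namedtuple
        # class itself (as this test used to) exposes a field descriptor under
        # that name, which is merely truthy rather than the flag being True.
        view = namedtuple('_', 'csrf_exempt')(csrf_exempt=True)
        self.assertIsNone(self.process_view(self.rf.post('/'), view))

    def test_only_check_post(self):
        # CSRF should only get checked on POST requests.
        self.assertIsNone(self.process_view(self.rf.get('/')))

    def test_csrfmiddlewaretoken(self):
        # The user token should be found in POST['csrfmiddlewaretoken'].
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No request.csrf_token yet: the submitted token has nothing to match.
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        # Matching tokens: process_view returns None and the request goes on.
        self.assertIsNone(self.process_view(request))

    def test_x_csrftoken(self):
        # The user token can be found in the X-CSRFTOKEN header.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self.assertEqual(self.process_view(request).status_code, 403)
        request.csrf_token = self.token
        self.assertIsNone(self.process_view(request))

    def test_require_request_token_or_user_token(self):
        # Blank request and user tokens raise an error on POST.
        # Two empty strings are equal, so this pins that equality alone is
        # not enough to pass the check.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_token_no_match(self):
        # A 403 is returned when the tokens don't match.
        # NOTE(review): request.csrf_token is blank here, so this pairs a
        # non-empty submitted token with an empty stored one; a case with two
        # different non-empty tokens would pin the comparison itself.
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self.assertEqual(self.process_view(request).status_code, 403)

    def test_csrf_token_context_processor(self):
        # Our CSRF token should be available in the template context.
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        # Merge the output of every standard context processor.
        for processor in context.get_standard_processors():
            ctx.update(processor(request))
        self.assertEqual(ctx['csrf_token'], self.token)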