 def setUp(self):
     """Build the fixture token/middleware and pin the module settings the tests rely on.

     ``ANON_ALWAYS`` is switched off and ``CSRF_FAILURE_VIEW`` is pointed at
     Django's stock failure view. The previous values are kept on ``self`` so
     a ``tearDown`` (not visible here) can put them back; note that module
     state is patched directly rather than through ``override_settings``.
     """
     # Deterministic fixture token; never something a deployment would issue.
     self.token = 'a' * 32
     self.rf = django.test.RequestFactory()
     self.mw = CsrfMiddleware()
     # Snapshot both settings before touching either, so they can be restored.
     self.save_ANON_ALWAYS = session_csrf.ANON_ALWAYS
     self.save_CSRF_FAILURE_VIEW = settings.CSRF_FAILURE_VIEW
     session_csrf.ANON_ALWAYS = False
     settings.CSRF_FAILURE_VIEW = 'django.views.csrf.csrf_failure'
 def setUp(self):
     """Create a fixed 32-character token, a request factory and the middleware under test."""
     self.rf = django.test.RequestFactory()
     self.mw = CsrfMiddleware()
     # Deterministic fixture token so assertions can compare against it directly.
     self.token = 'a' * 32
class TestCsrfMiddleware(django.test.TestCase):
    """Drive ``CsrfMiddleware`` directly with ``RequestFactory`` requests.

    The tests bypass the full client/middleware stack, so attributes that
    other middleware would normally attach (``session``, ``csrf_token``)
    are set by hand wherever a test depends on them.
    """

    def setUp(self):
        """Create a fixed 32-character token, a request factory and the middleware."""
        # Deterministic fixture token; real tokens are issued by the middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Invoke the middleware's view hook with no view args or kwargs."""
        return self.mw.process_view(request, view, None, None)

    def _assert_forbidden(self, request, view=None):
        """Assert the view hook rejects *request* with an HTTP 403 response."""
        response = self.process_view(request, view)
        self.assertEqual(403, response.status_code)

    def _assert_allowed(self, request, view=None):
        """Assert the view hook lets *request* through (returns ``None``)."""
        self.assertIsNone(self.process_view(request, view))

    def test_anon_token_from_cookie(self):
        """A token presented in the ``anoncsrf`` cookie is resolved through the cache."""
        factory = django.test.RequestFactory()
        factory.cookies['anoncsrf'] = self.token
        # The cached value, not the raw cookie, is what lands on the request.
        cache.set(PREFIX + self.token, 'woo')
        request = factory.get('/')
        request.session = {}
        extra_environ = {
            'wsgi.input': django.test.client.FakePayload(''),
        }
        # Hack to set up request middleware.
        # NOTE(review): this runs ClientHandler on a separate environ built
        # from self.rf and never touches ``request`` above — confirm it is
        # still required.
        ClientHandler()(self.rf._base_environ(**extra_environ))
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_set_csrftoken_once(self):
        """``process_request`` must not overwrite an already-set ``csrf_token``."""
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_reject_view(self):
        """An unprotected POST is answered with a 403 by the reject view."""
        self._assert_forbidden(self.rf.post('/'))

    def test_csrf_exempt(self):
        """A view flagged ``csrf_exempt`` (what ``@csrf_exempt`` sets) is not checked."""
        class _ExemptView(object):
            csrf_exempt = True

        self._assert_allowed(self.rf.post('/'), _ExemptView())

    def test_safe_whitelist(self):
        """GET, HEAD and OPTIONS are never CSRF-checked.

        This is only safe while views keep those methods free of side
        effects, which is the assumption the whitelist rests on.
        """
        for method in ('get', 'head', 'options'):
            self._assert_allowed(getattr(self.rf, method)('/'))

    def test_unsafe_methods(self):
        """POST, PUT and DELETE are all checked, not just POST."""
        for method in ('post', 'put', 'delete'):
            self._assert_forbidden(getattr(self.rf, method)('/'))

    def test_csrfmiddlewaretoken(self):
        """A form token alone is rejected; it must match the request's ``csrf_token``."""
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No ``csrf_token`` on the request yet: nothing to compare against.
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_x_csrftoken(self):
        """The ``X-CSRFTOKEN`` header is an accepted carrier for the request token."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_require_request_token_or_user_token(self):
        """Two empty tokens must not compare equal: an empty pair is still a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_token_no_match(self):
        """A request token that differs from the request's ``csrf_token`` yields a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_csrf_token_context_processor(self):
        """The request's ``csrf_token`` is exposed to templates under ``csrf_token``."""
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        for processor in context.get_standard_processors():
            ctx.update(processor(request))
        self.assertEqual(self.token, ctx['csrf_token'])
 def setUp(self):
     """Create a fixed 32-character token, a request factory and the middleware under test."""
     self.rf = django.test.RequestFactory()
     self.mw = CsrfMiddleware()
     # Deterministic fixture token so assertions can compare against it directly.
     self.token = 'a' * 32
class TestCsrfMiddleware(django.test.TestCase):
    """Drive ``CsrfMiddleware`` directly with ``RequestFactory`` requests.

    The tests bypass the full client/middleware stack, so attributes that
    other middleware would normally attach (``session``, ``user``,
    ``csrf_token``) are supplied by hand wherever a test depends on them.
    """

    def setUp(self):
        """Create a fixed 32-character token, a request factory and the middleware."""
        # Deterministic fixture token; real tokens are issued by the middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Invoke the middleware's view hook with no view args or kwargs."""
        return self.mw.process_view(request, view, None, None)

    def _assert_forbidden(self, request, view=None):
        """Assert the view hook rejects *request* with an HTTP 403 response."""
        response = self.process_view(request, view)
        self.assertEqual(403, response.status_code)

    def _assert_allowed(self, request, view=None):
        """Assert the view hook lets *request* through (returns ``None``)."""
        self.assertIsNone(self.process_view(request, view))

    def test_anon_token_from_cookie(self):
        """A token presented in the ``anoncsrf`` cookie is resolved through the cache."""
        factory = django.test.RequestFactory()
        factory.cookies['anoncsrf'] = self.token
        # The cached value, not the raw cookie, is what lands on the request.
        cache.set(prep_key(self.token), 'woo')
        request = factory.get('/')
        # Attach the session and user that the real middleware stack would add.
        SessionMiddleware().process_request(request)
        AuthenticationMiddleware().process_request(request)
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_set_csrftoken_once(self):
        """``process_request`` must not overwrite an already-set ``csrf_token``."""
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_reject_view(self):
        """An unprotected POST is answered with a 403 by the reject view."""
        self._assert_forbidden(self.rf.post('/'))

    def test_csrf_exempt(self):
        """A view flagged ``csrf_exempt`` (what ``@csrf_exempt`` sets) is not checked."""
        class _ExemptView(object):
            csrf_exempt = True

        self._assert_allowed(self.rf.post('/'), _ExemptView())

    def test_safe_whitelist(self):
        """GET, HEAD and OPTIONS are never CSRF-checked.

        This is only safe while views keep those methods free of side
        effects, which is the assumption the whitelist rests on.
        """
        for method in ('get', 'head', 'options'):
            self._assert_allowed(getattr(self.rf, method)('/'))

    def test_unsafe_methods(self):
        """POST, PUT and DELETE are all checked, not just POST."""
        for method in ('post', 'put', 'delete'):
            self._assert_forbidden(getattr(self.rf, method)('/'))

    def test_csrfmiddlewaretoken(self):
        """A form token alone is rejected; it must match the request's ``csrf_token``."""
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No ``csrf_token`` on the request yet: nothing to compare against.
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_x_csrftoken(self):
        """The ``X-CSRFTOKEN`` header is an accepted carrier for the request token."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_require_request_token_or_user_token(self):
        """Two empty tokens must not compare equal: an empty pair is still a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_token_no_match(self):
        """A request token that differs from the request's ``csrf_token`` yields a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_csrf_token_context_processor(self):
        """The request's ``csrf_token`` is exposed to templates under ``csrf_token``."""
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        for processor in context.get_standard_processors():
            ctx.update(processor(request))
        self.assertEqual(self.token, ctx['csrf_token'])
class TestCsrfMiddleware(django.test.TestCase):
    """Drive ``CsrfMiddleware`` directly with ``RequestFactory`` requests.

    The tests bypass the full client/middleware stack, so attributes that
    other middleware would normally attach (``session``, ``user``,
    ``csrf_token``) are supplied by hand wherever a test depends on them.
    """

    def setUp(self):
        """Create a fixed 32-character token, a request factory and the middleware."""
        # Deterministic fixture token; real tokens are issued by the middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Invoke the middleware's view hook with no view args or kwargs."""
        return self.mw.process_view(request, view, None, None)

    def _assert_forbidden(self, request, view=None):
        """Assert the view hook rejects *request* with an HTTP 403 response."""
        response = self.process_view(request, view)
        self.assertEqual(403, response.status_code)

    def _assert_allowed(self, request, view=None):
        """Assert the view hook lets *request* through (returns ``None``)."""
        self.assertIsNone(self.process_view(request, view))

    def test_anon_token_from_cookie(self):
        """A token presented in the ``anoncsrf`` cookie is resolved through the cache."""
        factory = django.test.RequestFactory()
        factory.cookies['anoncsrf'] = self.token
        # The cached value, not the raw cookie, is what lands on the request.
        cache.set(prep_key(self.token), 'woo')
        request = factory.get('/')
        # Attach the session and user that the real middleware stack would add.
        SessionMiddleware().process_request(request)
        AuthenticationMiddleware().process_request(request)
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_set_csrftoken_once(self):
        """``process_request`` must not overwrite an already-set ``csrf_token``."""
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_reject_view(self):
        """An unprotected POST is answered with a 403 by the reject view."""
        self._assert_forbidden(self.rf.post('/'))

    def test_csrf_exempt(self):
        """A view flagged ``csrf_exempt`` (what ``@csrf_exempt`` sets) is not checked."""
        # A plain class works the same on Python 2 and 3; no need for the
        # ``type(str(""), ...)`` dance to get a native-str class name.
        class _ExemptView(object):
            csrf_exempt = True

        self._assert_allowed(self.rf.post('/'), _ExemptView())

    def test_safe_whitelist(self):
        """GET, HEAD and OPTIONS are never CSRF-checked.

        This is only safe while views keep those methods free of side
        effects, which is the assumption the whitelist rests on.
        """
        for method in ('get', 'head', 'options'):
            self._assert_allowed(getattr(self.rf, method)('/'))

    def test_unsafe_methods(self):
        """POST, PUT and DELETE are all checked, not just POST."""
        for method in ('post', 'put', 'delete'):
            self._assert_forbidden(getattr(self.rf, method)('/'))

    def test_csrfmiddlewaretoken(self):
        """A form token alone is rejected; it must match the request's ``csrf_token``."""
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No ``csrf_token`` on the request yet: nothing to compare against.
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_x_csrftoken(self):
        """The ``X-CSRFTOKEN`` header is an accepted carrier for the request token."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_require_request_token_or_user_token(self):
        """Two empty tokens must not compare equal: an empty pair is still a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_token_no_match(self):
        """A request token that differs from the request's ``csrf_token`` yields a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_csrf_token_context_processor(self):
        """The request's ``csrf_token`` is exposed to templates under ``csrf_token``."""
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        for processor in get_context_processors():
            ctx.update(processor(request))
        self.assertEqual(self.token, ctx['csrf_token'])

    def test_process_view_without_authentication_middleware(self):
        """``process_request`` tolerates a request that has no ``user`` attribute.

        That is exactly the state of a request when the built-in
        AuthenticationMiddleware is not installed.
        """
        request = self.rf.get('/')
        self.assertIsNone(self.mw.process_request(request))
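class TestCsrfMiddleware(django.test.TestCase):
    """Drive ``CsrfMiddleware`` directly with ``RequestFactory`` requests.

    The tests bypass the full client/middleware stack, so attributes that
    other middleware would normally attach (``session``, ``csrf_token``)
    are set by hand wherever a test depends on them.
    """

    def setUp(self):
        """Create a fixed 32-character token, a request factory and the middleware."""
        # Deterministic fixture token; real tokens are issued by the middleware.
        self.token = 'a' * 32
        self.rf = django.test.RequestFactory()
        self.mw = CsrfMiddleware()

    def process_view(self, request, view=None):
        """Invoke the middleware's view hook with no view args or kwargs."""
        return self.mw.process_view(request, view, None, None)

    def _assert_forbidden(self, request, view=None):
        """Assert the view hook rejects *request* with an HTTP 403 response."""
        response = self.process_view(request, view)
        self.assertEqual(403, response.status_code)

    def _assert_allowed(self, request, view=None):
        """Assert the view hook lets *request* through (returns ``None``)."""
        self.assertIsNone(self.process_view(request, view))

    def test_anon_token_from_cookie(self):
        """A token presented in the ``anoncsrf`` cookie is resolved through the cache."""
        factory = django.test.RequestFactory()
        factory.cookies['anoncsrf'] = self.token
        # The cached value, not the raw cookie, is what lands on the request.
        # NOTE(review): the bare token is used as the cache key here, with
        # no namespace prefix — confirm that matches the middleware's lookup.
        cache.set(self.token, 'woo')
        request = factory.get('/')
        request.session = {}
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_set_csrftoken_once(self):
        """``process_request`` must not overwrite an already-set ``csrf_token``."""
        request = self.rf.get('/')
        request.csrf_token = 'woo'
        self.mw.process_request(request)
        self.assertEqual('woo', request.csrf_token)

    def test_reject_view(self):
        """An unprotected POST is answered with a 403 by the reject view."""
        self._assert_forbidden(self.rf.post('/'))

    def test_csrf_exempt(self):
        """A view carrying ``csrf_exempt = True`` (what ``@csrf_exempt`` sets) is skipped.

        The marker is a real ``True`` on an instance. The previous
        ``namedtuple('_', 'csrf_exempt')`` passed a *class*, whose
        ``csrf_exempt`` attribute is merely a truthy descriptor, so the
        test could pass without proving the decorator's contract is honoured.
        """
        class _ExemptView(object):
            csrf_exempt = True

        self._assert_allowed(self.rf.post('/'), _ExemptView())

    def test_only_check_post(self):
        """CSRF should only get checked on POST requests; a GET passes untouched."""
        self._assert_allowed(self.rf.get('/'))

    def test_csrfmiddlewaretoken(self):
        """A form token alone is rejected; it must match the request's ``csrf_token``."""
        request = self.rf.post('/', {'csrfmiddlewaretoken': self.token})
        # No ``csrf_token`` on the request yet: nothing to compare against.
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_x_csrftoken(self):
        """The ``X-CSRFTOKEN`` header is an accepted carrier for the request token."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN=self.token)
        self._assert_forbidden(request)

        request.csrf_token = self.token
        self._assert_allowed(request)

    def test_require_request_token_or_user_token(self):
        """Two empty tokens must not compare equal: an empty pair is still a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_token_no_match(self):
        """A request token that differs from the request's ``csrf_token`` yields a 403."""
        request = self.rf.post('/', HTTP_X_CSRFTOKEN='woo')
        request.csrf_token = ''
        self._assert_forbidden(request)

    def test_csrf_token_context_processor(self):
        """The request's ``csrf_token`` is exposed to templates under ``csrf_token``."""
        request = mock.Mock()
        request.csrf_token = self.token
        request.groups = []
        ctx = {}
        for processor in context.get_standard_processors():
            ctx.update(processor(request))
        self.assertEqual(self.token, ctx['csrf_token'])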