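 def test_process_response_non_html(self):
     """
     Check that the post-processor leaves non-HTML responses untouched.

     The CSRF token is only injected into content-types listed in
     ``_HTML_TYPES``; anything else must pass through ``process_response``
     byte-for-byte so that e.g. JSON or binary bodies are never corrupted.
     """
     req = self._get_GET_no_csrf_cookie_request()
     CsrfMiddleware().process_view(req, post_form_view, (), {})
     resp = post_form_response_non_html()
     # Snapshot the body first: process_response may modify ``resp`` in place.
     original_body = resp.content
     processed = CsrfMiddleware().process_response(req, resp)
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias
     # (removed in recent Python releases).
     self.assertEqual(original_body, processed.content)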
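    def test_process_response_exempt_view(self):
        """
        Check that a ``csrf_exempt`` view receives no response post-processing.

        A view wrapped in ``csrf_exempt`` opts out of CSRF handling entirely,
        so ``process_response`` must return its body unchanged (no token
        injected) even though the request carries a CSRF cookie.
        """
        req = self._get_GET_csrf_cookie_request()
        exempt_view = csrf_exempt(post_form_view)
        CsrfMiddleware().process_view(req, exempt_view, (), {})

        resp = exempt_view(req)
        # Capture before the call: process_response may mutate ``resp`` in place.
        original_body = resp.content
        processed = CsrfMiddleware().process_response(req, resp)
        # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
        self.assertEqual(original_body, processed.content)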
    def test_process_response_existing_csrf_cookie(self):
        """
        Check that the token is injected when the request already carries a
        CSRF cookie.

        The processed body must differ from the original (a token was added)
        and the helper must locate that token in the processed response.
        """
        req = self._get_GET_csrf_cookie_request()
        CsrfMiddleware().process_view(req, post_form_view, (), {})

        resp = post_form_response()
        # Snapshot first: process_response may rewrite ``resp`` in place.
        original_body = resp.content
        processed = CsrfMiddleware().process_response(req, resp)

        self.assertNotEqual(original_body, processed.content)
        self._check_token_present(processed)
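 def test_process_request_csrf_cookie_and_token(self):
     """
     Check that a POST carrying both the CSRF cookie and a matching token
     is accepted.

     ``process_view`` returning ``None`` means "continue to the view"; any
     other return value would be a rejection response.
     """
     req = self._get_POST_request_with_token()
     outcome = CsrfMiddleware().process_view(req, post_form_view, (), {})
     # None == "let the request through"; a 403 response would mean rejection.
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
     self.assertEqual(None, outcome)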
    def test_process_response_for_exempt_view(self):
        """
        Check that ``csrf_view_exempt`` only skips the *request* check.

        Unlike ``csrf_exempt``, a view wrapped in ``csrf_view_exempt`` still
        gets the response post-processing: a CSRF cookie is set and the token
        is inserted, so forms rendered by such a view keep working against
        protected endpoints.
        """
        req = self._get_GET_no_csrf_cookie_request()
        view = csrf_view_exempt(post_form_view)
        CsrfMiddleware().process_view(req, view, (), {})

        resp = post_form_response()
        # Capture the body first: process_response may mutate ``resp`` in place.
        original_body = resp.content
        processed = CsrfMiddleware().process_response(req, resp)

        # The cookie must have been created, since the request carried none.
        cookie = processed.cookies.get(settings.CSRF_COOKIE_NAME, False)
        self.assertNotEqual(cookie, False)
        # ...and the body must have been rewritten with that cookie's token.
        self.assertNotEqual(original_body, processed.content)
        self._check_token_present(processed, cookie.value)
 def test_response_middleware_without_view_middleware(self):
     """
     Check that response processing tolerates a skipped view phase.

     When a request middleware short-circuits and returns a response,
     ``process_view`` is never called; ``process_response`` must still run
     without raising.  The test passes as long as no exception propagates.
     """
     req = self._get_GET_no_csrf_cookie_request()
     resp = post_form_view(req)
     # Deliberately no process_view call here -- that is the condition
     # under test.  Only the absence of an exception is asserted.
     CsrfMiddleware().process_response(req, resp)
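 def test_csrf_token_in_header(self):
     """
     Check that the token can be supplied via the ``X-CSRFToken`` header.

     The request already carries the CSRF cookie; the token is sent in
     ``HTTP_X_CSRFTOKEN`` instead of a form field and must be accepted
     (``process_view`` returns ``None``).
     """
     req = self._get_POST_csrf_cookie_request()
     # Header-based token, as a JavaScript client would send it.
     req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
     outcome = CsrfMiddleware().process_view(req, post_form_view, (), {})
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
     self.assertEqual(None, outcome)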
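 def test_process_request_session_cookie_no_csrf_cookie_no_token(self):
     """
     Check that a session cookie alone does not satisfy the CSRF check.

     With a session cookie present but neither a CSRF cookie nor a token,
     the POST must be rejected with a 403 response.
     """
     req = self._get_POST_session_request_no_token()
     rejection = CsrfMiddleware().process_view(req, post_form_view, (), {})
     # A non-None return is the rejection response; pin its status code.
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
     self.assertEqual(403, rejection.status_code)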
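 def test_process_request_csrf_cookie_no_token(self):
     """
     Check that a CSRF cookie without a matching token is rejected.

     The cookie only proves the browser has been issued a secret; the
     request must additionally present the token, otherwise a cross-site
     form post (which carries cookies but cannot read them) would pass.
     """
     req = self._get_POST_csrf_cookie_request()
     rejection = CsrfMiddleware().process_view(req, post_form_view, (), {})
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
     self.assertEqual(403, rejection.status_code)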
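 def test_process_request_no_session_no_csrf_cookie(self):
     """
     Check that a POST with neither a CSRF cookie nor a session cookie is
     rejected.

     Rejecting here is what protects pre-authentication forms such as login
     (so-called login CSRF): there is no session yet, so the CSRF cookie is
     the only thing tying the form submission to this browser.
     """
     req = self._get_POST_no_csrf_cookie_request()
     rejection = CsrfMiddleware().process_view(req, post_form_view, (), {})
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
     self.assertEqual(403, rejection.status_code)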
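 def test_ajax_exemption(self):
     """
     Check that requests marked ``X-Requested-With: XMLHttpRequest`` skip
     the CSRF token check.

     NOTE(review): this exemption trusts a client-controlled header.  It is
     only sound while browsers prevent cross-origin code from attaching
     custom headers; later Django releases are understood to have dropped
     the AJAX exemption for that reason -- confirm it is still intended
     behaviour for the version under test.
     """
     req = self._get_POST_csrf_cookie_request()
     # Cookie present, no token: this would be a 403 without the exemption.
     req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
     outcome = CsrfMiddleware().process_view(req, post_form_view, (), {})
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
     self.assertEqual(None, outcome)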
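 def test_process_request_csrf_cookie_no_token_exempt_view(self):
     """
     Check that ``csrf_exempt`` bypasses the token check.

     The same cookie-but-no-token request that is rejected for an ordinary
     view must be let through (``process_view`` returns ``None``) once the
     view is wrapped in ``csrf_exempt``.
     """
     req = self._get_POST_csrf_cookie_request()
     exempt_view = csrf_exempt(post_form_view)
     outcome = CsrfMiddleware().process_view(req, exempt_view, (), {})
     # ``assertEqual`` rather than the deprecated ``assertEquals`` alias.
     self.assertEqual(None, outcome)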
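    def test_process_response_no_csrf_cookie(self):
        """
        Check that, with no prior CSRF cookie, the response both sets the
        cookie and carries a token derived from it.

        Also verifies the ``Vary: Cookie`` header is patched in, so shared
        caches key on the cookie and do not serve one client's token-bearing
        page to another.
        """
        req = self._get_GET_no_csrf_cookie_request()
        CsrfMiddleware().process_view(req, post_form_view, (), {})

        resp = post_form_response()
        # Snapshot first: process_response may rewrite ``resp`` in place.
        original_body = resp.content
        processed = CsrfMiddleware().process_response(req, resp)

        # Cookie must have been created since the request carried none.
        cookie = processed.cookies.get(settings.CSRF_COOKIE_NAME, False)
        self.assertNotEqual(cookie, False)
        # ...and the body must now embed the token for that cookie.
        self.assertNotEqual(original_body, processed.content)
        self._check_token_present(processed, cookie.value)
        # ``assertTrue`` rather than the deprecated ``assert_`` alias.
        self.assertTrue('Cookie' in processed.get('Vary', ''))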
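    def test_process_response_no_csrf_cookie(self):
        """
        Check that, with no prior CSRF cookie, the response both sets the
        cookie and carries a token derived from it.

        Also verifies the ``Vary: Cookie`` header is patched in, so shared
        caches key on the cookie and do not serve one client's token-bearing
        page to another.
        """
        req = self._get_GET_no_csrf_cookie_request()
        CsrfMiddleware().process_view(req, post_form_view, (), {})

        resp = post_form_response()
        # Snapshot first: process_response may rewrite ``resp`` in place.
        original_body = resp.content
        processed = CsrfMiddleware().process_response(req, resp)

        # Cookie must have been created since the request carried none.
        cookie = processed.cookies.get(settings.CSRF_COOKIE_NAME, False)
        self.assertNotEqual(cookie, False)
        # ...and the body must now embed the token for that cookie.
        self.assertNotEqual(original_body, processed.content)
        self._check_token_present(processed, cookie.value)
        # ``assertTrue`` rather than the deprecated ``assert_`` alias.
        self.assertTrue('Cookie' in processed.get('Vary', ''))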
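 def test_process_request_session_cookie_no_csrf_cookie_token(self):
     """
     Check the legacy path: a session cookie standing in for the CSRF cookie.

     With no CSRF cookie but an existing session, a token computed from the
     session cookie must be accepted.  The token depends on ``SECRET_KEY``,
     so the test swaps in the key the fixture token was generated with and
     restores the original in ``finally`` so a failure here cannot leak the
     test key into later tests.
     """
     saved_secret_key = settings.SECRET_KEY
     settings.SECRET_KEY = self._secret_key_for_session_test
     try:
         req = self._get_POST_session_request_with_token()
         outcome = CsrfMiddleware().process_view(req, post_form_view, (), {})
         # None == accepted; ``assertEqual`` replaces deprecated ``assertEquals``.
         self.assertEqual(None, outcome)
     finally:
         settings.SECRET_KEY = saved_secret_key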