Fixed #13716 - the CSRF get_token function stopped working for views …

…with csrf_view_exempt

This was a regression caused by the CSRF changes in 1.2.

Thanks to edevil for the report.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit ac8b7ff02133f3d9112574e3660fd5ad042bc751 1 parent 21a690f
Luke Plant authored
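--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@@ -62,9 +62,6 @@ class CsrfViewMiddleware(object):
     tag.
     """
     def process_view(self, request, callback, callback_args, callback_kwargs):
-        if getattr(callback, 'csrf_exempt', False):
-            return None
-
         if getattr(request, 'csrf_processing_done', False):
             return None
 
@@ -90,6 +87,11 @@ def accept():
             # place of a CSRF cookie for this request only.
             cookie_is_new = True
 
+        # Wait until request.META["CSRF_COOKIE"] has been manipulated before
+        # bailing out, so that get_token still works
+        if getattr(callback, 'csrf_exempt', False):
+            return None
+
         if request.method == 'POST':
             if getattr(request, '_dont_enforce_csrf_checks', False):
                 # Mechanism to turn off CSRF checks for test suite.  It comes after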
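Review bot: The relocated `csrf_exempt` check in `process_view` is now order-dependent in both directions, but the new comment documents only one of them. It must run after `request.META["CSRF_COOKIE"]` is populated, as the comment says, and it must also stay ahead of the `if request.method == 'POST':` enforcement block, or exempt views would start being rejected. I would extend the comment with a line such as `# Must stay above the POST checks below, which exempt views are meant to skip.` Exempt views also now pass through the cookie set-up path, which looks intended given the accompanying tests but is worth a sentence in the method docstring. The body of `process_view` starts and continues outside these hunks.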
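--- a/tests/regressiontests/csrf_tests/tests.py
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -3,7 +3,7 @@
 from django.test import TestCase
 from django.http import HttpRequest, HttpResponse
 from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt
 from django.core.context_processors import csrf
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.utils.importlib import import_module
@@ -123,6 +123,23 @@ def test_process_response_no_csrf_cookie(self):
         # Check the Vary header got patched correctly
         self.assert_('Cookie' in resp2.get('Vary',''))
 
+    def test_process_response_for_exempt_view(self):
+        """
+        Check that a view decorated with 'csrf_view_exempt' is still
+        post-processed to add the CSRF token.
+        """
+        req = self._get_GET_no_csrf_cookie_request()
+        CsrfMiddleware().process_view(req, csrf_view_exempt(post_form_view), (), {})
+
+        resp = post_form_response()
+        resp_content = resp.content # needed because process_response modifies resp
+        resp2 = CsrfMiddleware().process_response(req, resp)
+
+        csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
+        self.assertNotEqual(csrf_cookie, False)
+        self.assertNotEqual(resp_content, resp2.content)
+        self._check_token_present(resp2, csrf_cookie.value)
+
     def test_process_response_no_csrf_cookie_view_only_get_token_used(self):
         """
         When no prior CSRF cookie exists, check that the cookie is created, even
@@ -279,6 +296,15 @@ def test_token_node_with_csrf_cookie(self):
         resp = token_view(req)
         self._check_token_present(resp)
 
+    def test_get_token_for_exempt_view(self):
+        """
+        Check that get_token still works for a view decorated with 'csrf_view_exempt'.
+        """
+        req = self._get_GET_csrf_cookie_request()
+        CsrfViewMiddleware().process_view(req, csrf_view_exempt(token_view), (), {})
+        resp = token_view(req)
+        self._check_token_present(resp)
+
     def test_token_node_with_new_csrf_cookie(self):
         """
         Check that CsrfTokenNode works when a CSRF cookie is created by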
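Review bot: Both new tests drive `process_view` with GET requests only, so nothing added here pins the property that moving the check in `csrf.py` puts at risk: a POST to a `csrf_view_exempt` view must still pass without a token. Unless that is already covered elsewhere in this file (not visible in these hunks), I would add a test asserting `self.assertEqual(None, CsrfViewMiddleware().process_view(req, csrf_view_exempt(post_form_view), (), {}))` for a POST request that carries no CSRF cookie or token. `test_get_token_for_exempt_view` also starts from a request that already has a cookie. Within these hunks, the no-cookie path for an exempt view is only exercised through `CsrfMiddleware` in `test_process_response_for_exempt_view`.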
