
Removed Django 1.2 compatibility fallback for form wizard hash

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15951 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit fa4bbfcbfb4f693955f653bd06f384dd786e3c93 1 parent 25aaa35
@spookylukey spookylukey authored
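--- a/django/contrib/formtools/tests/__init__.py
+++ b/django/contrib/formtools/tests/__init__.py
@@ -249,14 +249,6 @@ def done(self, request, cleaned_data):
 return http.HttpResponse(success_string)
-class UserSecuredWizardClass(WizardClass):
- """
- Wizard with a custum security_hash method
- """
- def security_hash(self, request, form):
- return "123"
-
-
 class DummyRequest(http.HttpRequest):
 def __init__(self, POST=None):
@@ -310,36 +302,7 @@ def test_bad_hash(self):
 "wizard_step": "1"})
 self.assertEqual(0, response.context['step0'])
- def test_good_hash_django12(self):
- """
- Form should advance if the hash is present and good, as calculated using
- django 1.2 method.
- """
- # We are hard-coding a hash value here, but that is OK, since we want to
- # ensure that we don't accidentally change the algorithm.
- data = {"0-field": "test",
- "1-field": "test2",
- "hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
- "wizard_step": "1"}
- response = self.client.post('/wizard/', data)
- self.assertEqual(2, response.context['step0'])
-
- def test_good_hash_django12_subclass(self):
- """
- The Django 1.2 method of calulating hashes should *not* be used as a
- fallback if the FormWizard subclass has provided their own method
- of calculating a hash.
- """
- # We are hard-coding a hash value here, but that is OK, since we want to
- # ensure that we don't accidentally change the algorithm.
- data = {"0-field": "test",
- "1-field": "test2",
- "hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
- "wizard_step": "1"}
- response = self.client.post('/wizard2/', data)
- self.assertEqual(0, response.context['step0'])
-
- def test_good_hash_current(self):
+ def test_good_hash(self):
 """
 Form should advance if the hash is present and good, as calculated using
 current method.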
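--- a/django/contrib/formtools/tests/urls.py
+++ b/django/contrib/formtools/tests/urls.py
@@ -11,7 +11,4 @@
 (r'^wizard/$', WizardClass([WizardPageOneForm,
 WizardPageTwoForm,
 WizardPageThreeForm])),
- (r'^wizard2/$', UserSecuredWizardClass([WizardPageOneForm,
- WizardPageTwoForm,
- WizardPageThreeForm]))
 )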
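--- a/django/contrib/formtools/wizard.py
+++ b/django/contrib/formtools/wizard.py
@@ -11,7 +11,7 @@
 from django import forms
 from django.conf import settings
-from django.contrib.formtools.utils import security_hash, form_hmac
+from django.contrib.formtools.utils import form_hmac
 from django.http import Http404
 from django.shortcuts import render_to_response
 from django.template.context import RequestContext
@@ -58,24 +58,7 @@ def num_steps(self):
 def _check_security_hash(self, token, request, form):
 expected = self.security_hash(request, form)
- if constant_time_compare(token, expected):
- return True
- else:
- # Fall back to Django 1.2 method, for compatibility with forms that
- # are in the middle of being used when the upgrade occurs. However,
- # we don't want to do this fallback if a subclass has provided their
- # own security_hash method - because they might have implemented a
- # more secure method, and this would punch a hole in that.
-
- # PendingDeprecationWarning <- left here to remind us that this
- # compatibility fallback should be removed in Django 1.5
- FormWizard_expected = FormWizard.security_hash(self, request, form)
- if expected == FormWizard_expected:
- # They didn't override security_hash, do the fallback:
- old_expected = security_hash(request, form)
- return constant_time_compare(token, old_expected)
- else:
- return False
+ return constant_time_compare(token, expected)
 @method_decorator(csrf_protect)
 def __call__(self, request, *args, **kwargs):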
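Review bot: `_check_security_hash` has no docstring in the hunk, and with the fallback comment gone nothing visible states what the check guarantees. A one-line docstring would keep the contract next to the code, e.g. `"""Return True if token equals self.security_hash(request, form), compared in constant time."""`. Separately, this commit also removes `UserSecuredWizardClass` and the `/wizard2/` route from the tests, so no visible test still exercises a subclass that overrides `security_hash`; a small test that such an override is the value compared here would guard that path against regressions. The method is complete within the hunk; `__call__` below it continues outside.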