Merge pull request #12 from davepeck/processview

Use process_view and check for csrf_exempt views
lpomfrey · Feb 5, 2015 · 12b960c · 12b960c
2 parents b12627f + 8281d0d
commit 12b960c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 11 deletions.
diff --git a/debreach/middleware.py b/debreach/middleware.py
@@ -20,7 +20,9 @@ def _decode(self, token):
         key, value = force_bytes(token, encoding='latin-1').split(b'$', 1)
         return force_text(xor(b64_decode(value), key), encoding='latin-1')
 
-    def process_request(self, request):
+    def process_view(self, request, view, view_args, view_kwargs):
+        if getattr(view, 'csrf_exempt', False):
+            return None
         if request.POST.get('csrfmiddlewaretoken') \
                 and '$' in request.POST.get('csrfmiddlewaretoken'):
             try:

diff --git a/debreach/tests.py b/debreach/tests.py
@@ -10,6 +10,7 @@
 from django.test import TestCase
 from django.test.client import RequestFactory
 from django.utils.unittest import skipUnless
+from django.views.decorators.csrf import csrf_exempt
 
 from debreach.compat import force_text, get_random_string
 from debreach.context_processors import csrf
@@ -24,12 +25,16 @@
     chr = unichr
 
 
+def test_view(request):
+    return HttpResponse()
+
+
 class TestCSRFCryptMiddleware(TestCase):
 
     def test_not_encoded(self):
         request = RequestFactory().post('/', {'csrfmiddlewaretoken': 'abc123'})
         middleware = CSRFCryptMiddleware()
-        middleware.process_request(request)
+        middleware.process_view(request, test_view, (), {})
         self.assertEqual(request.POST.get('csrfmiddlewaretoken'), 'abc123')
 
     def test_encoded(self):
@@ -38,7 +43,7 @@ def test_encoded(self):
             {'csrfmiddlewaretoken': 'aBcDeF$ACAAdVd1'}
         )
         middleware = CSRFCryptMiddleware()
-        middleware.process_request(request)
+        middleware.process_view(request, test_view, (), {})
         self.assertEqual(request.POST.get('csrfmiddlewaretoken'), 'abc123')
 
     def test_mutable_status(self):
@@ -48,43 +53,51 @@ def test_mutable_status(self):
         )
         request.POST._mutable = False
         middleware = CSRFCryptMiddleware()
-        middleware.process_request(request)
+        middleware.process_view(request, test_view, (), {})
         self.assertFalse(request.POST._mutable)
         request = RequestFactory().post(
             '/',
             {'csrfmiddlewaretoken': 'aBcDeF$ACAAdVd1'}
         )
         request.POST._mutable = True
         middleware = CSRFCryptMiddleware()
-        middleware.process_request(request)
+        middleware.process_view(request, test_view, (), {})
         self.assertTrue(request.POST._mutable)
 
     def test_header_not_encoded(self):
         request = RequestFactory().post('/', HTTP_X_CSRFTOKEN='abc123')
         middleware = CSRFCryptMiddleware()
-        middleware.process_request(request)
+        middleware.process_view(request, test_view, (), {})
         self.assertEqual(request.META.get('HTTP_X_CSRFTOKEN'), 'abc123')
 
     def test_header_encoded(self):
         request = RequestFactory().post(
             '/', HTTP_X_CSRFTOKEN='aBcDeF$ACAAdVd1',
         )
         middleware = CSRFCryptMiddleware()
-        middleware.process_request(request)
+        middleware.process_view(request, test_view, (), {})
         self.assertEqual(request.META.get('HTTP_X_CSRFTOKEN'), 'abc123')
 
     def test_tampering(self):
         request = RequestFactory().post(
             '/', {'csrfmiddlewaretoken': '123456$abc'})
         middleware = CSRFCryptMiddleware()
         with self.assertRaises(SuspiciousOperation):
-            middleware.process_request(request)
+            middleware.process_view(request, test_view, (), {})
 
     def test_header_tampering(self):
         request = RequestFactory().post('/', HTTP_X_CSRFTOKEN='123456$abc')
         middleware = CSRFCryptMiddleware()
         with self.assertRaises(SuspiciousOperation):
-            middleware.process_request(request)
+            middleware.process_view(request, test_view, (), {})
+
+    def test_csrf_exempt(self):
+        # This is an odd test. We're testing that, when a view is csrf_exempt,
+        # process_view will bail without performing any processing.
+        request = RequestFactory().post('/', HTTP_X_CSRFTOKEN="aB$AHM")
+        middleware = CSRFCryptMiddleware()
+        middleware.process_view(request, csrf_exempt(test_view), (), {})
+        self.assertEqual("aB$AHM", request.META['HTTP_X_CSRFTOKEN'])
 
 
 class TestRandomCommentMiddleware(TestCase):
@@ -260,7 +273,7 @@ def test_round_trip_loop(self):
             request = RequestFactory().post(
                 '/', {'csrfmiddlewaretoken': token})
             middleware = CSRFCryptMiddleware()
-            middleware.process_request(request)
+            middleware.process_view(request, test_view, (), {})
             self.assertEqual(
                 force_text(request.POST.get('csrfmiddlewaretoken')),
                 force_text(csrf_token)
@@ -281,7 +294,7 @@ def test_round_trip_loop_header(self):
                 HTTP_X_REQUESTED_WITH='XMLHttpRequest'
             )
             middleware = CSRFCryptMiddleware()
-            middleware.process_request(request)
+            middleware.process_view(request, test_view, (), {})
             self.assertEqual(
                 force_text(request.META.get('HTTP_X_CSRFTOKEN')),
                 force_text(csrf_token)