-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make compatible with Django 1.10 #30
Conversation
A couple of things:
|
11097ec
to
3dd5fd7
Compare
Hi @moggers87 |
|
0332902
to
65af05c
Compare
thanks for the pointer, turned out there were quite a few changes required but it should all be backwards compatible for Django 1.8 and 1.9 @moggers87 let me know if you need any other modifications in order to merge this |
I've been testing my branch with our project and it's working fine. Let me know if you find any other issues that are preventing this PR from being merged. |
I confirm that this is working and a csrf string gets generated. Django made changes in the first place to fight BREACH type attacks and added salt encrypt of each request to do so. See Django's Ticket and Git Commit. The changes here don't take into account that but I'm not sure if that's required given the different approach session-csrf takes. Even if we need to implement salting probably we shouldn't block this pull request. @moggers87 can you please take another look now that the tests pass? edited to update GitHub link |
Visual inspection looks good. With regard to BREACH, we already use functions from Django to produce our tokens. In theory all this package does is change token storage from a cookie to the session. |
Indeed but Django is handling differently the tokens now to fight BREACH. Instead of just generating tokens -with the same function we use- it's also salting and unsalting tokens -with a function that we don't use-. django/django@5112e65#diff-a3be722ce2831a8d11438021d44cedf1R91 |
I think that would be better tackled in a separate issue - would be nice to vender in a copy of those functions for 1.8 and 1.9 users. |
Agreed this can be part of another PR. Filed ticket #32 to track this. |
So this breaks support for Django <= 1.7. I'm fine with that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just putting in some question marks here. If @glogiotatidis thinks this is good enough I'm all for merging it.
Don't forget to update the setup.py version too.
- DJANGO="Django==1.9.4" | ||
- DJANGO="Django==1.8.14" | ||
- DJANGO="Django==1.9.9" | ||
- DJANGO="Django==1.10.1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these still the latest and greatest for each?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
try: | ||
from django.middleware.csrf import _get_new_csrf_key as django_get_new_csrf_string | ||
except ImportError: | ||
from django.middleware.csrf import _get_new_csrf_string as django_get_new_csrf_string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there really no public function available in django.middleware.csrf
to get a token string out?!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just had another look at nothing there as far as I can tell
if DJANGO_VERSION < (1, 10, 0): | ||
return request.user.is_authenticated() | ||
else: | ||
return request.user.is_authenticated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Smart!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
else: | ||
return request.user.is_authenticated | ||
|
||
class CsrfMiddleware(deprecation.MiddlewareMixin if DJANGO_VERSION >= (1, 10, 0) else object): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm actually not familiar with what deprecation.MiddlewareMixin
but I feel like this class definition now deserves a comment that explains why we do what we do here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a comment
…_new_csrf_string, use Middleware Deprecation Mixin, fix urlpatterns
Hurray! I'll push a release to pypi |
There https://pypi.python.org/pypi/django-session-csrf/0.7.0 Please test it. If it works, I'll tweet about it. Also, @glogiotatidis we need to update your PR to up this in the requirements. |
Great stuff, thanks all! |
replace
_get_new_csrf_key
with_get_new_csrf_string