Make compatible with Django 1.10 #30
Conversation
|
A couple of things:
|
pcraston
force-pushed
the
master
branch
5 times, most recently
from
11097ec
to
3dd5fd7
Compare
|
Hi @moggers87 |
|
|
pcraston
force-pushed
the
master
branch
3 times, most recently
from
0332902
to
65af05c
Compare
|
thanks for the pointer, turned out there were quite a few changes required but it should all be backwards compatible for Django 1.8 and 1.9 @moggers87 let me know if you need any other modifications in order to merge this |
|
I've been testing my branch with our project and it's working fine. Let me know if you find any other issues that are preventing this PR from being merged. |
|
I confirm that this is working and a csrf string gets generated. Django made changes in the first place to fight BREACH type attacks and added salt encrypt of each request to do so. See Django's Ticket and Git Commit. The changes here don't take into account that but I'm not sure if that's required given the different approach session-csrf takes. Even if we need to implement salting probably we shouldn't block this pull request. @moggers87 can you please take another look now that the tests pass? edited to update GitHub link |
|
Visual inspection looks good. With regard to BREACH, we already use functions from Django to produce our tokens. In theory all this package does is change token storage from a cookie to the session. |
Indeed but Django is handling differently the tokens now to fight BREACH. Instead of just generating tokens -with the same function we use- it's also salting and unsalting tokens -with a function that we don't use-. django/django@5112e65#diff-a3be722ce2831a8d11438021d44cedf1R91 |
|
I think that would be better tackled in a separate issue - would be nice to vender in a copy of those functions for 1.8 and 1.9 users. |
|
Agreed this can be part of another PR. Filed ticket #32 to track this. |
|
So this breaks support for Django <= 1.7. I'm fine with that. |
There was a problem hiding this comment.
Just putting in some question marks here. If @glogiotatidis thinks this is good enough I'm all for merging it.
Don't forget to update the setup.py version too.
| - DJANGO="Django==1.9.4" | ||
| - DJANGO="Django==1.8.14" | ||
| - DJANGO="Django==1.9.9" | ||
| - DJANGO="Django==1.10.1" |
There was a problem hiding this comment.
Are these still the latest and greatest for each?
| try: | ||
| from django.middleware.csrf import _get_new_csrf_key as django_get_new_csrf_string | ||
| except ImportError: | ||
| from django.middleware.csrf import _get_new_csrf_string as django_get_new_csrf_string |
There was a problem hiding this comment.
Is there really no public function available in django.middleware.csrf to get a token string out?!
There was a problem hiding this comment.
Just had another look at nothing there as far as I can tell
| if DJANGO_VERSION < (1, 10, 0): | ||
| return request.user.is_authenticated() | ||
| else: | ||
| return request.user.is_authenticated |
| else: | ||
| return request.user.is_authenticated | ||
|
|
||
| class CsrfMiddleware(deprecation.MiddlewareMixin if DJANGO_VERSION >= (1, 10, 0) else object): |
There was a problem hiding this comment.
I'm actually not familiar with what deprecation.MiddlewareMixin but I feel like this class definition now deserves a comment that explains why we do what we do here.
There was a problem hiding this comment.
I've added a comment
…_new_csrf_string, use Middleware Deprecation Mixin, fix urlpatterns
|
Hurray! I'll push a release to pypi |
|
There https://pypi.python.org/pypi/django-session-csrf/0.7.0 Please test it. If it works, I'll tweet about it. Also, @glogiotatidis we need to update your PR to up this in the requirements. |
|
Great stuff, thanks all! |
replace
_get_new_csrf_keywith_get_new_csrf_string