Commit 2370a103 authored by Russell Keith-Magee's avatar Russell Keith-Magee

[1.2.X] Fixed #14156 -- Modified the way CSRF protection is applied to...

[1.2.X] Fixed #14156 -- Modified the way CSRF protection is applied to flatpages so that the flatpage middleware doesn't cause all POSTs resulting in 404s to turn into 403s. Thanks to patrys for the report.

Backport of r13641 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@13643 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 35411fd7
+32 −0
[
    {
        "pk": 1,
        "model": "flatpages.flatpage",
        "fields": {
            "registration_required": false,
            "title": "A Flatpage",
            "url": "/flatpage/",
            "template_name": "",
            "sites": [
                1
            ],
            "content": "Isn't it flat!",
            "enable_comments": false
        }
    },
    {
        "pk": 2,
        "model": "flatpages.flatpage",
        "fields": {
            "registration_required": true,
            "title": "Sekrit Flatpage",
            "url": "/sekrit/",
            "template_name": "",
            "sites": [
                1
            ],
            "content": "Isn't it sekrit!",
            "enable_comments": false
        }
    }
]
 No newline at end of file
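--- /dev/null
+++ b/django/contrib/flatpages/tests/__init__.py
@@ -0,0 +1,3 @@
+from django.contrib.flatpages.tests.csrf import *
+from django.contrib.flatpages.tests.middleware import *
+from django.contrib.flatpages.tests.views import *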
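--- /dev/null
+++ b/django/contrib/flatpages/tests/csrf.py
@@ -0,0 +1,70 @@
+import os
+from django.conf import settings
+from django.test import TestCase, Client
+
+class FlatpageCSRFTests(TestCase):
+    fixtures = ['sample_flatpages']
+    urls = 'django.contrib.flatpages.tests.urls'
+
+    def setUp(self):
+        self.client = Client(enforce_csrf_checks=True)
+        self.old_MIDDLEWARE_CLASSES = settings.MIDDLEWARE_CLASSES
+        flatpage_middleware_class = 'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware'
+        csrf_middleware_class = 'django.middleware.csrf.CsrfViewMiddleware'
+        if csrf_middleware_class not in settings.MIDDLEWARE_CLASSES:
+            settings.MIDDLEWARE_CLASSES += (csrf_middleware_class,)
+        if flatpage_middleware_class not in settings.MIDDLEWARE_CLASSES:
+            settings.MIDDLEWARE_CLASSES += (flatpage_middleware_class,)
+        self.old_TEMPLATE_DIRS = settings.TEMPLATE_DIRS
+        settings.TEMPLATE_DIRS = (
+            os.path.join(
+                os.path.dirname(__file__),
+                'templates'
+            ),
+        )
+
+    def tearDown(self):
+        settings.MIDDLEWARE_CLASSES = self.old_MIDDLEWARE_CLASSES
+        settings.TEMPLATE_DIRS = self.old_TEMPLATE_DIRS
+
+    def test_view_flatpage(self):
+        "A flatpage can be served through a view, even when the middleware is in use"
+        response = self.client.get('/flatpage_root/flatpage/')
+        self.assertEquals(response.status_code, 200)
+        self.assertContains(response, "<p>Isn't it flat!</p>")
+
+    def test_view_non_existent_flatpage(self):
+        "A non-existent flatpage raises 404 when served through a view, even when the middleware is in use"
+        response = self.client.get('/flatpage_root/no_such_flatpage/')
+        self.assertEquals(response.status_code, 404)
+
+    def test_view_authenticated_flatpage(self):
+        "A flatpage served through a view can require authentication"
+        response = self.client.get('/flatpage_root/sekrit/')
+        self.assertRedirects(response, '/accounts/login/?next=/flatpage_root/sekrit/')
+
+    def test_fallback_flatpage(self):
+        "A flatpage can be served by the fallback middlware"
+        response = self.client.get('/flatpage/')
+        self.assertEquals(response.status_code, 200)
+        self.assertContains(response, "<p>Isn't it flat!</p>")
+
+    def test_fallback_non_existent_flatpage(self):
+        "A non-existent flatpage raises a 404 when served by the fallback middlware"
+        response = self.client.get('/no_such_flatpage/')
+        self.assertEquals(response.status_code, 404)
+
+    def test_post_view_flatpage(self):
+        "POSTing to a flatpage served through a view will raise a CSRF error if no token is provided (Refs #14156)"
+        response = self.client.post('/flatpage_root/flatpage/')
+        self.assertEquals(response.status_code, 403)
+
+    def test_post_fallback_flatpage(self):
+        "POSTing to a flatpage served by the middleware will raise a CSRF error if no token is provided (Refs #14156)"
+        response = self.client.post('/flatpage/')
+        self.assertEquals(response.status_code, 403)
+
+    def test_post_unknown_page(self):
+        "POSTing to an unknown page isn't caught as a 403 CSRF error"
+        response = self.client.post('/no_such_page/')
+        self.assertEquals(response.status_code, 404)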
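Review bot: The two `settings.MIDDLEWARE_CLASSES += (...)` statements in setUp mutate the setting in place whenever MIDDLEWARE_CLASSES is a list, and because `self.old_MIDDLEWARE_CLASSES` then aliases that same list object, the assignment in tearDown restores nothing and both CsrfViewMiddleware and FlatpageFallbackMiddleware stay installed for every test that runs afterwards. Rebind to a fresh tuple instead: `settings.MIDDLEWARE_CLASSES = tuple(settings.MIDDLEWARE_CLASSES) + (csrf_middleware_class,)` and likewise for the flatpage class. Separately, test_post_view_flatpage and test_post_fallback_flatpage only show that a token-less POST yields a 403; a companion test that first GETs the page to obtain the CSRF cookie, then POSTs with a matching token and expects 200, would demonstrate that the rejection is the CSRF check and not some other 403, and the existing two tests could additionally assert on the CSRF failure response body to the same end.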
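--- /dev/null
+++ b/django/contrib/flatpages/tests/middleware.py
@@ -0,0 +1,56 @@
+import os
+from django.conf import settings
+from django.test import TestCase
+
+class FlatpageMiddlewareTests(TestCase):
+    fixtures = ['sample_flatpages']
+    urls = 'django.contrib.flatpages.tests.urls'
+
+    def setUp(self):
+        self.old_MIDDLEWARE_CLASSES = settings.MIDDLEWARE_CLASSES
+        flatpage_middleware_class = 'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware'
+        if flatpage_middleware_class not in settings.MIDDLEWARE_CLASSES:
+            settings.MIDDLEWARE_CLASSES += (flatpage_middleware_class,)
+        self.old_TEMPLATE_DIRS = settings.TEMPLATE_DIRS
+        settings.TEMPLATE_DIRS = (
+            os.path.join(
+                os.path.dirname(__file__),
+                'templates'
+            ),
+        )
+
+    def tearDown(self):
+        settings.MIDDLEWARE_CLASSES = self.old_MIDDLEWARE_CLASSES
+        settings.TEMPLATE_DIRS = self.old_TEMPLATE_DIRS
+
+    def test_view_flatpage(self):
+        "A flatpage can be served through a view, even when the middleware is in use"
+        response = self.client.get('/flatpage_root/flatpage/')
+        self.assertEquals(response.status_code, 200)
+        self.assertContains(response, "<p>Isn't it flat!</p>")
+
+    def test_view_non_existent_flatpage(self):
+        "A non-existent flatpage raises 404 when served through a view, even when the middleware is in use"
+        response = self.client.get('/flatpage_root/no_such_flatpage/')
+        self.assertEquals(response.status_code, 404)
+
+    def test_view_authenticated_flatpage(self):
+        "A flatpage served through a view can require authentication"
+        response = self.client.get('/flatpage_root/sekrit/')
+        self.assertRedirects(response, '/accounts/login/?next=/flatpage_root/sekrit/')
+
+    def test_fallback_flatpage(self):
+        "A flatpage can be served by the fallback middlware"
+        response = self.client.get('/flatpage/')
+        self.assertEquals(response.status_code, 200)
+        self.assertContains(response, "<p>Isn't it flat!</p>")
+
+    def test_fallback_non_existent_flatpage(self):
+        "A non-existent flatpage raises a 404 when served by the fallback middlware"
+        response = self.client.get('/no_such_flatpage/')
+        self.assertEquals(response.status_code, 404)
+
+    def test_fallback_authenticated_flatpage(self):
+        "A flatpage served by the middleware can require authentication"
+        response = self.client.get('/sekrit/')
+        self.assertRedirects(response, '/accounts/login/?next=/sekrit/')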
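Review bot: The `+=` in setUp extends settings.MIDDLEWARE_CLASSES in place when that setting is a list, and `self.old_MIDDLEWARE_CLASSES` holds a reference to the very same object, so tearDown's assignment is a no-op and FlatpageFallbackMiddleware remains active for whatever tests run next in the suite. Rebinding to a new tuple avoids the aliasing: `settings.MIDDLEWARE_CLASSES = tuple(settings.MIDDLEWARE_CLASSES) + (flatpage_middleware_class,)`. Both fixture pages list only `sites: [1]`, so nothing here checks that the fallback refuses to serve a flatpage attached to a different site; a fixture entry with another site id plus a 404 assertion on its URL would cover that isolation property, assuming the middleware filters on SITE_ID as the view path does (the middleware itself is not visible in this diff).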
+1 −0
<h1>Oh Noes!</h1>
 No newline at end of file