Commit fa4bbfcb authored by Luke Plant's avatar Luke Plant

Removed Django 1.2 compatibility fallback for form wizard hash

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15951 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 25aaa359
+1 −38
@@ -249,14 +249,6 @@ class WizardClass(wizard.FormWizard):
        return http.HttpResponse(success_string)


class UserSecuredWizardClass(WizardClass):
    """
    Wizard with a custum security_hash method
    """
    def security_hash(self, request, form):
        return "123"


class DummyRequest(http.HttpRequest):

    def __init__(self, POST=None):
@@ -310,36 +302,7 @@ class WizardTests(TestCase):
                                     "wizard_step": "1"})
        self.assertEqual(0, response.context['step0'])

    def test_good_hash_django12(self):
        """
        Form should advance if the hash is present and good, as calculated using
        django 1.2 method.
        """
        # We are hard-coding a hash value here, but that is OK, since we want to
        # ensure that we don't accidentally change the algorithm.
        data = {"0-field": "test",
                "1-field": "test2",
                "hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
                "wizard_step": "1"}
        response = self.client.post('/wizard/', data)
        self.assertEqual(2, response.context['step0'])

    def test_good_hash_django12_subclass(self):
        """
        The Django 1.2 method of calulating hashes should *not* be used as a
        fallback if the FormWizard subclass has provided their own method
        of calculating a hash.
        """
        # We are hard-coding a hash value here, but that is OK, since we want to
        # ensure that we don't accidentally change the algorithm.
        data = {"0-field": "test",
                "1-field": "test2",
                "hash_0": "2fdbefd4c0cad51509478fbacddf8b13",
                "wizard_step": "1"}
        response = self.client.post('/wizard2/', data)
        self.assertEqual(0, response.context['step0'])

    def test_good_hash_current(self):
    def test_good_hash(self):
        """
        Form should advance if the hash is present and good, as calculated using
        current method.
+0 −3
@@ -11,7 +11,4 @@ urlpatterns = patterns('',
                       (r'^wizard/$', WizardClass([WizardPageOneForm,
                                                   WizardPageTwoForm,
                                                   WizardPageThreeForm])),
                       (r'^wizard2/$', UserSecuredWizardClass([WizardPageOneForm,
                                                               WizardPageTwoForm,
                                                               WizardPageThreeForm]))
                      )
+2 −19
@@ -11,7 +11,7 @@ except ImportError:

from django import forms
from django.conf import settings
from django.contrib.formtools.utils import security_hash, form_hmac
from django.contrib.formtools.utils import form_hmac
from django.http import Http404
from django.shortcuts import render_to_response
from django.template.context import RequestContext
@@ -58,24 +58,7 @@ class FormWizard(object):

    def _check_security_hash(self, token, request, form):
        expected = self.security_hash(request, form)
        if constant_time_compare(token, expected):
            return True
        else:
            # Fall back to Django 1.2 method, for compatibility with forms that
            # are in the middle of being used when the upgrade occurs. However,
            # we don't want to do this fallback if a subclass has provided their
            # own security_hash method - because they might have implemented a
            # more secure method, and this would punch a hole in that.

            # PendingDeprecationWarning <- left here to remind us that this
            # compatibility fallback should be removed in Django 1.5
            FormWizard_expected = FormWizard.security_hash(self, request, form)
            if expected == FormWizard_expected:
                # They didn't override security_hash, do the fallback:
                old_expected = security_hash(request, form)
                return constant_time_compare(token, old_expected)
            else:
                return False
        return constant_time_compare(token, expected)

    @method_decorator(csrf_protect)
    def __call__(self, request, *args, **kwargs):
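Review bot: The rewritten `_check_security_hash` has no docstring, and with the fallback comment removed nothing at this site records that a token is accepted only when it equals `self.security_hash(request, form)`. I would add a one-line docstring such as `"""Return True only if token matches self.security_hash(request, form), compared in constant time; no legacy-hash fallback."""`. Because both Django 1.2 tests are deleted in the tests file, it is also worth keeping one negative test that posts the old hard-coded `hash_0` value to `/wizard/` and asserts `response.context['step0']` stays at 0, so the fallback cannot quietly return. Wizards that are mid-flow with a 1.2-style hash at upgrade time will presumably be rejected at the hash check, which deserves a line in the release notes. The rest of `FormWizard`, including the body of `__call__`, lies outside this hunk.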