Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.

This also adds CSRF_COOKIE_MASKED transitional setting helpful in
migrating multiple instance of the same project to Django 4.1+.

Thanks Florian Apolloner and Shai Berger for reviews.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

1 files changed, 30 insertions, 0 deletions

diff --git a/tests/deprecation/test_csrf_cookie_masked.py b/tests/deprecation/test_csrf_cookie_masked.py
new file mode 100644
index 0000000000..74592fd0b7
--- /dev/null
+++ b/tests/deprecation/test_csrf_cookie_masked.py
@@ -0,0 +1,30 @@
+import sys
+from types import ModuleType
+
+from django.conf import CSRF_COOKIE_MASKED_DEPRECATED_MSG, Settings, settings
+from django.test import SimpleTestCase
+from django.utils.deprecation import RemovedInDjango50Warning
+
+
+class CsrfCookieMaskedDeprecationTests(SimpleTestCase):
+    msg = CSRF_COOKIE_MASKED_DEPRECATED_MSG
+
+    def test_override_settings_warning(self):
+        with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg):
+            with self.settings(CSRF_COOKIE_MASKED=True):
+                pass
+
+    def test_settings_init_warning(self):
+        settings_module = ModuleType('fake_settings_module')
+        settings_module.USE_TZ = False
+        settings_module.CSRF_COOKIE_MASKED = True
+        sys.modules['fake_settings_module'] = settings_module
+        try:
+            with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg):
+                Settings('fake_settings_module')
+        finally:
+            del sys.modules['fake_settings_module']
+
+    def test_access(self):
+        # Warning is not raised on access.
+        self.assertEqual(settings.CSRF_COOKIE_MASKED, False)