1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
from django.http import HttpResponse
from django.middleware.csrf import get_token, rotate_token
from django.template import Context, RequestContext, Template
from django.template.context_processors import csrf
from django.utils.decorators import decorator_from_middleware
from django.utils.deprecation import MiddlewareMixin
from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie
class TestingHttpResponse(HttpResponse):
"""
A version of HttpResponse that stores what cookie values are passed to
set_cookie() when CSRF_USE_SESSIONS=False.
"""
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
# This is a list of the cookie values passed to set_cookie() over
# the course of the request-response.
self._cookies_set = []
def set_cookie(self, key, value, **kwargs):
super().set_cookie(key, value, **kwargs)
self._cookies_set.append(value)
class _CsrfCookieRotator(MiddlewareMixin):
def process_response(self, request, response):
rotate_token(request)
return response
csrf_rotating_token = decorator_from_middleware(_CsrfCookieRotator)
@csrf_protect
def protected_view(request):
return HttpResponse("OK")
@ensure_csrf_cookie
def ensure_csrf_cookie_view(request):
return HttpResponse("OK")
@csrf_protect
@ensure_csrf_cookie
def ensured_and_protected_view(request):
return TestingHttpResponse("OK")
@csrf_protect
@csrf_rotating_token
@ensure_csrf_cookie
def sandwiched_rotate_token_view(request):
"""
This is a view that calls rotate_token() in process_response() between two
calls to CsrfViewMiddleware.process_response().
"""
return TestingHttpResponse("OK")
def post_form_view(request):
"""Return a POST form (without a token)."""
return HttpResponse(
content="""
<html>
<body><h1>\u00a1Unicode!<form method="post"><input type="text"></form></body>
</html>
"""
)
def token_view(request):
context = RequestContext(request, processors=[csrf])
template = Template("{% csrf_token %}")
return HttpResponse(template.render(context))
def non_token_view_using_request_processor(request):
"""Use the csrf view processor instead of the token."""
context = RequestContext(request, processors=[csrf])
template = Template("")
return HttpResponse(template.render(context))
def csrf_token_error_handler(request, **kwargs):
"""This error handler accesses the CSRF token."""
template = Template(get_token(request))
return HttpResponse(template.render(Context()), status=599)
|
