|
1 # -*- coding: utf-8 -*- |
|
2 |
|
3 from django.test import TestCase |
|
4 from django.http import HttpRequest, HttpResponse, HttpResponseForbidden |
|
5 from django.contrib.csrf.middleware import CsrfMiddleware, _make_token, csrf_exempt |
|
6 from django.conf import settings |
|
7 |
|
8 |
|
9 def post_form_response(): |
|
10 resp = HttpResponse(content=""" |
|
11 <html><body><form method="POST"><input type="text" /></form></body></html> |
|
12 """, mimetype="text/html") |
|
13 return resp |
|
14 |
|
15 def test_view(request): |
|
16 return post_form_response() |
|
17 |
|
18 class CsrfMiddlewareTest(TestCase): |
|
19 |
|
20 _session_id = "1" |
|
21 |
|
22 def _get_GET_no_session_request(self): |
|
23 return HttpRequest() |
|
24 |
|
25 def _get_GET_session_request(self): |
|
26 req = self._get_GET_no_session_request() |
|
27 req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id |
|
28 return req |
|
29 |
|
30 def _get_POST_session_request(self): |
|
31 req = self._get_GET_session_request() |
|
32 req.method = "POST" |
|
33 return req |
|
34 |
|
35 def _get_POST_no_session_request(self): |
|
36 req = self._get_GET_no_session_request() |
|
37 req.method = "POST" |
|
38 return req |
|
39 |
|
40 def _get_POST_session_request_with_token(self): |
|
41 req = self._get_POST_session_request() |
|
42 req.POST['csrfmiddlewaretoken'] = _make_token(self._session_id) |
|
43 return req |
|
44 |
|
45 def _get_post_form_response(self): |
|
46 return post_form_response() |
|
47 |
|
48 def _get_new_session_response(self): |
|
49 resp = self._get_post_form_response() |
|
50 resp.cookies[settings.SESSION_COOKIE_NAME] = self._session_id |
|
51 return resp |
|
52 |
|
53 def _check_token_present(self, response): |
|
54 self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % _make_token(self._session_id)) |
|
55 |
|
56 def get_view(self): |
|
57 return test_view |
|
58 |
|
59 # Check the post processing |
|
60 def test_process_response_no_session(self): |
|
61 """ |
|
62 Check the post-processor does nothing if no session active |
|
63 """ |
|
64 req = self._get_GET_no_session_request() |
|
65 resp = self._get_post_form_response() |
|
66 resp_content = resp.content # needed because process_response modifies resp |
|
67 resp2 = CsrfMiddleware().process_response(req, resp) |
|
68 self.assertEquals(resp_content, resp2.content) |
|
69 |
|
70 def test_process_response_existing_session(self): |
|
71 """ |
|
72 Check that the token is inserted if there is an existing session |
|
73 """ |
|
74 req = self._get_GET_session_request() |
|
75 resp = self._get_post_form_response() |
|
76 resp_content = resp.content # needed because process_response modifies resp |
|
77 resp2 = CsrfMiddleware().process_response(req, resp) |
|
78 self.assertNotEqual(resp_content, resp2.content) |
|
79 self._check_token_present(resp2) |
|
80 |
|
81 def test_process_response_new_session(self): |
|
82 """ |
|
83 Check that the token is inserted if there is a new session being started |
|
84 """ |
|
85 req = self._get_GET_no_session_request() # no session in request |
|
86 resp = self._get_new_session_response() # but new session started |
|
87 resp_content = resp.content # needed because process_response modifies resp |
|
88 resp2 = CsrfMiddleware().process_response(req, resp) |
|
89 self.assertNotEqual(resp_content, resp2.content) |
|
90 self._check_token_present(resp2) |
|
91 |
|
92 def test_process_response_exempt_view(self): |
|
93 """ |
|
94 Check that no post processing is done for an exempt view |
|
95 """ |
|
96 req = self._get_POST_session_request() |
|
97 resp = csrf_exempt(self.get_view())(req) |
|
98 resp_content = resp.content |
|
99 resp2 = CsrfMiddleware().process_response(req, resp) |
|
100 self.assertEquals(resp_content, resp2.content) |
|
101 |
|
102 # Check the request processing |
|
103 def test_process_request_no_session(self): |
|
104 """ |
|
105 Check that if no session is present, the middleware does nothing. |
|
106 to the incoming request. |
|
107 """ |
|
108 req = self._get_POST_no_session_request() |
|
109 req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {}) |
|
110 self.assertEquals(None, req2) |
|
111 |
|
112 def test_process_request_session_no_token(self): |
|
113 """ |
|
114 Check that if a session is present but no token, we get a 'forbidden' |
|
115 """ |
|
116 req = self._get_POST_session_request() |
|
117 req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {}) |
|
118 self.assertEquals(HttpResponseForbidden, req2.__class__) |
|
119 |
|
120 def test_process_request_session_and_token(self): |
|
121 """ |
|
122 Check that if a session is present and a token, the middleware lets it through |
|
123 """ |
|
124 req = self._get_POST_session_request_with_token() |
|
125 req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {}) |
|
126 self.assertEquals(None, req2) |
|
127 |
|
128 def test_process_request_session_no_token_exempt_view(self): |
|
129 """ |
|
130 Check that if a session is present and no token, but the csrf_exempt |
|
131 decorator has been applied to the view, the middleware lets it through |
|
132 """ |
|
133 req = self._get_POST_session_request() |
|
134 req2 = CsrfMiddleware().process_view(req, csrf_exempt(self.get_view()), (), {}) |
|
135 self.assertEquals(None, req2) |
|
136 |
|
137 def test_ajax_exemption(self): |
|
138 """ |
|
139 Check that AJAX requests are automatically exempted. |
|
140 """ |
|
141 req = self._get_POST_session_request() |
|
142 req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' |
|
143 req2 = CsrfMiddleware().process_view(req, self.get_view(), (), {}) |
|
144 self.assertEquals(None, req2) |