1 from django.http import HttpResponseForbidden

     2 from django.template import Context, Template

     3 from django.conf import settings

     4 

     5 # We include the template inline since we need to be able to reliably display

     6 # this error message, especially for the sake of developers, and there isn't any

     7 # other way of making it available independent of what is in the settings file.

     8 

     9 CSRF_FAILRE_TEMPLATE = """

    10 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

    11 <html lang="en">

    12 <head>

    13   <meta http-equiv="content-type" content="text/html; charset=utf-8">

    14   <meta name="robots" content="NONE,NOARCHIVE">

    15   <title>403 Forbidden</title>

    16   <style type="text/css">

    17     html * { padding:0; margin:0; }

    18     body * { padding:10px 20px; }

    19     body * * { padding:0; }

    20     body { font:small sans-serif; background:#eee; }

    21     body>div { border-bottom:1px solid #ddd; }

    22     h1 { font-weight:normal; margin-bottom:.4em; }

    23     h1 span { font-size:60%; color:#666; font-weight:normal; }

    24     #info { background:#f6f6f6; }

    25     #info ul { margin: 0.5em 4em; }

    26     #info p { padding-top:10px; }

    27     #summary { background: #ffc; }

    28     #explanation { background:#eee; border-bottom: 0px none; }

    29   </style>

    30 </head>

    31 <body>

    32 <div id="summary">

    33   <h1>Forbidden <span>(403)</span></h1>

    34   <p>CSRF verification failed. Request aborted.</p>

    35 </div>

    36 {% if DEBUG %}

    37 <div id="info">

    38   <h2>Help</h2>

    39     {% if reason %}

    40     <p>Reason given for failure:</p>

    41     <pre>

    42     {{ reason }}

    43     </pre>

    44     {% endif %}

    45 

    46   <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when

    47   <a

    48   href='http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ref-contrib-csrf'>Django's

    49   CSRF mechanism</a> has not been used correctly.  For POST forms, you need to

    50   ensure:</p>

    51 

    52   <ul>

    53     <li>The view function uses <a

    54     href='http://docs.djangoproject.com/en/dev/ref/templates/api/#subclassing-context-requestcontext'><code>RequestContext</code></a>

    55     for the template, instead of <code>Context</code>.</li>

    56 

    57     <li>In the template, there is a <code>{% templatetag openblock %} csrf_token

    58     {% templatetag closeblock %}</code> template tag inside each POST form that

    59     targets an internal URL.</li>

    60 

    61     <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use

    62     <code>csrf_protect</code> on any views that use the <code>csrf_token</code>

    63     template tag, as well as those that accept the POST data.</li>

    64 

    65   </ul>

    66 

    67   <p>You're seeing the help section of this page because you have <code>DEBUG =

    68   True</code> in your Django settings file. Change that to <code>False</code>,

    69   and only the initial error message will be displayed.  </p>

    70 

    71   <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>

    72 </div>

    73 {% else %}

    74 <div id="explanation">

    75   <p><small>More information is available with DEBUG=True.</small></p>

    76 </div>

    77 {% endif %}

    78 </body>

    79 </html>

    80 """

    81 

    82 def csrf_failure(request, reason=""):

    83     """

    84     Default view used when request fails CSRF protection

    85     """

    86     t = Template(CSRF_FAILRE_TEMPLATE)

    87     c = Context({'DEBUG': settings.DEBUG,

    88                  'reason': reason})

    89     return HttpResponseForbidden(t.render(c), mimetype='text/html')