summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2011-03-30 17:34:26 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-03-30 17:34:26 +0000
commit8823021625785cbe8e9e2f4d6ff559fc4c8fa7c6 (patch)
tree473bdc9b7c644ab472da349246067127f2b1dd36 /tests
parent21ef64e34c1c84bd7beb07531694d3f22fc42ffd (diff)
Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests')
-rw-r--r--tests/regressiontests/csrf_tests/tests.py111
1 files changed, 11 insertions, 100 deletions
diff --git a/tests/regressiontests/csrf_tests/tests.py b/tests/regressiontests/csrf_tests/tests.py
index ba1760aa91..37a10044c4 100644
--- a/tests/regressiontests/csrf_tests/tests.py
+++ b/tests/regressiontests/csrf_tests/tests.py
@@ -3,7 +3,7 @@ import warnings
from django.test import TestCase
from django.http import HttpRequest, HttpResponse
-from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
+from django.middleware.csrf import CsrfViewMiddleware
from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt, requires_csrf_token
from django.core.context_processors import csrf
from django.conf import settings
@@ -16,11 +16,6 @@ def post_form_response():
""", mimetype="text/html")
return resp
-def post_form_response_non_html():
- resp = post_form_response()
- resp["Content-Type"] = "application/xml"
- return resp
-
def post_form_view(request):
"""A view that returns a POST form (without a token)"""
return post_form_response()
@@ -54,7 +49,7 @@ class TestingHttpRequest(HttpRequest):
def is_secure(self):
return getattr(self, '_is_secure', False)
-class CsrfMiddlewareTest(TestCase):
+class CsrfViewMiddlewareTest(TestCase):
# The csrf token is potentially from an untrusted source, so could have
# characters that need dealing with.
_csrf_id_cookie = "<1>\xc2\xa1"
@@ -94,51 +89,12 @@ class CsrfMiddlewareTest(TestCase):
def _check_token_present(self, response, csrf_id=None):
self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
- # Check the post processing and outgoing cookie
- def test_process_response_no_csrf_cookie(self):
- """
- When no prior CSRF cookie exists, check that the cookie is created and a
- token is inserted.
- """
- req = self._get_GET_no_csrf_cookie_request()
- CsrfMiddleware().process_view(req, post_form_view, (), {})
-
- resp = post_form_response()
- resp_content = resp.content # needed because process_response modifies resp
- resp2 = CsrfMiddleware().process_response(req, resp)
-
- csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
- self.assertNotEqual(csrf_cookie, False)
- self.assertNotEqual(resp_content, resp2.content)
- self._check_token_present(resp2, csrf_cookie.value)
- # Check the Vary header got patched correctly
- self.assertTrue('Cookie' in resp2.get('Vary',''))
-
- def test_process_response_for_exempt_view(self):
+ def test_process_response_get_token_used(self):
"""
- Check that a view decorated with 'csrf_view_exempt' is still
- post-processed to add the CSRF token.
+ When get_token is used, check that the cookie is created and headers
+ patched.
"""
req = self._get_GET_no_csrf_cookie_request()
- CsrfMiddleware().process_view(req, csrf_view_exempt(post_form_view), (), {})
-
- resp = post_form_response()
- resp_content = resp.content # needed because process_response modifies resp
- resp2 = CsrfMiddleware().process_response(req, resp)
-
- csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
- self.assertNotEqual(csrf_cookie, False)
- self.assertNotEqual(resp_content, resp2.content)
- self._check_token_present(resp2, csrf_cookie.value)
-
- def test_process_response_no_csrf_cookie_view_only_get_token_used(self):
- """
- When no prior CSRF cookie exists, check that the cookie is created, even
- if only CsrfViewMiddleware is used.
- """
- # This is checking that CsrfViewMiddleware has the cookie setting
- # code. Most of the other tests use CsrfMiddleware.
- req = self._get_GET_no_csrf_cookie_request()
# token_view calls get_token() indirectly
CsrfViewMiddleware().process_view(req, token_view, (), {})
resp = token_view(req)
@@ -146,6 +102,7 @@ class CsrfMiddlewareTest(TestCase):
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertNotEqual(csrf_cookie, False)
+ self.assertTrue('Cookie' in resp2.get('Vary',''))
def test_process_response_get_token_not_used(self):
"""
@@ -167,43 +124,6 @@ class CsrfMiddlewareTest(TestCase):
csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
self.assertEqual(csrf_cookie, False)
- def test_process_response_existing_csrf_cookie(self):
- """
- Check that the token is inserted when a prior CSRF cookie exists
- """
- req = self._get_GET_csrf_cookie_request()
- CsrfMiddleware().process_view(req, post_form_view, (), {})
-
- resp = post_form_response()
- resp_content = resp.content # needed because process_response modifies resp
- resp2 = CsrfMiddleware().process_response(req, resp)
- self.assertNotEqual(resp_content, resp2.content)
- self._check_token_present(resp2)
-
- def test_process_response_non_html(self):
- """
- Check the the post-processor does nothing for content-types not in _HTML_TYPES.
- """
- req = self._get_GET_no_csrf_cookie_request()
- CsrfMiddleware().process_view(req, post_form_view, (), {})
- resp = post_form_response_non_html()
- resp_content = resp.content # needed because process_response modifies resp
- resp2 = CsrfMiddleware().process_response(req, resp)
- self.assertEqual(resp_content, resp2.content)
-
- def test_process_response_exempt_view(self):
- """
- Check that no post processing is done for an exempt view
- """
- req = self._get_GET_csrf_cookie_request()
- view = csrf_exempt(post_form_view)
- CsrfMiddleware().process_view(req, view, (), {})
-
- resp = view(req)
- resp_content = resp.content
- resp2 = CsrfMiddleware().process_response(req, resp)
- self.assertEqual(resp_content, resp2.content)
-
# Check the request processing
def test_process_request_no_csrf_cookie(self):
"""
@@ -211,7 +131,7 @@ class CsrfMiddlewareTest(TestCase):
incoming request. This will stop login CSRF.
"""
req = self._get_POST_no_csrf_cookie_request()
- req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertEqual(403, req2.status_code)
def test_process_request_csrf_cookie_no_token(self):
@@ -220,7 +140,7 @@ class CsrfMiddlewareTest(TestCase):
rejects the incoming request.
"""
req = self._get_POST_csrf_cookie_request()
- req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertEqual(403, req2.status_code)
def test_process_request_csrf_cookie_and_token(self):
@@ -228,7 +148,7 @@ class CsrfMiddlewareTest(TestCase):
Check that if both a cookie and a token is present, the middleware lets it through.
"""
req = self._get_POST_request_with_token()
- req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertEqual(None, req2)
def test_process_request_csrf_cookie_no_token_exempt_view(self):
@@ -237,7 +157,7 @@ class CsrfMiddlewareTest(TestCase):
decorator has been applied to the view, the middleware lets it through
"""
req = self._get_POST_csrf_cookie_request()
- req2 = CsrfMiddleware().process_view(req, csrf_exempt(post_form_view), (), {})
+ req2 = CsrfViewMiddleware().process_view(req, csrf_exempt(post_form_view), (), {})
self.assertEqual(None, req2)
def test_csrf_token_in_header(self):
@@ -246,7 +166,7 @@ class CsrfMiddlewareTest(TestCase):
"""
req = self._get_POST_csrf_cookie_request()
req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
- req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
+ req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
self.assertEqual(None, req2)
# Tests for the template tag method
@@ -307,15 +227,6 @@ class CsrfMiddlewareTest(TestCase):
csrf_cookie = resp2.cookies[settings.CSRF_COOKIE_NAME]
self._check_token_present(resp, csrf_id=csrf_cookie.value)
- def test_response_middleware_without_view_middleware(self):
- """
- Check that CsrfResponseMiddleware finishes without error if the view middleware
- has not been called, as is the case if a request middleware returns a response.
- """
- req = self._get_GET_no_csrf_cookie_request()
- resp = post_form_view(req)
- CsrfMiddleware().process_response(req, resp)
-
def test_https_bad_referer(self):
"""
Test that a POST HTTPS request with a bad referer is rejected