diff options
| -rw-r--r-- | django/views/csrf.py | 10 | ||||
| -rw-r--r-- | tests/view_tests/tests/test_csrf.py | 13 |
2 files changed, 17 insertions, 6 deletions
diff --git a/django/views/csrf.py b/django/views/csrf.py index aa227d3b6e..9ab9c44171 100644 --- a/django/views/csrf.py +++ b/django/views/csrf.py @@ -1,6 +1,6 @@ from django.conf import settings from django.http import HttpResponseForbidden -from django.template import Context, Template +from django.template import Context, Engine from django.utils.translation import ugettext as _ from django.utils.version import get_docs_version @@ -67,9 +67,9 @@ CSRF_FAILURE_TEMPLATE = """ <ul> <li>Your browser is accepting cookies.</li> - <li>The view function uses <a - href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/templates/api/#subclassing-context-requestcontext"><code>RequestContext</code></a> - for the template, instead of <code>Context</code>.</li> + <li>The view function passes a <code>request</code> to the template's <a + href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a> + method.</li> <li>In the template, there is a <code>{% templatetag openblock %} csrf_token {% templatetag closeblock %}</code> template tag inside each POST form that @@ -102,7 +102,7 @@ def csrf_failure(request, reason=""): Default view used when request fails CSRF protection """ from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE - t = Template(CSRF_FAILURE_TEMPLATE) + t = Engine().from_string(CSRF_FAILURE_TEMPLATE) c = Context({ 'title': _("Forbidden"), 'main': _("CSRF verification failed. Request aborted."), diff --git a/tests/view_tests/tests/test_csrf.py b/tests/view_tests/tests/test_csrf.py index 4d82588f88..9baee9ce34 100644 --- a/tests/view_tests/tests/test_csrf.py +++ b/tests/view_tests/tests/test_csrf.py @@ -21,7 +21,6 @@ class CsrfViewTests(TestCase): """ Test that an invalid request is rejected with a localized error message. """ - response = self.client.post('/') self.assertContains(response, "Forbidden", status_code=403) self.assertContains(response, @@ -63,3 +62,15 @@ class CsrfViewTests(TestCase): "ensure that your browser is not being hijacked " "by third parties.", status_code=403) + + # In Django 2.0, this can be changed to TEMPLATES=[] because the code path + # that reads the TEMPLATE_* settings in that case will have been removed. + @override_settings(TEMPLATES=[{ + 'BACKEND': 'django.template.backends.dummy.TemplateStrings', + }]) + def test_no_django_template_engine(self): + """ + The CSRF view doesn't depend on the TEMPLATES configuration (#24388). + """ + response = self.client.post('/') + self.assertContains(response, "Forbidden", status_code=403) |
