django-rest-framework/tests/test_templates.py

import re

from django.shortcuts import render


def test_base_template_with_no_context():
    # base.html should be renderable with no context,
    # so it can be easily extended.
    result = render({}, 'rest_framework/base.html')
    # note that this response will not include a valid CSRF token
    assert re.search(r'\bcsrfToken: ""', result.content.decode())


def test_base_template_with_simple_context():
    context = {'request': True, 'csrf_token': 'TOKEN'}
    result = render({}, 'rest_framework/base.html', context=context)
    # note that response will STILL not include a CSRF token
    assert re.search(r'\bcsrfToken: ""', result.content.decode())


def test_base_template_with_editing_context():
    context = {'request': True, 'post_form': object(), 'csrf_token': 'TOKEN'}
    result = render({}, 'rest_framework/base.html', context=context)
    # response includes a CSRF token in support of the POST form
    assert re.search(r'\bcsrfToken: "TOKEN"', result.content.decode())
Made templates compatible with session-based CSRF. (#6207) 2019-02-19 14:15:03 +03:00			`import re`

Fixed AttributeError from items filter when value is None (#5981) 2018-05-11 09:50:08 +03:00			`from django.shortcuts import render`


			`def test_base_template_with_no_context():`
			`# base.html should be renderable with no context,`
			`# so it can be easily extended.`
Made templates compatible with session-based CSRF. (#6207) 2019-02-19 14:15:03 +03:00			`result = render({}, 'rest_framework/base.html')`
			`# note that this response will not include a valid CSRF token`
Drop default 'utf-8' to .encode()/.decode() (#6633) A Python 3 cleanup that allows for less noise in the code. https://docs.python.org/3/library/stdtypes.html#bytes.decode https://docs.python.org/3/library/stdtypes.html#str.encode 2019-05-01 08:49:17 +03:00			`assert re.search(r'\bcsrfToken: ""', result.content.decode())`
made Browsable API base template cachable: omit CSRF token when unnecessary (#7717) HTML responses generated by the Browsable API otherwise generate inconsistent ETAGs -- due to the presence of CSRF tokens in the response -- even when the API is read-only, (and as such when the response contains no resource-modifying forms, i.e. neither POST nor PUT forms, which might require the CSRF token). While the template was appropriately including CSRF tokens only within POST and PUT forms, its AJAX overlay included the CSRF token in every response, regardless of whether it would be needed. This change brings the logic of the `script` block into line with that of the rest of the template -- and such that read-only APIs (and really the Browsable API pages of any read-only resources) will not needlessly include the CSRF token, and will now be safely cachable -- by both back-end systems and by the user agent. 2021-03-16 16:25:21 +03:00

			`def test_base_template_with_simple_context():`
			`context = {'request': True, 'csrf_token': 'TOKEN'}`
			`result = render({}, 'rest_framework/base.html', context=context)`
			`# note that response will STILL not include a CSRF token`
			`assert re.search(r'\bcsrfToken: ""', result.content.decode())`


			`def test_base_template_with_editing_context():`
			`context = {'request': True, 'post_form': object(), 'csrf_token': 'TOKEN'}`
			`result = render({}, 'rest_framework/base.html', context=context)`
			`# response includes a CSRF token in support of the POST form`
			`assert re.search(r'\bcsrfToken: "TOKEN"', result.content.decode())`