Fix CSRF cookie check failure when using session auth with django 1.11.6+ (#6113)
Test included. Fixes #6088
This commit is contained in:
parent
2fab7838ef
commit
81fa4b4f75
|
@ -135,7 +135,10 @@ class SessionAuthentication(BaseAuthentication):
|
|||
"""
|
||||
Enforce CSRF validation for session based authentication.
|
||||
"""
|
||||
reason = CSRFCheck().process_view(request, None, (), {})
|
||||
check = CSRFCheck()
|
||||
# populates request.META['CSRF_COOKIE'], which is used in process_view()
|
||||
check.process_request(request)
|
||||
reason = check.process_view(request, None, (), {})
|
||||
if reason:
|
||||
# CSRF failed, bail with explicit error message
|
||||
raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
|
||||
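Review bot: The comment above `check.process_request(request)` says what it populates but not why the extra call is now required, and the docstring at the top of the hunk still does not mention that the method raises; since the commit title ties the fix to Django 1.11.6+, the comment should carry that, e.g. `# Django 1.11.6+ reads the CSRF cookie in process_request(), so it must run before process_view() or the cookie check fails`. The docstring should also gain `Raises PermissionDenied when the CSRF check fails.` so callers know it is an exception rather than a return value. One thing the hunk does not show is whether constructing `CSRFCheck()` with no get_response argument is deliberate; if it relies on the middleware base class defaulting it, a one-line comment saying so would save the next reader from checking. The enforce_csrf signature is outside the hunk.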
|
|
|
@ -5,6 +5,7 @@ from __future__ import unicode_literals
|
|||
import base64
|
||||
|
||||
import pytest
|
||||
from django.conf import settings
|
||||
from django.conf.urls import include, url
|
||||
from django.contrib.auth.models import User
|
||||
from django.db import models
|
||||
|
@ -202,6 +203,26 @@ class SessionAuthTests(TestCase):
|
|||
response = self.csrf_client.post('/session/', {'example': 'example'})
|
||||
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||
|
||||
def test_post_form_session_auth_passing_csrf(self):
|
||||
"""
|
||||
Ensure POSTing form over session authentication with CSRF token succeeds.
|
||||
Regression test for #6088
|
||||
"""
|
||||
from django.middleware.csrf import _get_new_csrf_token
|
||||
|
||||
self.csrf_client.login(username=self.username, password=self.password)
|
||||
|
||||
# Set the csrf_token cookie so that CsrfViewMiddleware._get_token() works
|
||||
token = _get_new_csrf_token()
|
||||
self.csrf_client.cookies[settings.CSRF_COOKIE_NAME] = token
|
||||
|
||||
# Post the token matching the cookie value
|
||||
response = self.csrf_client.post('/session/', {
|
||||
'example': 'example',
|
||||
'csrfmiddlewaretoken': token,
|
||||
})
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
|
||||
def test_post_form_session_auth_passing(self):
|
||||
"""
|
||||
Ensure POSTing form over session authentication with logged in
|
||||
|
|