Made templates compatible with session-based CSRF. (#6207)

rest_framework/static/rest_framework/js/csrf.js

@@ -38,7 +38,7 @@ function sameOrigin(url) {
     !(/^(\/\/|http:|https:).*/.test(url));
 }
 
-var csrftoken = getCookie(window.drf.csrfCookieName);
+var csrftoken = window.drf.csrfToken;
 
 $.ajaxSetup({
   beforeSend: function(xhr, settings) {

rest_framework/templates/rest_framework/admin.html

@@ -247,7 +247,7 @@
         <script>
           window.drf = {
             csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}",
-            csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
+            csrfToken: "{{ csrf_token }}"
           };
         </script>
         <script src="{% static "rest_framework/js/jquery-3.3.1.min.js" %}"></script>

rest_framework/templates/rest_framework/base.html

@@ -290,7 +290,7 @@
       <script>
         window.drf = {
           csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}",
-          csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
+          csrfToken: "{% if request %}{{ csrf_token }}{% endif %}"
         };
       </script>
       <script src="{% static "rest_framework/js/jquery-3.3.1.min.js" %}"></script>

tests/test_templates.py

@@ -1,7 +1,17 @@
+import re
+
 from django.shortcuts import render
 
 
+def test_base_template_with_context():
+    context = {'request': True, 'csrf_token': 'TOKEN'}
+    result = render({}, 'rest_framework/base.html', context=context)
+    assert re.search(r'\bcsrfToken: "TOKEN"', result.content.decode('utf-8'))
+
+
 def test_base_template_with_no_context():
     # base.html should be renderable with no context,
     # so it can be easily extended.
-    render({}, 'rest_framework/base.html')
+    result = render({}, 'rest_framework/base.html')
+    # note that this response will not include a valid CSRF token
+    assert re.search(r'\bcsrfToken: ""', result.content.decode('utf-8'))