[PATCH] Just add a comment on settings.py with instructions to enable CSRF protection on Django 1.1

Guilherme Salgado guilherme.salgado at linaro.org
Thu Apr 7 23:45:17 EST 2011


On Wed, 2011-04-06 at 13:20 -0300, Guilherme Salgado wrote:
> On Wed, 2011-04-06 at 12:28 -0300, Guilherme Salgado wrote:
> > Signed-off-by: Guilherme Salgado <guilherme.salgado at linaro.org>
> > ---
> >  apps/settings.py |    3 +++
> >  1 files changed, 3 insertions(+), 0 deletions(-)
> > 
> > diff --git a/apps/settings.py b/apps/settings.py
> > index 68837b3..10813d4 100644
> > --- a/apps/settings.py
> > +++ b/apps/settings.py
> > @@ -63,6 +63,9 @@ MIDDLEWARE_CLASSES = (
> >      'django.contrib.auth.middleware.AuthenticationMiddleware',
> >      'django.middleware.doc.XViewMiddleware',
> >      'django.middleware.csrf.CsrfViewMiddleware',
> > +    # If using Django 1.1, instead of the line above you'll need:
> > +    # 'django.contrib.csrf.CsrfViewMiddleware',
> > +    # 'django.contrib.csrf.CsrfResponseMiddleware',
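Review bot: the two commented-out paths added under 'django.middleware.csrf.CsrfViewMiddleware' omit the middleware module, so a Django 1.1 user who uncomments them as written gets middleware that fails to load instead of CSRF protection. They should read 'django.contrib.csrf.middleware.CsrfViewMiddleware' and 'django.contrib.csrf.middleware.CsrfResponseMiddleware'. The comment could also state explicitly that the 'django.middleware.csrf.CsrfViewMiddleware' entry has to be removed or commented out on 1.1, and mention that the templates' 'csrf_token' tag needs separate handling there, since enabling the middleware alone does not make the app run.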
> 
> In fact, this should've been 'django.contrib.csrf.middleware.Csrf...',
> but although it should be enough to provide CSRF protection on Django
> 1.1 it doesn't seem to be enough to make Patchwork run on top of Django
> 1.1 because the templates use the 'csrf_token' tag, which is not
> available in 1.1.

1.1.2 seems to have a noop csrf_token tag, so you can either use that or
do something similar to http://code.djangoproject.com/changeset/11674 as
a monkey patch from within your app code.

This seems to be enough to get Patchwork to run on 1.1, but there are
several test failures which are not obvious to me, so they might indeed
represent things that are broken when running on 1.1.  This is one
example:

FAIL: testStateChangeInvalid (patchwork.tests.updates.MultipleUpdateTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/srv/patchwork/apps/patchwork/tests/updates.py", line 93, in testStateChangeInvalid
    response = self._testStateChange(state)
  File "/srv/patchwork/apps/patchwork/tests/updates.py", line 80, in _testStateChange
    status_code = 200)
  File "/usr/lib/pymodules/python2.6/django/test/testcases.py", line 336, in assertContains
    (response.status_code, status_code))
AssertionError: Couldn't retrieve page: Response code was 403 (expected 200)'



-- 
Guilherme Salgado <https://launchpad.net/~salgado>