
Merge pull request #1220 from rafalp/fix-ajax-csrf-error

Fix crash in AJAX CSRF error handler
Rafał Pitoń 6 years ago
parent
commit
2b370a9450

+ 10 - 4
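--- a/misago/core/errorpages.py
+++ b/misago/core/errorpages.py
@@ -107,11 +107,17 @@ def social_auth_failed(request, exception):
 @admin_csrf_failure
 def csrf_failure(request, reason=""):
     if request.is_ajax():
-        return _ajax_error(403, _("Request authentication is invalid."))
+        return JsonResponse(
+            {
+                "detail": _(
+                    "Your request was rejected because your browser didn't "
+                    "send the CSRF cookie, or the cookie sent was invalid."
+                )
+            },
+            status=403,
+        )
 
-    response = render(request, "misago/errorpages/csrf_failure.html")
-    response.status_code = 403
-    return response
+    return render(request, "misago/errorpages/csrf_failure.html", status=403)
 
 
 def not_allowed(request):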
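Review bot: csrf_failure has no docstring, and the new JsonResponse branch deliberately ignores the `reason` argument (the signature matches the view Django calls on CSRF verification failure, which receives its internal failure reason); a reader should be told that not echoing it is intentional, since it would tell a client why verification failed. Suggested docstring under the def: `"""CSRF failure view: JSON 403 for AJAX callers, the HTML error page otherwise; `reason` is intentionally not exposed to the client."""`. The module's import block is outside this hunk, so confirm `JsonResponse` is imported at file level — a missing name here would presumably reproduce the kind of crash the commit fixes.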

+ 11 - 1
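--- a/misago/core/tests/test_errorpages.py
+++ b/misago/core/tests/test_errorpages.py
@@ -13,12 +13,22 @@ from ..utils import encode_json_html
 
 
 class CSRFErrorViewTests(TestCase):
-    def test_csrf_failure(self):
+    def test_csrf_failure_is_handled(self):
         """csrf_failure error page has no show-stoppers"""
         csrf_client = Client(enforce_csrf_checks=True)
         response = csrf_client.post(reverse("misago:index"), data={"eric": "fish"})
         self.assertContains(response, "Request blocked", status_code=403)
 
+    def test_ajax_csrf_failure_is_handled(self):
+        """csrf_failure error ajax response has no show-stoppers"""
+        csrf_client = Client(enforce_csrf_checks=True)
+        response = csrf_client.post(
+            reverse("misago:api:auth"),
+            data={"eric": "fish"},
+            HTTP_X_REQUESTED_WITH="XMLHttpRequest",
+        )
+        self.assertContains(response, "CSRF cookie", status_code=403)
+
 
 
 @override_settings(ROOT_URLCONF="misago.core.testproject.urls")
 class ErrorPageViewsTests(TestCase):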
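Review bot: test_ajax_csrf_failure_is_handled only asserts that the body contains "CSRF cookie" with a 403, which the HTML error page would also satisfy (the template in this commit carries the same phrase), so it does not pin the behaviour being fixed — that AJAX callers get a JSON body instead of a page. Add an assertion on the actual response shape, e.g. `self.assertEqual(response["Content-Type"], "application/json")` and `self.assertIn("CSRF cookie", response.json()["detail"])`, so a regression back to the HTML branch fails this test. The renamed test_csrf_failure_is_handled is otherwise unchanged and needs nothing further.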

+ 1 - 1
misago/templates/misago/admin/errorpages/csrf_failure_message.html

@@ -1,6 +1,6 @@
 {% load i18n %}
 {% load i18n %}
 <p>
 <p>
-  {% trans "Your form submission was rejected because you've browser didn't send the CSRF cookie, or the cookie sent was invalid." %}
+  {% trans "Your form submission was rejected because your browser didn't send the CSRF cookie, or the cookie sent was invalid." %}
 </p>
 </p>
 <p>
 <p>
   {% trans "This is usually a result of one of following problems:" %}
   {% trans "This is usually a result of one of following problems:" %}