
CSRF protection was split from Security app.

Ralfp 12 years ago
parent
commit
efb0ce02b4

+ 0 - 2
misago/security/csrf.py → misago/csrf/__init__.py

@@ -1,5 +1,3 @@
-from django import forms
-
 class CSRFProtection(object):
     def __init__(self, csrf_token):
         self.csrf_id = '_csrf_token'

+ 7 - 0
misago/csrf/context_processors.py

@@ -0,0 +1,7 @@
+def csrf(request):
+    if request.user.is_crawler():
+        return {}
+    return {
+        'csrf_id': request.csrf.csrf_id,
+        'csrf_token': request.csrf.csrf_token,
+    }
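Review bot: `csrf()` reads `request.csrf` without a guard, so it only works when `CSRFMiddleware` has already run for the request; if the middleware is missing or ordered too late, the failure is an `AttributeError` at template render time. A docstring would make the dependency explicit, e.g. `"""Expose the CSRF field name and session token to templates; requires misago.csrf.middleware.CSRFMiddleware."""`. The `is_crawler()` early return has to stay in step with the same check in the middleware, since that is the only case where `request.csrf` is deliberately absent.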

+ 13 - 0
misago/csrf/middleware.py

@@ -0,0 +1,13 @@
+from misago.security import get_random_string
+from misago.csrf import CSRFProtection
+
+class CSRFMiddleware(object):
+    def process_request(self, request):
+        if request.user.is_crawler():
+            return None
+        if 'csrf_token' in request.session:
+            csrf_token = request.session['csrf_token']
+        else:
+            csrf_token = get_random_string(16);
+            request.session['csrf_token'] = csrf_token
+        request.csrf = CSRFProtection(csrf_token)
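Review bot: The session token comes from `get_random_string(16)` imported from `misago.security`, whose implementation is outside this diff, so it is worth confirming that it draws from the OS CSPRNG (`random.SystemRandom` or `os.urandom`) rather than the default `random` module; a predictable token defeats the CSRF check. Django ships `django.utils.crypto.get_random_string`, which could replace the local helper if it does not. The token is also reused for as long as `'csrf_token'` stays in the session, so consider issuing a fresh one when the user logs in. The trailing `;` after `get_random_string(16)` can be dropped.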

+ 0 - 2
misago/security/context_processors.py

@@ -2,7 +2,5 @@ def security(request):
     if request.user.is_crawler():
         return {}
     return {
-        'csrf_id': request.csrf.csrf_id,
-        'csrf_token': request.csrf.csrf_token,
         'is_jammed': request.jam.is_jammed(),
     }

+ 1 - 14
misago/security/middleware.py

@@ -1,6 +1,4 @@
 from django.conf import settings
-from misago.security import get_random_string
-from misago.security.csrf import CSRFProtection
 from misago.security.firewalls import *
 from misago.security.models import JamCache
 from misago.themes.theme import Theme
@@ -29,15 +27,4 @@ class JamMiddleware(object):
             request.jam = JamCache()
             request.session['jam'] = request.jam
         if not request.firewall.admin:
-            request.jam.check_for_updates(request)
-
-class CSRFMiddleware(object):
-    def process_request(self, request):
-        if request.user.is_crawler():
-            return None
-        if 'csrf_token' in request.session:
-            csrf_token = request.session['csrf_token']
-        else:
-            csrf_token = get_random_string(16);
-            request.session['csrf_token'] = csrf_token
-        request.csrf = CSRFProtection(csrf_token)
+            request.jam.check_for_updates(request)

+ 2 - 0
misago/settings_base.py

@@ -56,6 +56,7 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'misago.monitor.context_processors.monitor',
     'misago.settings.context_processors.settings',
     'misago.security.context_processors.security',
+    'misago.csrf.context_processors.csrf',
     'misago.users.context_processors.user',
 )
 
@@ -108,6 +109,7 @@ INSTALLED_APPS = (
     'misago.stats', # Admin statistics generator
     'misago.security', # Security: CSRF, Firewall, etc ect
     'misago.sessions', # Sessions
+    'misago.csrf', # Cross Site Request Forgery protection
     'misago.setup', # Installation/update tool
     'misago.template', # Templates extensions
     'misago.themes', # Themes
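Review bot: This section adds the context processor and the app entry but shows no change to `MIDDLEWARE_CLASSES`, while the commit moves `CSRFMiddleware` from `misago/security/middleware.py` to `misago/csrf/middleware.py`. If the middleware list (outside the visible hunks) still names `misago.security.middleware.CSRFMiddleware`, that import will no longer resolve, and if the entry is absent `request.csrf` is never set; the entry should read `'misago.csrf.middleware.CSRFMiddleware',`. The comment on the `'misago.security'` line still says `Security: CSRF, Firewall, etc ect` and could drop CSRF now that it lives in its own app.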