beware of views that logout the user

2011-04-20 18:05:16 -07:00 · 2011-04-20 18:05:16 -07:00 · 76acc509f1
--- a/session_csrf/init.py
+++ b/session_csrf/init.py
@ -1,7 +1,6 @@
 """CSRF protection without cookies."""
 import functools

-import django.core.context_processors
 from django.conf import settings
 from django.core.cache import cache
 from django.middleware import csrf as django_csrf
@ -91,7 +90,8 @@ def anonymous_csrf(f):
    """Decorator that assigns a CSRF token to an anonymous user."""
    @functools.wraps(f)
    def wrapper(request, *args, **kw):
-        if not request.user.is_authenticated():
+        anon = not request.user.is_authenticated()
+        if anon:
            if ANON_COOKIE in request.COOKIES:
                key = request.COOKIES[ANON_COOKIE]
                token = cache.get(key)
@ -101,7 +101,7 @@ def anonymous_csrf(f):
            cache.set(key, token, ANON_TIMEOUT)
            request.csrf_token = token
        response = f(request, *args, **kw)
-        if not request.user.is_authenticated():
+        if anon:
            # Set or reset the cache and cookie timeouts.
            response.set_cookie(ANON_COOKIE, key, max_age=ANON_TIMEOUT,
                                httponly=True)
--- a/session_csrf/tests.py
+++ b/session_csrf/tests.py
@ -3,12 +3,13 @@ from collections import namedtuple
 import django.test
 from django import http
 from django.conf.urls.defaults import patterns
+from django.contrib.auth import logout
 from django.contrib.auth.models import User
 from django.contrib.sessions.models import Session
+from django.core import signals
 from django.core.cache import cache
 from django.core.handlers.wsgi import WSGIRequest
 from django.db import close_connection
-from django.shortcuts import render
 from django.template import context

 import mock
@ -19,6 +20,7 @@ from session_csrf import CsrfMiddleware, anonymous_csrf
 urlpatterns = patterns('',
    ('^$', lambda r: http.HttpResponse()),
    ('^anon$', anonymous_csrf(lambda r: http.HttpResponse())),
+    ('^logout$', anonymous_csrf(lambda r: logout(r) or http.HttpResponse())),
 )


@ -209,6 +211,12 @@ class TestAnonymousCsrf(django.test.TestCase):
        self.assertIn('anoncsrf', response.cookies)
        self.assertEqual(response['Vary'], 'Cookie')

+    def test_anon_csrf_logout(self):
+        # Beware of views that logout the user.
+        self.login()
+        response = self.client.get('/logout')
+        self.assertEqual(response.status_code, 200)
+

 class ClientHandler(django.test.client.ClientHandler):
    """
@ -218,9 +226,6 @@ class ClientHandler(django.test.client.ClientHandler):
    """

    def __call__(self, environ):
-        from django.conf import settings
-        from django.core import signals
-
        # Set up middleware if needed. We couldn't do this earlier, because
        # settings weren't available.
        if self._request_middleware is None: