Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.

This also adds CSRF_COOKIE_MASKED transitional setting helpful in migrating multiple instance of the same project to Django 4.1+. Thanks Florian Apolloner and Shai Berger for reviews. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-10-24 06:06:09 +00:00 · 2021-08-17 09:13:13 -04:00
parent 05e29da421
commit 5d80843ebc
10 changed files with 284 additions and 143 deletions
--- a/tests/deprecation/test_csrf_cookie_masked.py
+++ b/tests/deprecation/test_csrf_cookie_masked.py
@@ -0,0 +1,30 @@
+import sys
+from types import ModuleType
+
+from django.conf import CSRF_COOKIE_MASKED_DEPRECATED_MSG, Settings, settings
+from django.test import SimpleTestCase
+from django.utils.deprecation import RemovedInDjango50Warning
+
+
+class CsrfCookieMaskedDeprecationTests(SimpleTestCase):
+    msg = CSRF_COOKIE_MASKED_DEPRECATED_MSG
+
+    def test_override_settings_warning(self):
+        with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg):
+            with self.settings(CSRF_COOKIE_MASKED=True):
+                pass
+
+    def test_settings_init_warning(self):
+        settings_module = ModuleType('fake_settings_module')
+        settings_module.USE_TZ = False
+        settings_module.CSRF_COOKIE_MASKED = True
+        sys.modules['fake_settings_module'] = settings_module
+        try:
+            with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg):
+                Settings('fake_settings_module')
+        finally:
+            del sys.modules['fake_settings_module']
+
+    def test_access(self):
+        # Warning is not raised on access.
+        self.assertEqual(settings.CSRF_COOKIE_MASKED, False)