Fixed #24389 -- Isolated the CSRF view from the TEMPLATES setting.

Thanks uranusjr for the report and analysis.
2025-10-31 09:41:08 +00:00 · 2015-02-22 15:40:04 +01:00
parent eba6dff581
commit 88a5f17d25
2 changed files with 17 additions and 6 deletions
--- a/django/views/csrf.py
+++ b/django/views/csrf.py
@@ -1,6 +1,6 @@
 from django.conf import settings
 from django.http import HttpResponseForbidden
-from django.template import Context, Template
+from django.template import Context, Engine
 from django.utils.translation import ugettext as _
 from django.utils.version import get_docs_version

@@ -67,9 +67,9 @@ CSRF_FAILURE_TEMPLATE = """
  <ul>
    <li>Your browser is accepting cookies.</li>

-    <li>The view function uses <a
-    href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/templates/api/#subclassing-context-requestcontext"><code>RequestContext</code></a>
-    for the template, instead of <code>Context</code>.</li>
+    <li>The view function passes a <code>request</code> to the template's <a
+    href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>
+    method.</li>

    <li>In the template, there is a <code>{% templatetag openblock %} csrf_token
    {% templatetag closeblock %}</code> template tag inside each POST form that
@@ -102,7 +102,7 @@ def csrf_failure(request, reason=""):
    Default view used when request fails CSRF protection
    """
    from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE
-    t = Template(CSRF_FAILURE_TEMPLATE)
+    t = Engine().from_string(CSRF_FAILURE_TEMPLATE)
    c = Context({
        'title': _("Forbidden"),
        'main': _("CSRF verification failed. Request aborted."),
--- a/tests/view_tests/tests/test_csrf.py
+++ b/tests/view_tests/tests/test_csrf.py
@@ -21,7 +21,6 @@ class CsrfViewTests(TestCase):
        """
        Test that an invalid request is rejected with a localized error message.
        """
-
        response = self.client.post('/')
        self.assertContains(response, "Forbidden", status_code=403)
        self.assertContains(response,
@@ -63,3 +62,15 @@ class CsrfViewTests(TestCase):
                            "ensure that your browser is not being hijacked "
                            "by third parties.",
                            status_code=403)
+
+    # In Django 2.0, this can be changed to TEMPLATES=[] because the code path
+    # that reads the TEMPLATE_* settings in that case will have been removed.
+    @override_settings(TEMPLATES=[{
+        'BACKEND': 'django.template.backends.dummy.TemplateStrings',
+    }])
+    def test_no_django_template_engine(self):
+        """
+        The CSRF view doesn't depend on the TEMPLATES configuration (#24388).
+        """
+        response = self.client.post('/')
+        self.assertContains(response, "Forbidden", status_code=403)