
1from django.conf import settings 

2from django.http import HttpResponseForbidden 

3from django.template import Context, Engine, TemplateDoesNotExist, loader 

4from django.utils.translation import gettext as _ 

5from django.utils.version import get_docs_version 

6 

7# We include the template inline since we need to be able to reliably display 

8# this error message, especially for the sake of developers, and there isn't any 

9# other way of making it available independent of what is in the settings file. 

10 

11# Only the text appearing with DEBUG=False is translated. Normal translation 

12# tags cannot be used with this inline template as makemessages would not be 

13# able to discover the strings. 

14 

# Fallback markup for the 403 page served by csrf_failure() when no
# "403_csrf.html" template is found. It is rendered through a bare Engine()
# (see csrf_failure), not the configured template backends. The {% if DEBUG %}
# branch is the only place the failure `reason` and the help text appear, so
# a DEBUG=False deployment discloses nothing beyond the generic summary and
# the `more` hint.
# NOTE(review): Engine() is constructed with default settings in csrf_failure;
# whether {{ reason }} and the help text are autoescaped follows from those
# defaults — confirm against the Engine defaults for the Django version in use.
CSRF_FAILURE_TEMPLATE = """
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
<div id="summary">
  <h1>{{ title }} <span>(403)</span></h1>
  <p>{{ main }}</p>
{% if no_referer %}
  <p>{{ no_referer1 }}</p>
  <p>{{ no_referer2 }}</p>
  <p>{{ no_referer3 }}</p>
{% endif %}
{% if no_cookie %}
  <p>{{ no_cookie1 }}</p>
  <p>{{ no_cookie2 }}</p>
{% endif %}
</div>
{% if DEBUG %}
<div id="info">
  <h2>Help</h2>
    {% if reason %}
    <p>Reason given for failure:</p>
    <pre>
    {{ reason }}
    </pre>
    {% endif %}

  <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
  <a
  href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/csrf/">Django’s
  CSRF mechanism</a> has not been used correctly.  For POST forms, you need to
  ensure:</p>

  <ul>
    <li>Your browser is accepting cookies.</li>

    <li>The view function passes a <code>request</code> to the template’s <a
    href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>
    method.</li>

    <li>In the template, there is a <code>{% templatetag openblock %} csrf_token
    {% templatetag closeblock %}</code> template tag inside each POST form that
    targets an internal URL.</li>

    <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
    <code>csrf_protect</code> on any views that use the <code>csrf_token</code>
    template tag, as well as those that accept the POST data.</li>

    <li>The form has a valid CSRF token. After logging in in another browser
    tab or hitting the back button after a login, you may need to reload the
    page with the form, because the token is rotated after a login.</li>
  </ul>

  <p>You’re seeing the help section of this page because you have <code>DEBUG =
  True</code> in your Django settings file. Change that to <code>False</code>,
  and only the initial error message will be displayed.  </p>

  <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>
{% else %}
<div id="explanation">
  <p><small>{{ more }}</small></p>
</div>
{% endif %}
</body>
</html>
"""  # NOQA
# Name of the project-provided template csrf_failure() looks up first. Only
# when *this* name is missing does the view fall back to the inline string
# above; a caller-supplied template_name that is missing raises instead.
CSRF_FAILURE_TEMPLATE_NAME = "403_csrf.html"

102 

103 

def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
    """
    Default view used when a request fails CSRF protection.

    Renders a 403 page. The project template named by ``template_name`` is
    tried first; if that is the default ``CSRF_FAILURE_TEMPLATE_NAME`` and it
    does not exist, the inline ``CSRF_FAILURE_TEMPLATE`` string is used
    instead.

    Args:
        request: The failing request. It is not read by this view body; it
            is part of the signature so the view can be wired in as
            ``CSRF_FAILURE_VIEW``.
        reason: The failure reason supplied by the CSRF middleware. It is
            compared against the middleware's no-referer / no-cookie constants
            to pick the user-facing explanation, and is passed to the template
            as ``reason``; the inline template only prints it inside its
            ``{% if DEBUG %}`` branch.
        template_name: Template to render. Defaults to
            ``CSRF_FAILURE_TEMPLATE_NAME``.

    Returns:
        An ``HttpResponseForbidden`` with content type ``text/html``.

    Raises:
        TemplateDoesNotExist: If a non-default ``template_name`` is given and
            cannot be loaded (the default name silently falls back instead).
    """
    # Local import, as in the surrounding Django code — likely to avoid an
    # import cycle between the middleware and this view module.
    from django.middleware.csrf import REASON_NO_CSRF_COOKIE, REASON_NO_REFERER

    missing_referer = reason == REASON_NO_REFERER
    missing_cookie = reason == REASON_NO_CSRF_COOKIE

    context = {
        "title": _("Forbidden"),
        "main": _("CSRF verification failed. Request aborted."),
        "reason": reason,
        "no_referer": missing_referer,
        "no_referer1": _(
            "You are seeing this message because this HTTPS site requires a "
            "“Referer header” to be sent by your web browser, but none was "
            "sent. This header is required for security reasons, to ensure "
            "that your browser is not being hijacked by third parties."
        ),
        "no_referer2": _(
            "If you have configured your browser to disable “Referer” headers, "
            "please re-enable them, at least for this site, or for HTTPS "
            "connections, or for “same-origin” requests."
        ),
        "no_referer3": _(
            'If you are using the <meta name="referrer" '
            'content="no-referrer"> tag or including the “Referrer-Policy: '
            "no-referrer” header, please remove them. The CSRF protection "
            "requires the “Referer” header to do strict referer checking. If "
            "you’re concerned about privacy, use alternatives like "
            '<a rel="noreferrer" …> for links to third-party sites.'
        ),
        "no_cookie": missing_cookie,
        "no_cookie1": _(
            "You are seeing this message because this site requires a CSRF "
            "cookie when submitting forms. This cookie is required for "
            "security reasons, to ensure that your browser is not being "
            "hijacked by third parties."
        ),
        "no_cookie2": _(
            "If you have configured your browser to disable cookies, please "
            "re-enable them, at least for this site, or for “same-origin” "
            "requests."
        ),
        # DEBUG gates the help section (and the printed reason) in the
        # inline template, so production responses stay generic.
        "DEBUG": settings.DEBUG,
        "docs_version": get_docs_version(),
        "more": _("More information is available with DEBUG=True."),
    }

    try:
        template = loader.get_template(template_name)
    except TemplateDoesNotExist:
        # A developer-specified template that is missing is an error; only
        # the default name falls back to the inline string template.
        if template_name != CSRF_FAILURE_TEMPLATE_NAME:
            raise
        template = Engine().from_string(CSRF_FAILURE_TEMPLATE)
        # The low-level Engine template is rendered with a Context object
        # rather than the plain dict the loader-backed template accepts.
        context = Context(context)

    return HttpResponseForbidden(template.render(context), content_type="text/html")