remove the list from response.vary. not sure why I was getting an error using openid...

[mediagoblin.git] / mediagoblin / meddleware / csrf.py

diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index a4e4e5c658abcf88211f8d522f4efda8df3a24cf..661f0ba23cc8f317a7b7c491644109ddc8761c31 100644 (file)
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -1,5 +1,5 @@
 # GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011 MediaGoblin contributors.  See AUTHORS.
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -14,14 +14,17 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import hashlib
 import random
+import logging
 
-from webob.exc import HTTPForbidden
+from werkzeug.exceptions import Forbidden
 from wtforms import Form, HiddenField, validators
 
 from mediagoblin import mg_globals
 from mediagoblin.meddleware import BaseMeddleware
+from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
+
+_log = logging.getLogger(__name__)
 
 # Use the system (hardware-based) random number generator if it exists.
 # -- this optimization is lifted from Django
@@ -78,7 +81,7 @@ class CsrfMeddleware(BaseMeddleware):
             request.environ['CSRF_TOKEN'] = \
                 request.cookies[mg_globals.app_config['csrf_cookie_name']]
 
-        except KeyError, e:
+        except KeyError:
             # if it doesn't exist, make a new one
             request.environ['CSRF_TOKEN'] = self._make_token(request)
 
@@ -125,11 +128,16 @@ class CsrfMeddleware(BaseMeddleware):
             None)
 
         if cookie_token is None:
-            # the CSRF cookie must be present in the request
-            return HTTPForbidden()
+            # the CSRF cookie must be present in the request, if not a
+            # cookie blocker might be in action (in the best case)
+            _log.error('CSRF cookie not present')
+            raise Forbidden(_('CSRF cookie not present. This is most likely '
+                              'the result of a cookie blocker or somesuch.<br/>'
+                              'Make sure to permit the settings of cookies for '
+                              'this domain.'))
 
         # get the form token and confirm it matches
-        form = CsrfForm(request.POST)
+        form = CsrfForm(request.form)
         if form.validate():
             form_token = form.csrf_token.data
 
@@ -139,4 +147,6 @@ class CsrfMeddleware(BaseMeddleware):
 
         # either the tokens didn't match or the form token wasn't
         # present; either way, the request is denied
-        return HTTPForbidden()
+        errstr = 'CSRF validation failed'
+        _log.error(errstr)
+        raise Forbidden(errstr)