This was suggested by Nathan Yergler in the bug logs.
Just implementing it.
- Let render_csrf_form_token return None if the CSRF_TOKEN
is not available in the environ, because the
process_request part of the middleware has not yet run.
- In render_template: If the returned value from above is
None, then do not add the csrf_token to the templates
context.
"""Render the CSRF token in a format suitable for inclusion in a
form."""
+ if 'CSRF_TOKEN' not in request.environ:
+ return None
+
form = CsrfForm(csrf_token=request.environ['CSRF_TOKEN'])
return form.csrf_token
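Review bot: the docstring above the new early return still describes only the form-token case and does not mention the None result. It should state that the function returns None when 'CSRF_TOKEN' is absent from request.environ, so that every caller knows to check for it before using the value. Since that path means a page is being rendered without a token, a debug-level log line in the `if 'CSRF_TOKEN' not in request.environ:` branch would also make it visible when it happens.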
template = request.template_env.get_template(
template_path)
context['request'] = request
- context['csrf_token'] = render_csrf_form_token(request)
+ rendered_csrf_token = render_csrf_form_token(request)
+ if rendered_csrf_token is not None:
+ context['csrf_token'] = render_csrf_form_token(request)
rendered = template.render(context)
if common.TESTS_ENABLED:
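Review bot: inside the new `if rendered_csrf_token is not None:` branch, the assignment calls render_csrf_form_token(request) a second time instead of using the value that was just checked. Change it to `context['csrf_token'] = rendered_csrf_token`, so the value tested is the value stored in the context and the form is only built once.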