From 71c6c432a5fe8fe0f96dac284562a8e1b981d669 Mon Sep 17 00:00:00 2001 From: Elrond Date: Sat, 3 Dec 2011 21:20:11 +0100 Subject: [PATCH] Bug #685: only provide CSRF token if it exists This was suggested by Nathan Yergler in the bug logs. Just implementing it. - Let render_csrf_form_token return None, if the CSRF_TOKEN is not available in the environ, because the process_request part of the meddleware has not yet run. - In render_template: If the returned value from above is None, then do not add the csrf_token to the templates context. --- mediagoblin/meddleware/csrf.py | 3 +++ mediagoblin/tools/template.py | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py index 16541bee..a4e4e5c6 100644 --- a/mediagoblin/meddleware/csrf.py +++ b/mediagoblin/meddleware/csrf.py @@ -50,6 +50,9 @@ def render_csrf_form_token(request): """Render the CSRF token in a format suitable for inclusion in a form.""" + if 'CSRF_TOKEN' not in request.environ: + return None + form = CsrfForm(csrf_token=request.environ['CSRF_TOKEN']) return form.csrf_token diff --git a/mediagoblin/tools/template.py b/mediagoblin/tools/template.py index f48b7c2e..d0400347 100644 --- a/mediagoblin/tools/template.py +++ b/mediagoblin/tools/template.py @@ -79,7 +79,9 @@ def render_template(request, template_path, context): template = request.template_env.get_template( template_path) context['request'] = request - context['csrf_token'] = render_csrf_form_token(request) + rendered_csrf_token = render_csrf_form_token(request) + if rendered_csrf_token is not None: + context['csrf_token'] = render_csrf_form_token(request) rendered = template.render(context) if common.TESTS_ENABLED: -- 2.25.1