2011-02-21 18:12:23 +08:00
|
|
|
from copy import copy
|
2014-01-21 04:15:14 +08:00
|
|
|
from django.utils.module_loading import import_string
|
2006-05-02 09:31:56 +08:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 07:23:07 +08:00
|
|
|
# Cache of actual callables.
|
2006-05-02 09:31:56 +08:00
|
|
|
_standard_context_processors = None
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 07:23:07 +08:00
|
|
|
# We need the CSRF processor no matter what the user has in their settings,
|
|
|
|
# because otherwise it is a security vulnerability, and we can't afford to leave
|
|
|
|
# this to human error or failure to read migration instructions.
|
2013-10-11 19:25:14 +08:00
|
|
|
_builtin_context_processors = ('django.core.context_processors.csrf',)
|
2006-05-02 09:31:56 +08:00
|
|
|
|
2013-11-03 04:12:09 +08:00
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
class ContextPopException(Exception):
|
|
|
|
"pop() has been called more times than push()"
|
|
|
|
pass
|
|
|
|
|
2013-07-16 19:11:32 +08:00
|
|
|
|
|
|
|
class ContextDict(dict):
|
|
|
|
def __init__(self, context, *args, **kwargs):
|
|
|
|
super(ContextDict, self).__init__(*args, **kwargs)
|
|
|
|
|
|
|
|
context.dicts.append(self)
|
|
|
|
self.context = context
|
|
|
|
|
|
|
|
def __enter__(self):
|
|
|
|
return self
|
|
|
|
|
|
|
|
def __exit__(self, *args, **kwargs):
|
|
|
|
self.context.pop()
|
|
|
|
|
|
|
|
|
2009-12-14 20:08:23 +08:00
|
|
|
class BaseContext(object):
|
|
|
|
def __init__(self, dict_=None):
|
2011-04-17 12:52:31 +08:00
|
|
|
self._reset_dicts(dict_)
|
|
|
|
|
|
|
|
def _reset_dicts(self, value=None):
|
2012-04-11 04:49:45 +08:00
|
|
|
builtins = {'True': True, 'False': False, 'None': None}
|
|
|
|
self.dicts = [builtins]
|
2012-04-11 21:00:38 +08:00
|
|
|
if value is not None:
|
|
|
|
self.dicts.append(value)
|
2006-05-02 09:31:56 +08:00
|
|
|
|
2011-02-21 18:12:23 +08:00
|
|
|
def __copy__(self):
|
2011-04-17 12:52:31 +08:00
|
|
|
duplicate = copy(super(BaseContext, self))
|
|
|
|
duplicate.dicts = self.dicts[:]
|
2011-02-21 18:12:23 +08:00
|
|
|
return duplicate
|
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
def __repr__(self):
|
|
|
|
return repr(self.dicts)
|
|
|
|
|
|
|
|
def __iter__(self):
|
2009-12-14 20:08:23 +08:00
|
|
|
for d in reversed(self.dicts):
|
2006-05-02 09:31:56 +08:00
|
|
|
yield d
|
|
|
|
|
2013-07-16 19:11:32 +08:00
|
|
|
def push(self, *args, **kwargs):
|
|
|
|
return ContextDict(self, *args, **kwargs)
|
2006-05-02 09:31:56 +08:00
|
|
|
|
|
|
|
def pop(self):
|
|
|
|
if len(self.dicts) == 1:
|
|
|
|
raise ContextPopException
|
2009-12-14 20:08:23 +08:00
|
|
|
return self.dicts.pop()
|
2006-05-02 09:31:56 +08:00
|
|
|
|
|
|
|
def __setitem__(self, key, value):
|
|
|
|
"Set a variable in the current context"
|
2009-12-14 20:08:23 +08:00
|
|
|
self.dicts[-1][key] = value
|
2006-05-02 09:31:56 +08:00
|
|
|
|
|
|
|
def __getitem__(self, key):
|
|
|
|
"Get a variable's value, starting at the current context and going upward"
|
2009-12-14 20:08:23 +08:00
|
|
|
for d in reversed(self.dicts):
|
2007-04-26 21:30:48 +08:00
|
|
|
if key in d:
|
2006-05-02 09:31:56 +08:00
|
|
|
return d[key]
|
2006-07-04 11:21:44 +08:00
|
|
|
raise KeyError(key)
|
2006-05-02 09:31:56 +08:00
|
|
|
|
|
|
|
def __delitem__(self, key):
|
|
|
|
"Delete a variable from the current context"
|
2009-12-14 20:08:23 +08:00
|
|
|
del self.dicts[-1][key]
|
2006-05-02 09:31:56 +08:00
|
|
|
|
|
|
|
def has_key(self, key):
|
|
|
|
for d in self.dicts:
|
2007-04-26 21:30:48 +08:00
|
|
|
if key in d:
|
2006-05-02 09:31:56 +08:00
|
|
|
return True
|
|
|
|
return False
|
|
|
|
|
2009-12-14 20:08:23 +08:00
|
|
|
def __contains__(self, key):
|
|
|
|
return self.has_key(key)
|
2007-02-10 17:02:00 +08:00
|
|
|
|
2006-07-04 11:21:44 +08:00
|
|
|
def get(self, key, otherwise=None):
|
2009-12-14 20:08:23 +08:00
|
|
|
for d in reversed(self.dicts):
|
2007-04-26 21:30:48 +08:00
|
|
|
if key in d:
|
2006-05-02 09:31:56 +08:00
|
|
|
return d[key]
|
|
|
|
return otherwise
|
|
|
|
|
2011-04-17 12:52:31 +08:00
|
|
|
def new(self, values=None):
|
|
|
|
"""
|
|
|
|
Returns a new context with the same properties, but with only the
|
|
|
|
values given in 'values' stored.
|
|
|
|
"""
|
|
|
|
new_context = copy(self)
|
|
|
|
new_context._reset_dicts(values)
|
|
|
|
return new_context
|
|
|
|
|
2013-07-16 19:11:32 +08:00
|
|
|
|
2009-12-14 20:08:23 +08:00
|
|
|
class Context(BaseContext):
|
|
|
|
"A stack container for variable context"
|
2011-11-18 21:01:06 +08:00
|
|
|
def __init__(self, dict_=None, autoescape=True, current_app=None,
|
|
|
|
use_l10n=None, use_tz=None):
|
2009-12-14 20:08:23 +08:00
|
|
|
self.autoescape = autoescape
|
|
|
|
self.current_app = current_app
|
2011-11-18 21:01:06 +08:00
|
|
|
self.use_l10n = use_l10n
|
|
|
|
self.use_tz = use_tz
|
2009-12-14 20:08:23 +08:00
|
|
|
self.render_context = RenderContext()
|
|
|
|
super(Context, self).__init__(dict_)
|
|
|
|
|
2011-02-21 18:12:23 +08:00
|
|
|
def __copy__(self):
|
2011-04-19 10:14:07 +08:00
|
|
|
duplicate = super(Context, self).__copy__()
|
2011-02-21 18:12:23 +08:00
|
|
|
duplicate.render_context = copy(self.render_context)
|
|
|
|
return duplicate
|
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
def update(self, other_dict):
|
2010-11-24 08:36:36 +08:00
|
|
|
"Pushes other_dict to the stack of dictionaries in the Context"
|
2009-03-19 00:55:59 +08:00
|
|
|
if not hasattr(other_dict, '__getitem__'):
|
2008-08-02 05:37:38 +08:00
|
|
|
raise TypeError('other_dict must be a mapping (dictionary-like) object.')
|
2009-12-14 20:08:23 +08:00
|
|
|
self.dicts.append(other_dict)
|
2007-12-03 07:57:22 +08:00
|
|
|
return other_dict
|
2006-05-02 09:31:56 +08:00
|
|
|
|
2013-07-16 19:11:32 +08:00
|
|
|
|
2009-12-14 20:08:23 +08:00
|
|
|
class RenderContext(BaseContext):
|
|
|
|
"""
|
|
|
|
A stack container for storing Template state.
|
|
|
|
|
|
|
|
RenderContext simplifies the implementation of template Nodes by providing a
|
|
|
|
safe place to store state between invocations of a node's `render` method.
|
|
|
|
|
|
|
|
The RenderContext also provides scoping rules that are more sensible for
|
|
|
|
'template local' variables. The render context stack is pushed before each
|
|
|
|
template is rendered, creating a fresh scope with nothing in it. Name
|
|
|
|
resolution fails if a variable is not found at the top of the RequestContext
|
|
|
|
stack. Thus, variables are local to a specific template and don't affect the
|
|
|
|
rendering of other templates as they would if they were stored in the normal
|
|
|
|
template context.
|
|
|
|
"""
|
|
|
|
def __iter__(self):
|
|
|
|
for d in self.dicts[-1]:
|
|
|
|
yield d
|
|
|
|
|
|
|
|
def has_key(self, key):
|
|
|
|
return key in self.dicts[-1]
|
|
|
|
|
|
|
|
def get(self, key, otherwise=None):
|
2013-12-19 13:42:32 +08:00
|
|
|
return self.dicts[-1].get(key, otherwise)
|
2009-12-14 20:08:23 +08:00
|
|
|
|
2013-12-19 13:42:32 +08:00
|
|
|
def __getitem__(self, key):
|
|
|
|
return self.dicts[-1][key]
|
2013-11-03 08:37:15 +08:00
|
|
|
|
2013-12-20 12:43:34 +08:00
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
# This is a function rather than module-level procedural code because we only
|
|
|
|
# want it to execute if somebody uses RequestContext.
|
|
|
|
def get_standard_processors():
|
2009-03-31 04:15:01 +08:00
|
|
|
from django.conf import settings
|
2006-05-02 09:31:56 +08:00
|
|
|
global _standard_context_processors
|
|
|
|
if _standard_context_processors is None:
|
|
|
|
processors = []
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 07:23:07 +08:00
|
|
|
collect = []
|
|
|
|
collect.extend(_builtin_context_processors)
|
|
|
|
collect.extend(settings.TEMPLATE_CONTEXT_PROCESSORS)
|
|
|
|
for path in collect:
|
2014-01-21 04:15:14 +08:00
|
|
|
func = import_string(path)
|
2006-05-02 09:31:56 +08:00
|
|
|
processors.append(func)
|
|
|
|
_standard_context_processors = tuple(processors)
|
|
|
|
return _standard_context_processors
|
|
|
|
|
2013-11-03 08:37:15 +08:00
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
class RequestContext(Context):
|
|
|
|
"""
|
|
|
|
This subclass of template.Context automatically populates itself using
|
|
|
|
the processors defined in TEMPLATE_CONTEXT_PROCESSORS.
|
|
|
|
Additional processors can be specified as a list of callables
|
|
|
|
using the "processors" keyword argument.
|
|
|
|
"""
|
2011-11-18 21:01:06 +08:00
|
|
|
def __init__(self, request, dict_=None, processors=None, current_app=None,
|
|
|
|
use_l10n=None, use_tz=None):
|
|
|
|
Context.__init__(self, dict_, current_app=current_app,
|
|
|
|
use_l10n=use_l10n, use_tz=use_tz)
|
2006-05-02 09:31:56 +08:00
|
|
|
if processors is None:
|
|
|
|
processors = ()
|
|
|
|
else:
|
|
|
|
processors = tuple(processors)
|
2013-08-29 12:08:01 +08:00
|
|
|
updates = dict()
|
2006-05-02 09:31:56 +08:00
|
|
|
for processor in get_standard_processors() + processors:
|
2013-08-29 12:08:01 +08:00
|
|
|
updates.update(processor(request))
|
|
|
|
self.update(updates)
|