From 88a5f17d25a25dbd2ebcf905dcecc45ce78a1615 Mon Sep 17 00:00:00 2001
From: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sun, 22 Feb 2015 15:40:04 +0100
Subject: [PATCH] Fixed #24389 -- Isolated the CSRF view from the TEMPLATES
 setting.

Thanks uranusjr for the report and analysis.
---
 django/views/csrf.py                | 10 +++++-----
 tests/view_tests/tests/test_csrf.py | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/django/views/csrf.py b/django/views/csrf.py
index aa227d3b6e..9ab9c44171 100644
--- a/django/views/csrf.py
+++ b/django/views/csrf.py
@@ -1,6 +1,6 @@
 from django.conf import settings
 from django.http import HttpResponseForbidden
-from django.template import Context, Template
+from django.template import Context, Engine
 from django.utils.translation import ugettext as _
 from django.utils.version import get_docs_version
 
@@ -67,9 +67,9 @@ CSRF_FAILURE_TEMPLATE = """
   <ul>
     <li>Your browser is accepting cookies.</li>
 
-    <li>The view function uses <a
-    href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/templates/api/#subclassing-context-requestcontext"><code>RequestContext</code></a>
-    for the template, instead of <code>Context</code>.</li>
+    <li>The view function passes a <code>request</code> to the template's <a
+    href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>
+    method.</li>
 
     <li>In the template, there is a <code>{% templatetag openblock %} csrf_token
     {% templatetag closeblock %}</code> template tag inside each POST form that
@@ -102,7 +102,7 @@ def csrf_failure(request, reason=""):
     Default view used when request fails CSRF protection
     """
     from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE
-    t = Template(CSRF_FAILURE_TEMPLATE)
+    t = Engine().from_string(CSRF_FAILURE_TEMPLATE)
     c = Context({
         'title': _("Forbidden"),
         'main': _("CSRF verification failed. Request aborted."),
diff --git a/tests/view_tests/tests/test_csrf.py b/tests/view_tests/tests/test_csrf.py
index 4d82588f88..9baee9ce34 100644
--- a/tests/view_tests/tests/test_csrf.py
+++ b/tests/view_tests/tests/test_csrf.py
@@ -21,7 +21,6 @@ class CsrfViewTests(TestCase):
         """
         Test that an invalid request is rejected with a localized error message.
         """
-
         response = self.client.post('/')
         self.assertContains(response, "Forbidden", status_code=403)
         self.assertContains(response,
@@ -63,3 +62,15 @@ class CsrfViewTests(TestCase):
                             "ensure that your browser is not being hijacked "
                             "by third parties.",
                             status_code=403)
+
+    # In Django 2.0, this can be changed to TEMPLATES=[] because the code path
+    # that reads the TEMPLATE_* settings in that case will have been removed.
+    @override_settings(TEMPLATES=[{
+        'BACKEND': 'django.template.backends.dummy.TemplateStrings',
+    }])
+    def test_no_django_template_engine(self):
+        """
+        The CSRF view doesn't depend on the TEMPLATES configuration (#24388).
+        """
+        response = self.client.post('/')
+        self.assertContains(response, "Forbidden", status_code=403)