From 940b7fd5cbcd743658f741d37b3d7b1766ed1f17 Mon Sep 17 00:00:00 2001 From: Krzysztof Jurewicz Date: Mon, 28 Mar 2016 19:23:04 +0200 Subject: [PATCH] Fixed #21446 -- Allowed not performing redirect in set_language view Thanks Claude Paroz and Tim Graham for polishing the patch. --- django/views/i18n.py | 11 ++-- docs/releases/1.10.txt | 7 +++ docs/topics/i18n/translation.txt | 21 ++++--- tests/view_tests/tests/test_i18n.py | 85 ++++++++++++++++++++++++++--- 4 files changed, 105 insertions(+), 19 deletions(-) diff --git a/django/views/i18n.py b/django/views/i18n.py index 92d75b259d..1649de6f0c 100644 --- a/django/views/i18n.py +++ b/django/views/i18n.py @@ -34,17 +34,18 @@ def set_language(request): any state. """ next = request.POST.get('next', request.GET.get('next')) - if not is_safe_url(url=next, host=request.get_host()): + if (next or not request.is_ajax()) and not is_safe_url(url=next, host=request.get_host()): next = request.META.get('HTTP_REFERER') if not is_safe_url(url=next, host=request.get_host()): next = '/' - response = http.HttpResponseRedirect(next) + response = http.HttpResponseRedirect(next) if next else http.HttpResponse(status=204) if request.method == 'POST': lang_code = request.POST.get(LANGUAGE_QUERY_PARAMETER) if lang_code and check_for_language(lang_code): - next_trans = translate_url(next, lang_code) - if next_trans != next: - response = http.HttpResponseRedirect(next_trans) + if next: + next_trans = translate_url(next, lang_code) + if next_trans != next: + response = http.HttpResponseRedirect(next_trans) if hasattr(request, 'session'): request.session[LANGUAGE_SESSION_KEY] = lang_code else: diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt index 29c9327f99..eee19584f7 100644 --- a/docs/releases/1.10.txt +++ b/docs/releases/1.10.txt @@ -267,6 +267,10 @@ Internationalization :func:`~django.conf.urls.i18n.i18n_patterns` to ``False``, you can allow accessing the default language without a URL prefix. +* :func:`~django.views.i18n.set_language` now returns a 204 status code (No + Content) for AJAX requests when there is no ``next`` parameter in ``POST`` or + ``GET``. + Management Commands ~~~~~~~~~~~~~~~~~~~ @@ -695,6 +699,9 @@ Miscellaneous :meth:`~django.test.Client.login()` method no longer always rejects inactive users but instead delegates this decision to the authentication backend. +* :func:`django.views.i18n.set_language` may now return a 204 status code for + AJAX requests. + .. _deprecated-features-1.10: Features deprecated in 1.10 diff --git a/docs/topics/i18n/translation.txt b/docs/topics/i18n/translation.txt index 7be20f6d23..54e3483f97 100644 --- a/docs/topics/i18n/translation.txt +++ b/docs/topics/i18n/translation.txt @@ -1788,14 +1788,21 @@ saves the language choice in the user's session. Otherwise, it saves the language choice in a cookie that is by default named ``django_language``. (The name can be changed through the :setting:`LANGUAGE_COOKIE_NAME` setting.) -After setting the language choice, Django redirects the user, following this -algorithm: +After setting the language choice, Django looks for a ``next`` parameter in the +``POST`` or ``GET`` data. If that is found and Django considers it to be a safe +URL (i.e. it doesn't point to a different host and uses a safe scheme), a +redirect to that URL will be performed. Otherwise, Django may fall back to +redirecting the user to the URL from the ``Referer`` header or, if it is not +set, to ``/``, depending on the nature of the request: -* Django looks for a ``next`` parameter in the ``POST`` data. -* If that doesn't exist, or is empty, Django tries the URL in the - ``Referrer`` header. -* If that's empty -- say, if a user's browser suppresses that header -- - then the user will be redirected to ``/`` (the site root) as a fallback. +* For AJAX requests, the fallback will be performed only if the ``next`` + parameter was set. Otherwise a 204 status code (No Content) will be returned. +* For non-AJAX requests, the fallback will always be performed. + +.. versionchanged:: 1.10 + + Returning a 204 status code for AJAX requests when no redirect is specified + is new. Here's example HTML template code: diff --git a/tests/view_tests/tests/test_i18n.py b/tests/view_tests/tests/test_i18n.py index a957d32d96..f1417003d2 100644 --- a/tests/view_tests/tests/test_i18n.py +++ b/tests/view_tests/tests/test_i18n.py @@ -13,7 +13,9 @@ from django.test.selenium import SeleniumTestCase from django.urls import reverse from django.utils import six from django.utils._os import upath -from django.utils.translation import LANGUAGE_SESSION_KEY, override +from django.utils.translation import ( + LANGUAGE_SESSION_KEY, get_language, override, +) from ..urls import locale_dir @@ -22,29 +24,98 @@ from ..urls import locale_dir class I18NTests(TestCase): """ Tests django views in django/views/i18n.py """ + def _get_inactive_language_code(self): + """Return language code for a language which is not activated.""" + current_language = get_language() + return [code for code, name in settings.LANGUAGES if not code == current_language][0] + def test_setlang(self): """ The set_language view can be used to change the session language. The user is redirected to the 'next' argument if provided. """ - for lang_code, lang_name in settings.LANGUAGES: - post_data = dict(language=lang_code, next='/') - response = self.client.post('/i18n/setlang/', data=post_data) - self.assertRedirects(response, '/') - self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + lang_code = self._get_inactive_language_code() + post_data = dict(language=lang_code, next='/') + response = self.client.post('/i18n/setlang/', post_data, HTTP_REFERER='/i_should_not_be_used/') + self.assertRedirects(response, '/') + self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) def test_setlang_unsafe_next(self): """ The set_language view only redirects to the 'next' argument if it is "safe". """ - lang_code, lang_name = settings.LANGUAGES[0] + lang_code = self._get_inactive_language_code() post_data = dict(language=lang_code, next='//unsafe/redirection/') response = self.client.post('/i18n/setlang/', data=post_data) self.assertEqual(response.url, '/') self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + def test_setlang_redirect_to_referer(self): + """ + The set_language view redirects to the URL in the referer header when + there isn't a "next" parameter. + """ + lang_code = self._get_inactive_language_code() + post_data = dict(language=lang_code) + response = self.client.post('/i18n/setlang/', post_data, HTTP_REFERER='/i18n/') + self.assertRedirects(response, '/i18n/', fetch_redirect_response=False) + self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + + def test_setlang_default_redirect(self): + """ + The set_language view redirects to '/' when there isn't a referer or + "next" parameter. + """ + lang_code = self._get_inactive_language_code() + post_data = dict(language=lang_code) + response = self.client.post('/i18n/setlang/', post_data) + self.assertRedirects(response, '/') + self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + + def test_setlang_performs_redirect_for_ajax_if_explicitly_requested(self): + """ + The set_language view redirects to the "next" parameter for AJAX calls. + """ + lang_code = self._get_inactive_language_code() + post_data = dict(language=lang_code, next='/') + response = self.client.post('/i18n/setlang/', post_data, HTTP_X_REQUESTED_WITH='XMLHttpRequest') + self.assertRedirects(response, '/') + self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + + def test_setlang_doesnt_perform_a_redirect_to_referer_for_ajax(self): + """ + The set_language view doesn't redirect to the HTTP referer header for + AJAX calls. + """ + lang_code = self._get_inactive_language_code() + post_data = dict(language=lang_code) + headers = {'HTTP_REFERER': '/', 'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest'} + response = self.client.post('/i18n/setlang/', post_data, **headers) + self.assertEqual(response.status_code, 204) + self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + + def test_setlang_doesnt_perform_a_default_redirect_for_ajax(self): + """ + The set_language view returns 204 for AJAX calls by default. + """ + lang_code = self._get_inactive_language_code() + post_data = dict(language=lang_code) + response = self.client.post('/i18n/setlang/', post_data, HTTP_X_REQUESTED_WITH='XMLHttpRequest') + self.assertEqual(response.status_code, 204) + self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + + def test_setlang_unsafe_next_for_ajax(self): + """ + The fallback to root URL for the set_language view works for AJAX calls. + """ + lang_code = self._get_inactive_language_code() + post_data = dict(language=lang_code, next='//unsafe/redirection/') + response = self.client.post('/i18n/setlang/', post_data, HTTP_X_REQUESTED_WITH='XMLHttpRequest') + self.assertEqual(response.url, '/') + self.assertEqual(self.client.session[LANGUAGE_SESSION_KEY], lang_code) + def test_setlang_reversal(self): self.assertEqual(reverse('set_language'), '/i18n/setlang/')