Fixed #22638 -- Changed CookieWizardView to ignore invalid cookies

2014-05-17 11:29:08 +02:00 · 2014-05-17 11:29:08 +02:00 · ba5ddf7aed
parent 3b765029f0
commit ba5ddf7aed
4 changed files with 9 additions and 18 deletions
--- a/django/contrib/formtools/exceptions.py
+++ b/django/contrib/formtools/exceptions.py
@ -1,6 +0,0 @@
-from django.core.exceptions import SuspiciousOperation
-
-
-class WizardViewCookieModified(SuspiciousOperation):
-    """Signature of cookie modified"""
-    pass
--- a/django/contrib/formtools/tests/wizard/test_cookiestorage.py
+++ b/django/contrib/formtools/tests/wizard/test_cookiestorage.py
@ -1,6 +1,5 @@
 from django.test import TestCase
 from django.core import signing
-from django.core.exceptions import SuspiciousOperation
 from django.http import HttpResponse

 from django.contrib.auth.tests.utils import skipIfCustomUser
@ -25,7 +24,7 @@ class TestCookieStorage(TestStorage, TestCase):
        self.assertEqual(storage.load_data(), {'key1': 'value1'})

        storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
-        self.assertRaises(SuspiciousOperation, storage.load_data)
+        self.assertIsNone(storage.load_data())

    def test_reset_cookie(self):
        request = get_request()
--- a/django/contrib/formtools/wizard/storage/cookie.py
+++ b/django/contrib/formtools/wizard/storage/cookie.py
@ -1,8 +1,5 @@
 import json

-from django.core.signing import BadSignature
-
-from django.contrib.formtools.exceptions import WizardViewCookieModified
 from django.contrib.formtools.wizard import storage


@ -16,12 +13,7 @@ class CookieStorage(storage.BaseStorage):
            self.init_data()

    def load_data(self):
-        try:
-            data = self.request.get_signed_cookie(self.prefix)
-        except KeyError:
-            data = None
-        except BadSignature:
-            raise WizardViewCookieModified('WizardView cookie manipulated')
+        data = self.request.get_signed_cookie(self.prefix, default=None)
        if data is None:
            return None
        return json.loads(data, cls=json.JSONDecoder)
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@ -45,7 +45,13 @@ Minor features
 :mod:`django.contrib.formtools`
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-* ...
+* A :doc:`form wizard </ref/contrib/formtools/form-wizard>` using the
+  :class:`~django.contrib.formtools.wizard.views.CookieWizardView` will now ignore
+  an invalid cookie, and the wizard will restart from the first step. An invalid
+  cookie can occur in cases of intentional manipulation, but also after a secret
+  key change. Previously, this would raise ``WizardViewCookieModified``, a
+  ``SuspiciousOperation``, causing an exception for any user with an invalid cookie
+  upon every request to the wizard, until the cookie is removed.

 :mod:`django.contrib.gis`
 ^^^^^^^^^^^^^^^^^^^^^^^^^^