mirror of https://github.com/django/django.git
Fixed #10643: fixed the formtools security hash to handle allowed empty forms or forms without changed data.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10753 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
fce800f3fd
commit
96b5b6b34c
|
@ -110,16 +110,31 @@ class SecurityHashTests(unittest.TestCase):
|
||||||
leading/trailing whitespace so as to be friendly to broken browsers that
|
leading/trailing whitespace so as to be friendly to broken browsers that
|
||||||
submit it (usually in textareas).
|
submit it (usually in textareas).
|
||||||
"""
|
"""
|
||||||
class TestForm(forms.Form):
|
f1 = HashTestForm({'name': 'joe', 'bio': 'Nothing notable.'})
|
||||||
name = forms.CharField()
|
f2 = HashTestForm({'name': ' joe', 'bio': 'Nothing notable. '})
|
||||||
bio = forms.CharField()
|
|
||||||
|
|
||||||
f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
|
|
||||||
f2 = TestForm({'name': ' joe', 'bio': 'Nothing notable. '})
|
|
||||||
hash1 = utils.security_hash(None, f1)
|
hash1 = utils.security_hash(None, f1)
|
||||||
hash2 = utils.security_hash(None, f2)
|
hash2 = utils.security_hash(None, f2)
|
||||||
self.assertEqual(hash1, hash2)
|
self.assertEqual(hash1, hash2)
|
||||||
|
|
||||||
|
def test_empty_permitted(self):
|
||||||
|
"""
|
||||||
|
Regression test for #10643: the security hash should allow forms with
|
||||||
|
empty_permitted = True, or forms where data has not changed.
|
||||||
|
"""
|
||||||
|
f1 = HashTestBlankForm({})
|
||||||
|
f2 = HashTestForm({}, empty_permitted=True)
|
||||||
|
hash1 = utils.security_hash(None, f1)
|
||||||
|
hash2 = utils.security_hash(None, f2)
|
||||||
|
self.assertEqual(hash1, hash2)
|
||||||
|
|
||||||
|
class HashTestForm(forms.Form):
|
||||||
|
name = forms.CharField()
|
||||||
|
bio = forms.CharField()
|
||||||
|
|
||||||
|
class HashTestBlankForm(forms.Form):
|
||||||
|
name = forms.CharField(required=False)
|
||||||
|
bio = forms.CharField(required=False)
|
||||||
|
|
||||||
#
|
#
|
||||||
# FormWizard tests
|
# FormWizard tests
|
||||||
#
|
#
|
||||||
|
|
|
@ -18,10 +18,16 @@ def security_hash(request, form, *args):
|
||||||
|
|
||||||
data = []
|
data = []
|
||||||
for bf in form:
|
for bf in form:
|
||||||
|
# Get the value from the form data. If the form allows empty or hasn't
|
||||||
|
# changed then don't call clean() to avoid trigger validation errors.
|
||||||
|
if form.empty_permitted and not form.has_changed():
|
||||||
|
value = bf.data or ''
|
||||||
|
else:
|
||||||
value = bf.field.clean(bf.data) or ''
|
value = bf.field.clean(bf.data) or ''
|
||||||
if isinstance(value, basestring):
|
if isinstance(value, basestring):
|
||||||
value = value.strip()
|
value = value.strip()
|
||||||
data.append((bf.name, value))
|
data.append((bf.name, value))
|
||||||
|
|
||||||
data.extend(args)
|
data.extend(args)
|
||||||
data.append(settings.SECRET_KEY)
|
data.append(settings.SECRET_KEY)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue