diff --git a/django/contrib/formtools/tests/__init__.py b/django/contrib/formtools/tests/__init__.py index cc38546866..a4324903bc 100644 --- a/django/contrib/formtools/tests/__init__.py +++ b/django/contrib/formtools/tests/__init__.py @@ -249,14 +249,6 @@ class WizardClass(wizard.FormWizard): return http.HttpResponse(success_string) -class UserSecuredWizardClass(WizardClass): - """ - Wizard with a custum security_hash method - """ - def security_hash(self, request, form): - return "123" - - class DummyRequest(http.HttpRequest): def __init__(self, POST=None): @@ -310,36 +302,7 @@ class WizardTests(TestCase): "wizard_step": "1"}) self.assertEqual(0, response.context['step0']) - def test_good_hash_django12(self): - """ - Form should advance if the hash is present and good, as calculated using - django 1.2 method. - """ - # We are hard-coding a hash value here, but that is OK, since we want to - # ensure that we don't accidentally change the algorithm. - data = {"0-field": "test", - "1-field": "test2", - "hash_0": "2fdbefd4c0cad51509478fbacddf8b13", - "wizard_step": "1"} - response = self.client.post('/wizard/', data) - self.assertEqual(2, response.context['step0']) - - def test_good_hash_django12_subclass(self): - """ - The Django 1.2 method of calulating hashes should *not* be used as a - fallback if the FormWizard subclass has provided their own method - of calculating a hash. - """ - # We are hard-coding a hash value here, but that is OK, since we want to - # ensure that we don't accidentally change the algorithm. - data = {"0-field": "test", - "1-field": "test2", - "hash_0": "2fdbefd4c0cad51509478fbacddf8b13", - "wizard_step": "1"} - response = self.client.post('/wizard2/', data) - self.assertEqual(0, response.context['step0']) - - def test_good_hash_current(self): + def test_good_hash(self): """ Form should advance if the hash is present and good, as calculated using current method. diff --git a/django/contrib/formtools/tests/urls.py b/django/contrib/formtools/tests/urls.py index b89b6e6ed1..45888f99b6 100644 --- a/django/contrib/formtools/tests/urls.py +++ b/django/contrib/formtools/tests/urls.py @@ -11,7 +11,4 @@ urlpatterns = patterns('', (r'^wizard/$', WizardClass([WizardPageOneForm, WizardPageTwoForm, WizardPageThreeForm])), - (r'^wizard2/$', UserSecuredWizardClass([WizardPageOneForm, - WizardPageTwoForm, - WizardPageThreeForm])) ) diff --git a/django/contrib/formtools/wizard.py b/django/contrib/formtools/wizard.py index d581f0df83..af6f97bf45 100644 --- a/django/contrib/formtools/wizard.py +++ b/django/contrib/formtools/wizard.py @@ -11,7 +11,7 @@ except ImportError: from django import forms from django.conf import settings -from django.contrib.formtools.utils import security_hash, form_hmac +from django.contrib.formtools.utils import form_hmac from django.http import Http404 from django.shortcuts import render_to_response from django.template.context import RequestContext @@ -58,24 +58,7 @@ class FormWizard(object): def _check_security_hash(self, token, request, form): expected = self.security_hash(request, form) - if constant_time_compare(token, expected): - return True - else: - # Fall back to Django 1.2 method, for compatibility with forms that - # are in the middle of being used when the upgrade occurs. However, - # we don't want to do this fallback if a subclass has provided their - # own security_hash method - because they might have implemented a - # more secure method, and this would punch a hole in that. - - # PendingDeprecationWarning <- left here to remind us that this - # compatibility fallback should be removed in Django 1.5 - FormWizard_expected = FormWizard.security_hash(self, request, form) - if expected == FormWizard_expected: - # They didn't override security_hash, do the fallback: - old_expected = security_hash(request, form) - return constant_time_compare(token, old_expected) - else: - return False + return constant_time_compare(token, expected) @method_decorator(csrf_protect) def __call__(self, request, *args, **kwargs):