From 3a919c242dba0aadfc99fe07dae68b92df387b64 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Fri, 1 Nov 2013 01:05:12 +0100
Subject: [PATCH] more helpful CSRF failure view, add CSRF settings to settings.py without this, users get a rather unhelpful/misleading response after clicking "Login" if they don't have cookies enabled.
---
 nsupdate/main/views.py | 27 +++++++++++++++++++++++++++
 nsupdate/settings.py | 9 +++++++++
 2 files changed, 36 insertions(+)
diff --git a/nsupdate/main/views.py b/nsupdate/main/views.py
index 6fca1fb..c273093 100644
--- a/nsupdate/main/views.py
+++ b/nsupdate/main/views.py
@@ -237,3 +237,30 @@ Disallow: /nic/update/
 Disallow: /overview/
 """
 return HttpResponse(content, content_type="text/plain")
+
+
+def CsrfFailureView(request, reason):
+ """
+ Django's CSRF middleware's builtin view doesn't tell the user that he needs to have cookies enabled.
+
+ :param request: django request object
+ :return: HttpResponse object
+ """
+ if reason == "CSRF cookie not set.":
+ content ="""\
+This site needs cookies (for CSRF protection, for keeping your session after login).
+
+Please enable cookies in your browser (or otherwise make sure the CSRF cookie can be set).
+""" % dict(reason=reason)
+ status = 200
+ else:
+ content = """\
+%(reason)s
+
+CSRF verification failure.
+
+Either you are trying to access this site in 'unusual' ways (then please stop doing that), or
+you found an issue in the code (then please file an issue for this and tell how you got here).
+""" % dict(reason=reason)
+ status = 403
+ return HttpResponse(content, status=status, content_type="text/plain")
diff --git a/nsupdate/settings.py b/nsupdate/settings.py
index ac579f2..e2902b5 100644
--- a/nsupdate/settings.py
+++ b/nsupdate/settings.py
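Review bot: The `"CSRF cookie not set."` branch of the new CsrfFailureView answers a rejected request with `status = 200`, which hides the CSRF rejection from HTTP clients, proxies and any log- or metrics-based monitoring that keys on 4xx responses; the friendlier text does not need a success status, so `status = 403` in both branches keeps the response honest and consistent with Django's builtin failure view. The comparison against a hard-coded message string is also brittle across Django versions — `from django.middleware.csrf import REASON_NO_CSRF_COOKIE` and `if reason == REASON_NO_CSRF_COOKIE:` ties the check to the constant the middleware actually passes. The first template contains no `%(reason)s` placeholder, so its `% dict(reason=reason)` does nothing except make a future literal `%` in that text raise at request time; drop the interpolation there. The docstring should additionally document `:param reason: failure reason string passed by Django's CSRF middleware`.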
@@ -205,6 +205,15 @@ ACCOUNT_ACTIVATION_DAYS = 7
 LOGIN_REDIRECT_URL = '/overview/'
+CSRF_FAILURE_VIEW = 'nsupdate.main.views.CsrfFailureView'
+
+# Settings for CSRF cookie.
+CSRF_COOKIE_NAME = 'csrftoken'
+CSRF_COOKIE_DOMAIN = None
+CSRF_COOKIE_PATH = '/'
+CSRF_COOKIE_SECURE = False
+
+
 try:
 from .local_settings import *
 except ImportError:
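Review bot: `CSRF_COOKIE_SECURE = False` is committed as a fixed value in the new CSRF block, and nothing in the hunk records that it has to be flipped for an HTTPS deployment, so a production setup that serves the login page over TLS still sends the CSRF token cookie over plain HTTP unless the operator happens to know about it. Since `local_settings` is star-imported right below and can override it, a comment naming that override point would keep the default honest: `# CSRF_COOKIE_SECURE must be True when the site is served over HTTPS (set it,` / `# together with SESSION_COOKIE_SECURE, in local_settings.py).` The other three values (`'csrftoken'`, `None`, `'/'`) are Django's defaults, so the same comment could state that they are listed only to make the cookie parameters visible rather than to change behaviour.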