Merge pull request #6560 from openfun/openfun/studio-csrf-error

Fix csrf error on studio login

Merge pull request #6560 from openfun/openfun/studio-csrf-error
Fix csrf error on studio login
1ad0e9fd · Adam · 20a605f0 · dce56b13 · 1ad0e9fd · 1ad0e9fd
Commit 1ad0e9fd authored Jan 29, 2015 by Adam
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 4 deletions

cms/djangoapps/contentstore/tests/test_contentstore.py
+31 -2

cms/static/js/factories/login.js
+0 -1

cms/templates/login.html
+2 -1

No files found.
--- a/cms/djangoapps/contentstore/tests/test_contentstore.py
+++ b/cms/djangoapps/contentstore/tests/test_contentstore.py
@@ -4,7 +4,7 @@ import copy
 import mock
 from mock import patch
 import shutil
-import lxml
+import lxml.html
 from datetime import timedelta
 from fs.osfs import OSFS
@@ -26,7 +26,7 @@ from contentstore.views.component import ADVANCED_COMPONENT_TYPES
 from xmodule.contentstore.django import contentstore
 from xmodule.contentstore.utils import restore_asset_from_trashcan, empty_asset_trashcan
-from xmodule.exceptions import NotFoundError, InvalidVersionError
+from xmodule.exceptions import InvalidVersionError
 from xmodule.modulestore import ModuleStoreEnum
 from xmodule.modulestore.exceptions import ItemNotFoundError
 from xmodule.modulestore.inheritance import own_metadata
@@ -1747,6 +1747,35 @@ class EntryPageTestCase(TestCase):
        self._test_page("/logout", 302)
+class SigninPageTestCase(TestCase):
+    """
+    Tests that the CSRF token is directly included in the signin form. This is
+    important to make sure that the script is functional independently of any
+    other script.
+    """
+    def test_csrf_token_is_present_in_form(self):
+        # Expected html:
+        # <form>
+        #   ...
+        #   <fieldset>
+        #       ...
+        #       <input name="csrfmiddlewaretoken" value="...">
+        #       ...
+        #       </fieldset>
+        #       ...
+        #</form>
+        response = self.client.get("/signin")
+        csrf_token = response.cookies.get("csrftoken")
+        form = lxml.html.fromstring(response.content).get_element_by_id("login_form")
+        csrf_input_field = form.find(".//input[@name='csrfmiddlewaretoken']")
+        self.assertIsNotNone(csrf_token)
+        self.assertIsNotNone(csrf_token.value)
+        self.assertIsNotNone(csrf_input_field)
+        self.assertEqual(csrf_token.value, csrf_input_field.attrib["value"])
 def _create_course(test, course_key, course_data):
    """
    Creates a course via an AJAX request and verifies the URL returned in the response.

--- a/cms/static/js/factories/login.js
+++ b/cms/static/js/factories/login.js
@@ -8,7 +8,6 @@ define(['jquery.cookie', 'utility'], function() {
                dataType: 'json',
                data: data,
                success: callback,
-                headers : {'X-CSRFToken':$.cookie('csrftoken')}
            });
        }

--- a/cms/templates/login.html
+++ b/cms/templates/login.html
@@ -17,10 +17,11 @@ from django.utils.translation import ugettext as _
    </header>
    <article class="content-primary" role="main">
-      <form id="login_form" method="post" action="login_post">
+      <form id="login_form" method="post" action="login_post" onsubmit="return false;">
        <fieldset>
          <legend class="sr">${_("Required Information to Sign In to {studio_name}").format(studio_name=settings.STUDIO_NAME)}</legend>
+          <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf }" />
          <ol class="list-input">
            <li class="field text required" id="field-email">