Merge pull request #6560 from openfun/openfun/studio-csrf-error

Fix csrf error on studio login

cms/djangoapps/contentstore/tests/test_contentstore.py

@@ -4,7 +4,7 @@ import copy
 import mock
 from mock import patch
 import shutil
-import lxml
+import lxml.html
 
 from datetime import timedelta
 from fs.osfs import OSFS
@@ -26,7 +26,7 @@ from contentstore.views.component import ADVANCED_COMPONENT_TYPES
 
 from xmodule.contentstore.django import contentstore
 from xmodule.contentstore.utils import restore_asset_from_trashcan, empty_asset_trashcan
-from xmodule.exceptions import NotFoundError, InvalidVersionError
+from xmodule.exceptions import InvalidVersionError
 from xmodule.modulestore import ModuleStoreEnum
 from xmodule.modulestore.exceptions import ItemNotFoundError
 from xmodule.modulestore.inheritance import own_metadata
@@ -1747,6 +1747,35 @@ class EntryPageTestCase(TestCase):
         self._test_page("/logout", 302)
 
 
+class SigninPageTestCase(TestCase):
+    """
+    Tests that the CSRF token is directly included in the signin form. This is
+    important to make sure that the script is functional independently of any
+    other script.
+    """
+
+    def test_csrf_token_is_present_in_form(self):
+        # Expected html:
+        # <form>
+        #   ...
+        #   <fieldset>
+        #       ...
+        #       <input name="csrfmiddlewaretoken" value="...">
+        #       ...
+        #       </fieldset>
+        #       ...
+        #</form>
+        response = self.client.get("/signin")
+        csrf_token = response.cookies.get("csrftoken")
+        form = lxml.html.fromstring(response.content).get_element_by_id("login_form")
+        csrf_input_field = form.find(".//input[@name='csrfmiddlewaretoken']")
+
+        self.assertIsNotNone(csrf_token)
+        self.assertIsNotNone(csrf_token.value)
+        self.assertIsNotNone(csrf_input_field)
+        self.assertEqual(csrf_token.value, csrf_input_field.attrib["value"])
+
+
 def _create_course(test, course_key, course_data):
     """
     Creates a course via an AJAX request and verifies the URL returned in the response.

cms/static/js/factories/login.js

@@ -8,7 +8,6 @@ define(['jquery.cookie', 'utility'], function() {
                 dataType: 'json',
                 data: data,
                 success: callback,
-                headers : {'X-CSRFToken':$.cookie('csrftoken')}
             });
         }
 

cms/templates/login.html

@@ -17,10 +17,11 @@ from django.utils.translation import ugettext as _
     </header>
 
     <article class="content-primary" role="main">
-      <form id="login_form" method="post" action="login_post">
+      <form id="login_form" method="post" action="login_post" onsubmit="return false;">
 
         <fieldset>
           <legend class="sr">${_("Required Information to Sign In to {studio_name}").format(studio_name=settings.STUDIO_NAME)}</legend>
+          <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf }" />
 
           <ol class="list-input">
             <li class="field text required" id="field-email">