Remove CSRF middleware/processor in aws and dev settings,
not common. This ensures that we load the MITX_FEATURES token BEFORE deciding to disable CSRF.
@@ -126,6 +126,14 @@ LOGGING = get_logger_config(LOG_DIR,
|
||||
#theming start:
|
||||
PLATFORM_NAME = ENV_TOKENS.get('PLATFORM_NAME', 'edX')
|
||||
|
||||
# Disable CSRF for load testing
|
||||
if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
exclude_csrf = lambda elem: not elem in \
|
||||
['django.core.context_processors.csrf',
|
||||
'django.middleware.csrf.CsrfViewMiddleware']
|
||||
TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
|
||||
MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
|
||||
|
||||
|
||||
################ SECURE AUTH ITEMS ###############################
|
||||
# Secret things: passwords, access keys, etc.
|
||||
|
||||
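Review bot: The new `if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):` branch strips both CSRF entries silently, and this hunk appears to belong to a deployment settings file (it sits next to `ENV_TOKENS` lookups), so one configuration value removes CSRF protection site-wide with no trace in the logs. I would add a comment above the branch, `# SECURITY: removes CSRF protection for every view; load-test environments only`, and emit a warning inside it, e.g. `logging.getLogger(__name__).warning("CSRF disabled: AUTOMATIC_AUTH_FOR_LOAD_TESTING is set")`, assuming `logging` is importable at that point. The same block is repeated verbatim in the hunks at `-182,6`, `-178,9` and `-255,6`; a single helper in the common settings would keep the four copies from drifting. As a style point, `not elem in [...]` reads better as `elem not in (...)`.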
@@ -105,12 +105,9 @@ TEMPLATE_CONTEXT_PROCESSORS = (
|
||||
'django.core.context_processors.static',
|
||||
'django.contrib.messages.context_processors.messages',
|
||||
'django.contrib.auth.context_processors.auth', # this is required for admin
|
||||
'django.core.context_processors.csrf'
|
||||
)
|
||||
|
||||
# add csrf support unless disabled for load testing
|
||||
if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',) # necessary for csrf protection
|
||||
|
||||
LMS_BASE = None
|
||||
|
||||
#################### CAPA External Code Evaluation #############################
|
||||
@@ -141,6 +138,7 @@ MIDDLEWARE_CLASSES = (
|
||||
'request_cache.middleware.RequestCache',
|
||||
'django.middleware.cache.UpdateCacheMiddleware',
|
||||
'django.middleware.common.CommonMiddleware',
|
||||
'django.middleware.csrf.CsrfViewMiddleware',
|
||||
'django.contrib.sessions.middleware.SessionMiddleware',
|
||||
'method_override.middleware.MethodOverrideMiddleware',
|
||||
|
||||
@@ -157,10 +155,6 @@ MIDDLEWARE_CLASSES = (
|
||||
'django.middleware.transaction.TransactionMiddleware'
|
||||
)
|
||||
|
||||
# add in csrf middleware unless disabled for load testing
|
||||
if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
|
||||
|
||||
############################ SIGNAL HANDLERS ################################
|
||||
# This is imported to register the exception signal handling that logs exceptions
|
||||
import monitoring.exceptions # noqa
|
||||
|
||||
@@ -182,6 +182,15 @@ SEGMENT_IO_KEY = os.environ.get('SEGMENT_IO_KEY')
|
||||
if SEGMENT_IO_KEY:
|
||||
MITX_FEATURES['SEGMENT_IO'] = True
|
||||
|
||||
########################## LOAD TESTING ########################
|
||||
|
||||
# Disable CSRF for load testing
|
||||
if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
exclude_csrf = lambda elem: not elem in \
|
||||
['django.core.context_processors.csrf',
|
||||
'django.middleware.csrf.CsrfViewMiddleware']
|
||||
TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
|
||||
MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
|
||||
|
||||
#####################################################################
|
||||
# Lastly, see if the developer has any local overrides.
|
||||
|
||||
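Review bot: The CSRF decision in this hunk is taken before the step introduced by the following comment, `# Lastly, see if the developer has any local overrides.`, so the flag's final value is not what the filter acts on. If an override module (its import is outside the hunk, so this is inferred) turns `AUTOMATIC_AUTH_FOR_LOAD_TESTING` off, the CSRF middleware and context processor stay removed; if it turns the flag on, automatic auth runs with CSRF still active. Moving the `LOAD TESTING` block below the override import, or adding `# NOTE: evaluated before local overrides; set the flag above this line` if the order is intentional, would make the behaviour match the commit description.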
@@ -10,7 +10,6 @@ Common traits:
|
||||
# We intentionally define lots of variables that aren't used, and
|
||||
# want to import all variables from base settings files
|
||||
# pylint: disable=W0401, W0614
|
||||
|
||||
import json
|
||||
|
||||
from .common import *
|
||||
@@ -178,9 +177,14 @@ for name, value in ENV_TOKENS.get("CODE_JAIL", {}).items():
|
||||
|
||||
COURSES_WITH_UNSAFE_CODE = ENV_TOKENS.get("COURSES_WITH_UNSAFE_CODE", [])
|
||||
|
||||
# automatic log in for load testing
|
||||
MITX_FEATURES['AUTOMATIC_AUTH_FOR_LOAD_TESTING'] = ENV_TOKENS.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING')
|
||||
MITX_FEATURES['MAX_AUTO_AUTH_USERS'] = ENV_TOKENS.get('MAX_AUTO_AUTH_USERS')
|
||||
# Disable CSRF for load testing
|
||||
if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
exclude_csrf = lambda elem: not elem in \
|
||||
['django.core.context_processors.csrf',
|
||||
'django.middleware.csrf.CsrfViewMiddleware']
|
||||
TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
|
||||
MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
|
||||
|
||||
|
||||
############################## SECURE AUTH ITEMS ###############
|
||||
# Secret things: passwords, access keys, etc.
|
||||
|
||||
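Review bot: The test `if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):` accepts any truthy value, and the line just above fills the flag straight from `ENV_TOKENS.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING')`, so a configuration entry such as the string `"false"` would disable CSRF. Since this branch removes a protection, I would require the boolean explicitly: `if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING') is True:`. The surrounding settings module continues outside the hunk, so whether the token is normalised elsewhere cannot be seen here.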
@@ -223,6 +223,7 @@ TEMPLATE_CONTEXT_PROCESSORS = (
|
||||
'django.contrib.messages.context_processors.messages',
|
||||
#'django.core.context_processors.i18n',
|
||||
'django.contrib.auth.context_processors.auth', # this is required for admin
|
||||
'django.core.context_processors.csrf',
|
||||
|
||||
# Added for django-wiki
|
||||
'django.core.context_processors.media',
|
||||
@@ -235,10 +236,6 @@ TEMPLATE_CONTEXT_PROCESSORS = (
|
||||
'mitxmako.shortcuts.marketing_link_context_processor',
|
||||
)
|
||||
|
||||
# add csrf support unless disabled for load testing
|
||||
if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',) # necessary for csrf protection
|
||||
|
||||
STUDENT_FILEUPLOAD_MAX_SIZE = 4 * 1000 * 1000 # 4 MB
|
||||
MAX_FILEUPLOADS_PER_INPUT = 20
|
||||
|
||||
@@ -483,6 +480,7 @@ MIDDLEWARE_CLASSES = (
|
||||
'django.contrib.messages.middleware.MessageMiddleware',
|
||||
'track.middleware.TrackMiddleware',
|
||||
'mitxmako.middleware.MakoMiddleware',
|
||||
'django.middleware.csrf.CsrfViewMiddleware',
|
||||
|
||||
'course_wiki.course_nav.Middleware',
|
||||
|
||||
@@ -493,10 +491,6 @@ MIDDLEWARE_CLASSES = (
|
||||
'codejail.django_integration.ConfigureCodeJailMiddleware',
|
||||
)
|
||||
|
||||
# add in csrf middleware unless disabled for load testing
|
||||
if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
|
||||
|
||||
############################### Pipeline #######################################
|
||||
|
||||
STATICFILES_STORAGE = 'pipeline.storage.PipelineCachedStorage'
|
||||
|
||||
@@ -255,6 +255,15 @@ SEGMENT_IO_LMS_KEY = os.environ.get('SEGMENT_IO_LMS_KEY')
|
||||
if SEGMENT_IO_LMS_KEY:
|
||||
MITX_FEATURES['SEGMENT_IO_LMS'] = True
|
||||
|
||||
########################## LOAD TESTING ########################
|
||||
|
||||
# Disable CSRF for load testing
|
||||
if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
|
||||
exclude_csrf = lambda elem: not elem in \
|
||||
['django.core.context_processors.csrf',
|
||||
'django.middleware.csrf.CsrfViewMiddleware']
|
||||
TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
|
||||
MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
|
||||
|
||||
########################## USER API ########################
|
||||
EDX_API_KEY = None
|
||||
|
||||