diff --git a/cms/envs/common.py b/cms/envs/common.py
index fab3b742f8..0ca0d1b65f 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -105,9 +105,12 @@ TEMPLATE_CONTEXT_PROCESSORS = (
 'django.core.context_processors.static',
 'django.contrib.messages.context_processors.messages',
 'django.contrib.auth.context_processors.auth', # this is required for admin
- 'django.core.context_processors.csrf', # necessary for csrf protection
 )
+# add csrf support unless disabled for load testing
+if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+ TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',) # necessary for csrf protection
+
 LMS_BASE = None
 #################### CAPA External Code Evaluation #############################
@@ -139,7 +142,6 @@ MIDDLEWARE_CLASSES = (
 'django.middleware.cache.UpdateCacheMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
- 'django.middleware.csrf.CsrfViewMiddleware',
 'method_override.middleware.MethodOverrideMiddleware',
 # Instead of AuthenticationMiddleware, we use a cache-backed version
@@ -155,6 +157,10 @@ MIDDLEWARE_CLASSES = (
 'django.middleware.transaction.TransactionMiddleware'
 )
+# add in csrf middleware unless disabled for load testing
+if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+ MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
+
 ############################ SIGNAL HANDLERS ################################
 # This is imported to register the exception signal handling that logs exceptions
 import monitoring.exceptions # noqa
diff --git a/common/djangoapps/student/tests/test_auto_auth.py b/common/djangoapps/student/tests/test_auto_auth.py
index 94bdeb5dfd..dca2937b01 100644
--- a/common/djangoapps/student/tests/test_auto_auth.py
+++ b/common/djangoapps/student/tests/test_auto_auth.py
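Review bot: The new gate `if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):` in the TEMPLATE_CONTEXT_PROCESSORS hunk switches CSRF protection off for the whole CMS whenever that feature is on, and nothing next to the switch records that consequence; the identical condition is repeated by hand in the MIDDLEWARE_CLASSES hunk below, so the two gates can drift apart. The fail-safe direction is right — a missing key yields None and CSRF stays on — but the `.get()` call presupposes MITX_FEATURES is already defined above line 105, which this hunk does not show and which should be confirmed. I would put a comment above the `if`, such as `# AUTOMATIC_AUTH_FOR_LOAD_TESTING removes CSRF protection from every CMS view (the context processor here and CsrfViewMiddleware below); only enable it in an isolated load-test deployment, never on an internet-facing instance.`, and evaluate the flag once into a module-level name (constructed example: `CSRF_DISABLED_FOR_LOAD_TESTING = bool(MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'))`) that both gates read.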
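Review bot: `MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)` moves the CSRF middleware to the end of the chain, whereas the entry deleted in the preceding hunk sat directly after SessionMiddleware and before MethodOverrideMiddleware, the cache-backed authentication middleware and TransactionMiddleware. CsrfViewMiddleware rejects an unverified request in process_view, so with the appended position every middleware listed before it now handles a forged POST first; Django's documentation asks for it to precede any middleware that assumes CSRF attacks have already been dealt with. Keep the original slot by making the entry conditional inside the tuple definition instead of appending it afterwards, which also removes the need for the second `if` block in this hunk.
```python
MIDDLEWARE_CLASSES = (
    # … unchanged: cache, common and session middleware …
    'django.contrib.sessions.middleware.SessionMiddleware',
) + (
    # csrf protection is dropped only when load testing with automatic auth
    () if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING')
    else ('django.middleware.csrf.CsrfViewMiddleware',)
) + (
    'method_override.middleware.MethodOverrideMiddleware',
    # … unchanged: remaining middleware through TransactionMiddleware …
)
```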
@@ -3,7 +3,7 @@ from django.test.client import Client
 from django.contrib.auth.models import User
 from util.testing import UrlResetMixin
 from mock import patch
-from django.core.urlresolvers import reverse
+from django.core.urlresolvers import reverse, NoReverseMatch
 class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
@@ -19,6 +19,8 @@ class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
 # of the UrlResetMixin)
 super(AutoAuthEnabledTestCase, self).setUp()
 self.url = '/auto_auth'
+ self.cms_csrf_url = "signup"
+ self.lms_csrf_url = "signin_user"
 self.client = Client()
 def test_create_user(self):
@@ -69,15 +71,6 @@ class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
 # make sure it is the same user
 self.assertEqual(qset.count(), 1)
- def test_csrf_disabled(self):
- """
- test that when load testing, csrf protection is off
- """
- self.client = Client(enforce_csrf_checks=True)
- csrf_protected_url = reverse("signin_user")
- response = self.client.get(csrf_protected_url)
- self.assertEqual(response.status_code, 200)
-
 class AutoAuthDisabledTestCase(UrlResetMixin, TestCase):
 """
@@ -105,8 +98,14 @@ class AutoAuthDisabledTestCase(UrlResetMixin, TestCase):
 """
 test that when not load testing, csrf protection is on
 """
+ cms_csrf_url = "signup"
+ lms_csrf_url = "signin_user"
 self.client = Client(enforce_csrf_checks=True)
- csrf_protected_url = reverse("signin_user")
- response = self.client.post(csrf_protected_url)
- self.assertEqual(response.status_code, 403)
+ try:
+ csrf_protected_url = reverse(cms_csrf_url)
+ response = self.client.post(csrf_protected_url)
+ except NoReverseMatch:
+ csrf_protected_url = reverse(lms_csrf_url)
+ response = self.client.post(csrf_protected_url)
+ self.assertEqual(response.status_code, 403)
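Review bot: `self.cms_csrf_url = "signup"` and `self.lms_csrf_url = "signin_user"` are added to AutoAuthEnabledTestCase.setUp, but within this diff nothing in that class reads them — the only CSRF test left, test_csrf_enabled in AutoAuthDisabledTestCase, declares its own local `cms_csrf_url`/`lms_csrf_url` instead. The removed test_csrf_disabled issued a GET, which CsrfViewMiddleware never validates, so it did not actually exercise the load-testing branch, and with it gone the "CSRF off when AUTOMATIC_AUTH_FOR_LOAD_TESTING is set" behaviour is now unasserted on the enabled side. Either drop the two setUp attributes or give them a consumer: a test in AutoAuthEnabledTestCase that POSTs to the resolved URL with `Client(enforce_csrf_checks=True)` and asserts a status other than 403 would both use them and cover the branch the removed test was meant to cover.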