feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme. (#33226)

* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.

* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.

* fix: fix quality failure

* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.

lms/djangoapps/experiments/tests/test_views.py

@@ -6,6 +6,7 @@ from unittest.mock import patch
 
 import six.moves.urllib.parse
 from datetime import timedelta
+import django
 from django.conf import settings
 from django.core.handlers.wsgi import WSGIRequest
 from django.test.utils import override_settings
@@ -166,6 +167,13 @@ class ExperimentDataViewSetTests(APITestCase, ModuleStoreTestCase):  # lint-amne
         response = self.client.patch(url, data)
         assert response.status_code == 404
 
+    def test_loads_valid_csrf_trusted_origins_list(self):
+        """checking CSRF_TRUSTED_ORIGINS here. in django4.2 they will require schemes"""
+        if django.VERSION[0] < 4:  # for greater than django 3.2 use schemes.
+            assert settings.CSRF_TRUSTED_ORIGINS == ['.example.com']
+        else:
+            assert settings.CSRF_TRUSTED_ORIGINS == ['https://*.example.com']
+
 
 def cross_domain_config(func):
     """Decorator for configuring a cross-domain request. """

lms/envs/production.py

@@ -23,6 +23,7 @@ import os
 
 import yaml
 from corsheaders.defaults import default_headers as corsheaders_default_headers
+import django
 from django.core.exceptions import ImproperlyConfigured
 from edx_django_utils.plugins import add_plugins
 from path import Path as path
@@ -366,6 +367,10 @@ CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', False)
 
 # Determines which origins are trusted for unsafe requests eg. POST requests.
 CSRF_TRUSTED_ORIGINS = ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS', [])
+# values are already updated above with default CSRF_TRUSTED_ORIGINS values but in
+# case of new django version these values will override.
+if django.VERSION[0] >= 4:  # for greater than django 3.2 use schemes.
+    CSRF_TRUSTED_ORIGINS = ENV_TOKENS.get('CSRF_TRUSTED_ORIGINS_WITH_SCHEME', [])
 
 ############# CORS headers for cross-domain requests #################
 

lms/envs/test.py

@@ -18,6 +18,7 @@ from collections import OrderedDict
 from uuid import uuid4
 
 import openid.oidutil
+import django
 from django.utils.translation import gettext_lazy
 from edx_django_utils.plugins import add_plugins
 from path import Path as path
@@ -677,3 +678,10 @@ SUBSCRIPTIONS_BUY_SUBSCRIPTION_URL = f"{SUBSCRIPTIONS_ROOT_URL}/api/v1/stripe-su
 SUBSCRIPTIONS_MANAGE_SUBSCRIPTION_URL = None
 SUBSCRIPTIONS_MINIMUM_PRICE = '$39'
 SUBSCRIPTIONS_TRIAL_LENGTH = 7
+CSRF_TRUSTED_ORIGINS = ['.example.com']
+CSRF_TRUSTED_ORIGINS_WITH_SCHEME = ['https://*.example.com']
+
+# values are already updated above with default CSRF_TRUSTED_ORIGINS values but in
+# case of new django version these values will override.
+if django.VERSION[0] >= 4:  # for greater than django 3.2 use with schemes.
+    CSRF_TRUSTED_ORIGINS = CSRF_TRUSTED_ORIGINS_WITH_SCHEME