Customises the CSRF failure view so that it uses the LCA2017 style (#53)

* Customises the CSRF failure view so that it uses the LCA2017 style * If a user is logged in and there is a bad_token failure, let them know.
2016-07-17 01:52:04 -06:00 · 2016-07-17 01:52:04 -06:00 · 6eef5efcfb
commit 6eef5efcfb
parent 51640e9893
3 changed files with 118 additions and 2 deletions
--- a/pinaxcon/csrf_view.py
+++ b/pinaxcon/csrf_view.py
@ -0,0 +1,42 @@
+from django.conf import settings
+from django.http import HttpResponseForbidden
+from django.shortcuts import redirect
+from django.template import Context, RequestContext, loader
+from django.utils.translation import ugettext as _
+from django.utils.version import get_docs_version
+
+def csrf_failure(request, reason=""):
+
+    from django.middleware.csrf import REASON_BAD_TOKEN, REASON_NO_REFERER, REASON_NO_CSRF_COOKIE
+    t = loader.get_template("403_csrf.html")
+    c = Context({
+        'title': _("Forbidden"),
+        'main': _("CSRF verification failed. Request aborted."),
+        'reason': reason,
+        'bad_token': reason == REASON_BAD_TOKEN,
+        'no_referer': reason == REASON_NO_REFERER,
+        'no_referer1': _(
+            "You are seeing this message because this HTTPS site requires a "
+            "'Referer header' to be sent by your Web browser, but none was "
+            "sent. This header is required for security reasons, to ensure "
+            "that your browser is not being hijacked by third parties."),
+        'no_referer2': _(
+            "If you have configured your browser to disable 'Referer' headers, "
+            "please re-enable them, at least for this site, or for HTTPS "
+            "connections, or for 'same-origin' requests."),
+        'no_cookie': reason == REASON_NO_CSRF_COOKIE,
+        'no_cookie1': _(
+            "You are seeing this message because this site requires a CSRF "
+            "cookie when submitting forms. This cookie is required for "
+            "security reasons, to ensure that your browser is not being "
+            "hijacked by third parties."),
+        'no_cookie2': _(
+            "If you have configured your browser to disable cookies, please "
+            "re-enable them, at least for this site, or for 'same-origin' "
+            "requests."),
+        'DEBUG': settings.DEBUG,
+        'docs_version': get_docs_version(),
+        'more': _("More information is available with DEBUG=True."),
+    })
+    c = RequestContext(request, c)
+    return HttpResponseForbidden(t.render(c), content_type='text/html')
--- a/pinaxcon/settings.py
+++ b/pinaxcon/settings.py
@ -251,9 +251,11 @@ PROPOSAL_FORMS = {
 WAGTAIL_SITE_NAME = 'linux.conf.au 2017'
 WAGTAIL_APPEND_SLASH = True

-
 ATTENDEE_PROFILE_FORM = "pinaxcon.registrasion.forms.ProfileForm"

+# CSRF custom error screen
+CSRF_FAILURE_VIEW = "pinaxcon.csrf_view.csrf_failure"
+
 # Use nose to run all tests
 TEST_RUNNER = 'django_nose.NoseTestSuiteRunner'

@ -270,4 +272,4 @@ except NameError:
    try:
        from local_settings import *
    except ImportError:
-        pass
+        pass
--- a/pinaxcon/templates/403_csrf.html
+++ b/pinaxcon/templates/403_csrf.html
@ -0,0 +1,72 @@
+{% extends "site_base_wagtail.html" %}
+{% load staticfiles %}
+{% load wagtailcore_tags %}
+
+{% load sitetree %}
+{% load i18n %}
+
+{% block body_class %}template-blogpage{% endblock %}
+
+{% block head_title %}{{ page.title }}{% endblock %}
+
+{% block body %}
+  {% block content %}
+    {% include "cms_pages/content_page_header_panel.html" %}
+    <div class="l-content-page">
+      <div class="l-content-page--richtext">
+        <h2>{{ title }} <span>(403)</span></h2>
+
+        <p>{{ main }}</p>
+
+        {% if bad_token and request.user.is_authenticated %}
+          <p>You are already logged in. If you saw this issue whilst attempting
+            to log in, you can to go to the
+            <a href='{% url "dashboard" %}'>Dashboard</a> and continue using
+            the site.</p>
+        {% endif %}
+
+        {% if no_referer %}
+          <p>{{ no_referer1 }}</p>
+          <p>{{ no_referer2 }}</p>
+        {% endif %}
+        {% if no_cookie %}
+          <p>{{ no_cookie1 }}</p>
+          <p>{{ no_cookie2 }}</p>
+        {% endif %}
+
+        {% if DEBUG %}
+          <h2>Help</h2>
+            {% if reason %}
+            <p>Reason given for failure:</p>
+            <pre>
+            {{ reason }}
+            </pre>
+            {% endif %}
+          <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
+          <a
+          href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/csrf/">Django's
+          CSRF mechanism</a> has not been used correctly.  For POST forms, you need to
+          ensure:</p>
+          <ul>
+            <li>Your browser is accepting cookies.</li>
+            <li>The view function passes a <code>request</code> to the template's <a
+            href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>
+            method.</li>
+            <li>In the template, there is a <code>{% templatetag openblock %} csrf_token
+            {% templatetag closeblock %}</code> template tag inside each POST form that
+            targets an internal URL.</li>
+            <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
+            <code>csrf_protect</code> on any views that use the <code>csrf_token</code>
+            template tag, as well as those that accept the POST data.</li>
+          </ul>
+          <p>You're seeing the help section of this page because you have <code>DEBUG =
+          True</code> in your Django settings file. Change that to <code>False</code>,
+          and only the initial error message will be displayed.  </p>
+          <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
+        {% else %}
+          <p><small>{{ more }}</small></p>
+        {% endif %}
+      </div>
+    </div>
+  {% endblock %}
+{% endblock %}