Remove CSRF middleware/processor in aws and dev settings,

not common. This ensures that we load the MITX_FEATURES token BEFORE deciding to disable CSRF.

Remove CSRF middleware/processor in aws and dev settings,
not common. This ensures that we load the MITX_FEATURES token BEFORE deciding to disable CSRF.
39030c66 · Will Daly · Will Daly · 8573ac39 · 39030c66 · 39030c66
Commit 39030c66 authored 11 years ago by Will Daly Committed by Will Daly 11 years ago
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -126,6 +126,14 @@ LOGGING = get_logger_config(LOG_DIR,
 #theming start:
 PLATFORM_NAME = ENV_TOKENS.get('PLATFORM_NAME', 'edX')

+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
+

 ################ SECURE AUTH ITEMS ###############################
 # Secret things: passwords, access keys, etc.

--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -105,12 +105,9 @@ TEMPLATE_CONTEXT_PROCESSORS = (
    'django.core.context_processors.static',
    'django.contrib.messages.context_processors.messages',
    'django.contrib.auth.context_processors.auth',  # this is required for admin
+    'django.core.context_processors.csrf'
 )

-# add csrf support unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',)  # necessary for csrf protection
-
 LMS_BASE = None

 #################### CAPA External Code Evaluation #############################
@@ -141,6 +138,7 @@ MIDDLEWARE_CLASSES = (
    'request_cache.middleware.RequestCache',
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'method_override.middleware.MethodOverrideMiddleware',

@@ -157,10 +155,6 @@ MIDDLEWARE_CLASSES = (
    'django.middleware.transaction.TransactionMiddleware'
 )

-# add in csrf middleware unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
-
 ############################ SIGNAL HANDLERS ################################
 # This is imported to register the exception signal handling that logs exceptions
 import monitoring.exceptions  # noqa

--- a/cms/envs/dev.py
+++ b/cms/envs/dev.py
@@ -182,6 +182,15 @@ SEGMENT_IO_KEY = os.environ.get('SEGMENT_IO_KEY')
 if SEGMENT_IO_KEY:
    MITX_FEATURES['SEGMENT_IO'] = True

+########################## LOAD TESTING ########################
+
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)

 #####################################################################
 # Lastly, see if the developer has any local overrides.

--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -10,7 +10,6 @@ Common traits:
 # We intentionally define lots of variables that aren't used, and
 # want to import all variables from base settings files
 # pylint: disable=W0401, W0614
-
 import json

 from .common import *
@@ -178,9 +177,14 @@ for name, value in ENV_TOKENS.get("CODE_JAIL", {}).items():

 COURSES_WITH_UNSAFE_CODE = ENV_TOKENS.get("COURSES_WITH_UNSAFE_CODE", [])

-# automatic log in for load testing
-MITX_FEATURES['AUTOMATIC_AUTH_FOR_LOAD_TESTING'] = ENV_TOKENS.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING')
-MITX_FEATURES['MAX_AUTO_AUTH_USERS'] = ENV_TOKENS.get('MAX_AUTO_AUTH_USERS')
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
+

 ############################## SECURE AUTH ITEMS ###############
 # Secret things: passwords, access keys, etc.

--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -223,6 +223,7 @@ TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.messages.context_processors.messages',
    #'django.core.context_processors.i18n',
    'django.contrib.auth.context_processors.auth',  # this is required for admin
+    'django.core.context_processors.csrf',

    # Added for django-wiki
    'django.core.context_processors.media',
@@ -235,10 +236,6 @@ TEMPLATE_CONTEXT_PROCESSORS = (
    'mitxmako.shortcuts.marketing_link_context_processor',
 )

-# add csrf support unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',)  # necessary for csrf protection
-
 STUDENT_FILEUPLOAD_MAX_SIZE = 4 * 1000 * 1000  # 4 MB
 MAX_FILEUPLOADS_PER_INPUT = 20

@@ -483,6 +480,7 @@ MIDDLEWARE_CLASSES = (
    'django.contrib.messages.middleware.MessageMiddleware',
    'track.middleware.TrackMiddleware',
    'mitxmako.middleware.MakoMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',

    'course_wiki.course_nav.Middleware',

@@ -493,10 +491,6 @@ MIDDLEWARE_CLASSES = (
    'codejail.django_integration.ConfigureCodeJailMiddleware',
 )

-# add in csrf middleware unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
-
 ############################### Pipeline #######################################

 STATICFILES_STORAGE = 'pipeline.storage.PipelineCachedStorage'

--- a/lms/envs/dev.py
+++ b/lms/envs/dev.py
@@ -255,6 +255,15 @@ SEGMENT_IO_LMS_KEY = os.environ.get('SEGMENT_IO_LMS_KEY')
 if SEGMENT_IO_LMS_KEY:
    MITX_FEATURES['SEGMENT_IO_LMS'] = True

+########################## LOAD TESTING ########################
+
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)

 ########################## USER API ########################
 EDX_API_KEY = None