From 39030c668310fcfdc163d2aa9afdeb894a675463 Mon Sep 17 00:00:00 2001
From: Will Daly <will@edx.org>
Date: Wed, 31 Jul 2013 16:40:54 -0400
Subject: [PATCH] Remove CSRF middleware/processor in aws and dev settings, not
 common.  This ensures that we load the MITX_FEATURES token BEFORE deciding to
 disable CSRF.

---
 cms/envs/aws.py    |  8 ++++++++
 cms/envs/common.py | 10 ++--------
 cms/envs/dev.py    |  9 +++++++++
 lms/envs/aws.py    | 12 ++++++++----
 lms/envs/common.py | 10 ++--------
 lms/envs/dev.py    |  9 +++++++++
 6 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/cms/envs/aws.py b/cms/envs/aws.py
index 339425fee5f..17815c14ea1 100644
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -126,6 +126,14 @@ LOGGING = get_logger_config(LOG_DIR,
 #theming start:
 PLATFORM_NAME = ENV_TOKENS.get('PLATFORM_NAME', 'edX')
 
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
+
 
 ################ SECURE AUTH ITEMS ###############################
 # Secret things: passwords, access keys, etc.
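Review bot: The block added to cms/envs/aws.py removes both CSRF entries from a production settings file on the strength of a single feature flag, and its only documentation is `# Disable CSRF for load testing`. A more explicit comment would help, for example `# WARNING: removes CSRF protection for the whole site; AUTOMATIC_AUTH_FOR_LOAD_TESTING must never be enabled on a deployment reachable by real users`. Emitting a startup warning when the branch is taken would also make an accidental enable visible in the logs. The same block is copied into cms/envs/dev.py, lms/envs/aws.py and lms/envs/dev.py, so this applies there too, and a shared helper would keep the four copies from drifting. As a style point, the assigned lambda with `not elem in` and `filter` reads less clearly than `MIDDLEWARE_CLASSES = tuple(m for m in MIDDLEWARE_CLASSES if m not in CSRF_ENTRIES)` with the two names held in one tuple, which also keeps the setting a tuple on interpreters where `filter` returns an iterator.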
diff --git a/cms/envs/common.py b/cms/envs/common.py
index bdb3ec6fdeb..f5b74c326b3 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -105,12 +105,9 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'django.core.context_processors.static',
     'django.contrib.messages.context_processors.messages',
     'django.contrib.auth.context_processors.auth',  # this is required for admin
+    'django.core.context_processors.csrf'
 )
 
-# add csrf support unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',)  # necessary for csrf protection
-
 LMS_BASE = None
 
 #################### CAPA External Code Evaluation #############################
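Review bot: The added `'django.core.context_processors.csrf'` entry has no trailing comma, unlike the entries above it in TEMPLATE_CONTEXT_PROCESSORS. If another processor is later added below it, Python will join the two adjacent string literals into one invalid dotted path, and the exact-string match used by the new load-testing filter would no longer recognise the CSRF entry. Suggest `'django.core.context_processors.csrf',` to match the lms/envs/common.py change. The tuple starts outside this hunk.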
@@ -141,6 +138,7 @@ MIDDLEWARE_CLASSES = (
     'request_cache.middleware.RequestCache',
     'django.middleware.cache.UpdateCacheMiddleware',
     'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'method_override.middleware.MethodOverrideMiddleware',
 
@@ -157,10 +155,6 @@ MIDDLEWARE_CLASSES = (
     'django.middleware.transaction.TransactionMiddleware'
 )
 
-# add in csrf middleware unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
-
 ############################ SIGNAL HANDLERS ################################
 # This is imported to register the exception signal handling that logs exceptions
 import monitoring.exceptions  # noqa
diff --git a/cms/envs/dev.py b/cms/envs/dev.py
index 0b0a62f05d9..acabe1a4b8c 100644
--- a/cms/envs/dev.py
+++ b/cms/envs/dev.py
@@ -182,6 +182,15 @@ SEGMENT_IO_KEY = os.environ.get('SEGMENT_IO_KEY')
 if SEGMENT_IO_KEY:
     MITX_FEATURES['SEGMENT_IO'] = True
 
+########################## LOAD TESTING ########################
+
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
 
 #####################################################################
 # Lastly, see if the developer has any local overrides.
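Review bot: The load-testing block is placed above the "local overrides" section, so a developer who sets `AUTOMATIC_AUTH_FOR_LOAD_TESTING` in the local override file would have it read too late to take effect. That is the same ordering problem this commit is meant to fix. The override import is outside the hunk, so this is inferred from the trailing comment. It fails closed, since CSRF stays enabled, but the behaviour is surprising. Either move the block below the override import or document it with something like `# NOTE: evaluated before local overrides; set the flag above this point`. The lms/envs/dev.py hunk may need the same check.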
diff --git a/lms/envs/aws.py b/lms/envs/aws.py
index e039219be86..cec2133ae9e 100644
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -10,7 +10,6 @@ Common traits:
 # We intentionally define lots of variables that aren't used, and
 # want to import all variables from base settings files
 # pylint: disable=W0401, W0614
-
 import json
 
 from .common import *
@@ -178,9 +177,14 @@ for name, value in ENV_TOKENS.get("CODE_JAIL", {}).items():
 
 COURSES_WITH_UNSAFE_CODE = ENV_TOKENS.get("COURSES_WITH_UNSAFE_CODE", [])
 
-# automatic log in for load testing
-MITX_FEATURES['AUTOMATIC_AUTH_FOR_LOAD_TESTING'] = ENV_TOKENS.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING')
-MITX_FEATURES['MAX_AUTO_AUTH_USERS'] = ENV_TOKENS.get('MAX_AUTO_AUTH_USERS')
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
+
 
 ############################## SECURE AUTH ITEMS ###############
 # Secret things: passwords, access keys, etc.
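Review bot: The two removed assignments were the only visible place where `AUTOMATIC_AUTH_FOR_LOAD_TESTING` and `MAX_AUTO_AUTH_USERS` were copied from `ENV_TOKENS` into `MITX_FEATURES`, and the new code only reads the first flag from `MITX_FEATURES`. If no generic loader earlier in the file copies feature tokens across (none is visible in this hunk), the condition can never be true here. `MAX_AUTO_AUTH_USERS` would then also no longer be populated from the environment. Deployments that supplied these as top-level `ENV_TOKENS` keys would silently change behaviour. A short comment stating where the flag is now expected to come from would help, e.g. `# AUTOMATIC_AUTH_FOR_LOAD_TESTING is read from the MITX_FEATURES section of the env tokens`.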
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 95b2af422e3..dea5d1bc7c6 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -223,6 +223,7 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'django.contrib.messages.context_processors.messages',
     #'django.core.context_processors.i18n',
     'django.contrib.auth.context_processors.auth',  # this is required for admin
+    'django.core.context_processors.csrf',
 
     # Added for django-wiki
     'django.core.context_processors.media',
@@ -235,10 +236,6 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'mitxmako.shortcuts.marketing_link_context_processor',
 )
 
-# add csrf support unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',)  # necessary for csrf protection
-
 STUDENT_FILEUPLOAD_MAX_SIZE = 4 * 1000 * 1000  # 4 MB
 MAX_FILEUPLOADS_PER_INPUT = 20
 
@@ -483,6 +480,7 @@ MIDDLEWARE_CLASSES = (
     'django.contrib.messages.middleware.MessageMiddleware',
     'track.middleware.TrackMiddleware',
     'mitxmako.middleware.MakoMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
 
     'course_wiki.course_nav.Middleware',
 
@@ -493,10 +491,6 @@ MIDDLEWARE_CLASSES = (
     'codejail.django_integration.ConfigureCodeJailMiddleware',
 )
 
-# add in csrf middleware unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
-
 ############################### Pipeline #######################################
 
 STATICFILES_STORAGE = 'pipeline.storage.PipelineCachedStorage'
diff --git a/lms/envs/dev.py b/lms/envs/dev.py
index 8547db013f3..090ca02a056 100644
--- a/lms/envs/dev.py
+++ b/lms/envs/dev.py
@@ -255,6 +255,15 @@ SEGMENT_IO_LMS_KEY = os.environ.get('SEGMENT_IO_LMS_KEY')
 if SEGMENT_IO_LMS_KEY:
     MITX_FEATURES['SEGMENT_IO_LMS'] = True
 
+########################## LOAD TESTING ########################
+
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+                   ['django.core.context_processors.csrf',
+                    'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
 
 ########################## USER API ########################
 EDX_API_KEY = None
-- 
GitLab