mirror of
https://github.com/django/django.git
synced 2024-11-21 19:09:18 +01:00
Refs #31949 -- Made @xframe_options_(deny/sameorigin/exempt) decorators to work with async functions.
This commit is contained in:
parent
b43936f2ec
commit
00f5d2d110
1
AUTHORS
1
AUTHORS
@ -137,6 +137,7 @@ answer newbie questions, and generally made Django that much better:
|
||||
Ben Godfrey <http://aftnn.org>
|
||||
Benjamin Wohlwend <piquadrat@gmail.com>
|
||||
Ben Khoo <khoobks@westnet.com.au>
|
||||
Ben Lomax <lomax.on.the.run@gmail.com>
|
||||
Ben Slavin <benjamin.slavin@gmail.com>
|
||||
Ben Sturmfels <ben@sturm.com.au>
|
||||
Berker Peksag <berker.peksag@gmail.com>
|
||||
|
@ -1,5 +1,7 @@
|
||||
from functools import wraps
|
||||
|
||||
from asgiref.sync import iscoroutinefunction
|
||||
|
||||
|
||||
def xframe_options_deny(view_func):
|
||||
"""
|
||||
@ -12,14 +14,23 @@ def xframe_options_deny(view_func):
|
||||
...
|
||||
"""
|
||||
|
||||
@wraps(view_func)
|
||||
def wrapper_view(*args, **kwargs):
|
||||
resp = view_func(*args, **kwargs)
|
||||
if resp.get("X-Frame-Options") is None:
|
||||
resp["X-Frame-Options"] = "DENY"
|
||||
return resp
|
||||
if iscoroutinefunction(view_func):
|
||||
|
||||
return wrapper_view
|
||||
async def _view_wrapper(*args, **kwargs):
|
||||
response = await view_func(*args, **kwargs)
|
||||
if response.get("X-Frame-Options") is None:
|
||||
response["X-Frame-Options"] = "DENY"
|
||||
return response
|
||||
|
||||
else:
|
||||
|
||||
def _view_wrapper(*args, **kwargs):
|
||||
response = view_func(*args, **kwargs)
|
||||
if response.get("X-Frame-Options") is None:
|
||||
response["X-Frame-Options"] = "DENY"
|
||||
return response
|
||||
|
||||
return wraps(view_func)(_view_wrapper)
|
||||
|
||||
|
||||
def xframe_options_sameorigin(view_func):
|
||||
@ -33,14 +44,23 @@ def xframe_options_sameorigin(view_func):
|
||||
...
|
||||
"""
|
||||
|
||||
@wraps(view_func)
|
||||
def wrapper_view(*args, **kwargs):
|
||||
resp = view_func(*args, **kwargs)
|
||||
if resp.get("X-Frame-Options") is None:
|
||||
resp["X-Frame-Options"] = "SAMEORIGIN"
|
||||
return resp
|
||||
if iscoroutinefunction(view_func):
|
||||
|
||||
return wrapper_view
|
||||
async def _view_wrapper(*args, **kwargs):
|
||||
response = await view_func(*args, **kwargs)
|
||||
if response.get("X-Frame-Options") is None:
|
||||
response["X-Frame-Options"] = "SAMEORIGIN"
|
||||
return response
|
||||
|
||||
else:
|
||||
|
||||
def _view_wrapper(*args, **kwargs):
|
||||
response = view_func(*args, **kwargs)
|
||||
if response.get("X-Frame-Options") is None:
|
||||
response["X-Frame-Options"] = "SAMEORIGIN"
|
||||
return response
|
||||
|
||||
return wraps(view_func)(_view_wrapper)
|
||||
|
||||
|
||||
def xframe_options_exempt(view_func):
|
||||
@ -53,10 +73,18 @@ def xframe_options_exempt(view_func):
|
||||
...
|
||||
"""
|
||||
|
||||
@wraps(view_func)
|
||||
def wrapper_view(*args, **kwargs):
|
||||
resp = view_func(*args, **kwargs)
|
||||
resp.xframe_options_exempt = True
|
||||
return resp
|
||||
if iscoroutinefunction(view_func):
|
||||
|
||||
return wrapper_view
|
||||
async def _view_wrapper(*args, **kwargs):
|
||||
response = await view_func(*args, **kwargs)
|
||||
response.xframe_options_exempt = True
|
||||
return response
|
||||
|
||||
else:
|
||||
|
||||
def _view_wrapper(*args, **kwargs):
|
||||
response = view_func(*args, **kwargs)
|
||||
response.xframe_options_exempt = True
|
||||
return response
|
||||
|
||||
return wraps(view_func)(_view_wrapper)
|
||||
|
@ -90,6 +90,11 @@ that tells the middleware not to set the header::
|
||||
iframe, you may need to modify the :setting:`CSRF_COOKIE_SAMESITE` or
|
||||
:setting:`SESSION_COOKIE_SAMESITE` settings.
|
||||
|
||||
.. versionchanged:: 5.0
|
||||
|
||||
Support for wrapping asynchronous view functions was added to the
|
||||
``@xframe_options_exempt`` decorator.
|
||||
|
||||
Setting ``X-Frame-Options`` per view
|
||||
------------------------------------
|
||||
|
||||
@ -113,6 +118,11 @@ decorators::
|
||||
Note that you can use the decorators in conjunction with the middleware. Use of
|
||||
a decorator overrides the middleware.
|
||||
|
||||
.. versionchanged:: 5.0
|
||||
|
||||
Support for wrapping asynchronous view functions was added to the
|
||||
``@xframe_options_deny`` and ``@xframe_options_sameorigin`` decorators.
|
||||
|
||||
Limitations
|
||||
===========
|
||||
|
||||
|
@ -233,9 +233,13 @@ CSRF
|
||||
Decorators
|
||||
~~~~~~~~~~
|
||||
|
||||
* The :func:`~django.views.decorators.cache.cache_control` and
|
||||
:func:`~django.views.decorators.cache.never_cache` decorators now support
|
||||
wrapping asynchronous view functions.
|
||||
* The following decorators now support wrapping asynchronous view functions:
|
||||
|
||||
* :func:`~django.views.decorators.cache.cache_control`
|
||||
* :func:`~django.views.decorators.cache.never_cache`
|
||||
* ``xframe_options_deny()``
|
||||
* ``xframe_options_sameorigin()``
|
||||
* ``xframe_options_exempt()``
|
||||
|
||||
Email
|
||||
~~~~~
|
||||
|
@ -83,6 +83,9 @@ view functions:
|
||||
|
||||
* :func:`~django.views.decorators.cache.cache_control`
|
||||
* :func:`~django.views.decorators.cache.never_cache`
|
||||
* ``xframe_options_deny()``
|
||||
* ``xframe_options_sameorigin()``
|
||||
* ``xframe_options_exempt()``
|
||||
|
||||
For example::
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
from asgiref.sync import iscoroutinefunction
|
||||
|
||||
from django.http import HttpRequest, HttpResponse
|
||||
from django.middleware.clickjacking import XFrameOptionsMiddleware
|
||||
from django.test import SimpleTestCase
|
||||
@ -9,6 +11,20 @@ from django.views.decorators.clickjacking import (
|
||||
|
||||
|
||||
class XFrameOptionsDenyTests(SimpleTestCase):
|
||||
def test_wrapped_sync_function_is_not_coroutine_function(self):
|
||||
def sync_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
wrapped_view = xframe_options_deny(sync_view)
|
||||
self.assertIs(iscoroutinefunction(wrapped_view), False)
|
||||
|
||||
def test_wrapped_async_function_is_coroutine_function(self):
|
||||
async def async_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
wrapped_view = xframe_options_deny(async_view)
|
||||
self.assertIs(iscoroutinefunction(wrapped_view), True)
|
||||
|
||||
def test_decorator_sets_x_frame_options_to_deny(self):
|
||||
@xframe_options_deny
|
||||
def a_view(request):
|
||||
@ -17,8 +33,30 @@ class XFrameOptionsDenyTests(SimpleTestCase):
|
||||
response = a_view(HttpRequest())
|
||||
self.assertEqual(response.headers["X-Frame-Options"], "DENY")
|
||||
|
||||
async def test_decorator_sets_x_frame_options_to_deny_async_view(self):
|
||||
@xframe_options_deny
|
||||
async def an_async_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
response = await an_async_view(HttpRequest())
|
||||
self.assertEqual(response.headers["X-Frame-Options"], "DENY")
|
||||
|
||||
|
||||
class XFrameOptionsSameoriginTests(SimpleTestCase):
|
||||
def test_wrapped_sync_function_is_not_coroutine_function(self):
|
||||
def sync_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
wrapped_view = xframe_options_sameorigin(sync_view)
|
||||
self.assertIs(iscoroutinefunction(wrapped_view), False)
|
||||
|
||||
def test_wrapped_async_function_is_coroutine_function(self):
|
||||
async def async_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
wrapped_view = xframe_options_sameorigin(async_view)
|
||||
self.assertIs(iscoroutinefunction(wrapped_view), True)
|
||||
|
||||
def test_decorator_sets_x_frame_options_to_sameorigin(self):
|
||||
@xframe_options_sameorigin
|
||||
def a_view(request):
|
||||
@ -27,8 +65,30 @@ class XFrameOptionsSameoriginTests(SimpleTestCase):
|
||||
response = a_view(HttpRequest())
|
||||
self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
|
||||
|
||||
async def test_decorator_sets_x_frame_options_to_sameorigin_async_view(self):
|
||||
@xframe_options_sameorigin
|
||||
async def an_async_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
response = await an_async_view(HttpRequest())
|
||||
self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
|
||||
|
||||
|
||||
class XFrameOptionsExemptTests(SimpleTestCase):
|
||||
def test_wrapped_sync_function_is_not_coroutine_function(self):
|
||||
def sync_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
wrapped_view = xframe_options_exempt(sync_view)
|
||||
self.assertIs(iscoroutinefunction(wrapped_view), False)
|
||||
|
||||
def test_wrapped_async_function_is_coroutine_function(self):
|
||||
async def async_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
wrapped_view = xframe_options_exempt(async_view)
|
||||
self.assertIs(iscoroutinefunction(wrapped_view), True)
|
||||
|
||||
def test_decorator_stops_x_frame_options_being_set(self):
|
||||
"""
|
||||
@xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
|
||||
@ -48,3 +108,18 @@ class XFrameOptionsExemptTests(SimpleTestCase):
|
||||
# middleware's functionality.
|
||||
middleware_response = XFrameOptionsMiddleware(a_view)(request)
|
||||
self.assertIsNone(middleware_response.get("X-Frame-Options"))
|
||||
|
||||
async def test_exempt_decorator_async_view(self):
|
||||
@xframe_options_exempt
|
||||
async def an_async_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
request = HttpRequest()
|
||||
response = await an_async_view(request)
|
||||
self.assertIsNone(response.get("X-Frame-Options"))
|
||||
self.assertIs(response.xframe_options_exempt, True)
|
||||
|
||||
# The real purpose of the exempt decorator is to suppress the
|
||||
# middleware's functionality.
|
||||
middleware_response = await XFrameOptionsMiddleware(an_async_view)(request)
|
||||
self.assertIsNone(middleware_response.get("X-Frame-Options"))
|
||||
|
Loading…
Reference in New Issue
Block a user