author | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2011-12-03 21:20:11 +0100 |
---|---|---|
committer | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2011-12-03 21:25:55 +0100 |
commit | 71c6c432a5fe8fe0f96dac284562a8e1b981d669 (patch) | |
tree | 72fefb5d171bfe0211371027ffc94e175b907162 | |
parent | 968dd9e735eeeee9da0d1c10735e9bba2817e7c0 (diff) | |
Bug #685: only provide CSRF token if it exists
This was suggested by Nathan Yergler in the bug logs.
Just implementing it.
- Let render_csrf_form_token return None, if the CSRF_TOKEN
is not available in the environ, because the
process_request part of the meddleware has not yet run.
- In render_template: If the returned value from above is
None, then do not add the csrf_token to the templates
context.
-rw-r--r-- | mediagoblin/meddleware/csrf.py | 3 | ||||
-rw-r--r-- | mediagoblin/tools/template.py | 4 |
2 files changed, 6 insertions, 1 deletions
diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index 16541bee..a4e4e5c6 100644
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -50,6 +50,9 @@ def render_csrf_form_token(request):
 """Render the CSRF token in a format suitable for inclusion in a form."""
+ if 'CSRF_TOKEN' not in request.environ:
+ return None
+
 form = CsrfForm(csrf_token=request.environ['CSRF_TOKEN'])
 return form.csrf_token
diff --git a/mediagoblin/tools/template.py b/mediagoblin/tools/template.py
index f48b7c2e..d0400347 100644
--- a/mediagoblin/tools/template.py
+++ b/mediagoblin/tools/template.py
@@ -79,7 +79,9 @@ def render_template(request, template_path, context):
 template = request.template_env.get_template( template_path)
 context['request'] = request
- context['csrf_token'] = render_csrf_form_token(request)
+ rendered_csrf_token = render_csrf_form_token(request)
+ if rendered_csrf_token is not None:
+ context['csrf_token'] = render_csrf_form_token(request)
 rendered = template.render(context)
 if common.TESTS_ENABLED: |
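Review bot: The docstring of render_csrf_form_token still promises a rendered token, while the new early return hands callers `None` whenever `CSRF_TOKEN` is missing from `request.environ`. I would add a sentence to the docstring such as `Returns None if the CSRF meddleware's process_request has not run for this request.` so that any other caller knows it must check the result. This path silently yields pages whose forms carry no token; whether such a form is rejected on submit depends on the verification code, which is not visible in this hunk and is worth confirming. The function's `def` line sits outside the hunk.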
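Review bot: The added branch calls render_csrf_form_token(request) a second time instead of storing the value it has just tested; the assignment should read `context['csrf_token'] = rendered_csrf_token`. As written, the `is not None` check and the value placed in the context come from two separate calls, so the guard does not actually cover what is stored, and the form object is built twice per render. Templates that print `csrf_token` inside a form will now render without it when the key is absent, so the request-side check should be confirmed to reject a POST with no token rather than skip verification. render_template starts before and continues after this hunk.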