From 71c6c432a5fe8fe0f96dac284562a8e1b981d669 Mon Sep 17 00:00:00 2001
From: Elrond <elrond+mediagoblin.org@samba-tng.org>
Date: Sat, 3 Dec 2011 21:20:11 +0100
Subject: Bug #685: only provide CSRF token if it exists

This was suggested by Nathan Yergler in the bug logs.
Just implementing it.

- Let render_csrf_form_token return None, if the CSRF_TOKEN
  is not available in the environ, because the
  process_request part of the meddleware has not yet run.

- In render_template: If the returned value from above is
  None, then do not add the csrf_token to the templates
  context.
---
 mediagoblin/meddleware/csrf.py | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'mediagoblin/meddleware')

diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index 16541bee..a4e4e5c6 100644
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -50,6 +50,9 @@ def render_csrf_form_token(request):
     """Render the CSRF token in a format suitable for inclusion in a
     form."""
 
+    if 'CSRF_TOKEN' not in request.environ:
+        return None
+
     form = CsrfForm(csrf_token=request.environ['CSRF_TOKEN'])
 
     return form.csrf_token
-- 
cgit v1.2.3