Add template for 403 CSRF Bad Origin failure

2022-02-21 21:26:12 -08:00 · 2022-02-21 21:26:12 -08:00 · b1ee9fe043
parent a145d4dffa
commit b1ee9fe043
4 changed files with 58 additions and 0 deletions
--- a/babybuddy/settings/base.py
+++ b/babybuddy/settings/base.py
@ -243,6 +243,7 @@ SESSION_COOKIE_HTTPONLY = True
 # https://docs.djangoproject.com/en/4.0/ref/csrf/#settings
 CSRF_COOKIE_HTTPONLY = True
 # CSRF_COOKIE_SECURE = True
+CSRF_FAILURE_VIEW = "babybuddy.views.csrf_failure"
 CSRF_TRUSTED_ORIGINS = list(
    filter(None, os.environ.get("CSRF_TRUSTED_ORIGINS", "").split(","))
 )
--- a/babybuddy/templates/error/403.html
+++ b/babybuddy/templates/error/403.html
--- a/babybuddy/templates/error/403_csrf_bad_origin.html
+++ b/babybuddy/templates/error/403_csrf_bad_origin.html
@ -0,0 +1,29 @@
+{% extends 'babybuddy/base.html' %}
+{% load i18n widget_tweaks %}
+
+{% block title %}403 {{ title }}{% endblock %}
+
+{% block breadcrumb_nav %}{% endblock %}
+
+{% block page %}
+    <div class="container mt-2 mt-lg-5">
+        <div class="row justify-content-md-center">
+            <div class="col-lg-12 mb-4">
+                <div>
+                    <h1>403: {{ title }}</h1>
+                    <div class="alert alert-danger" role="alert">
+                        {{ main }} {{ reason }}
+                    </div>
+                    <div class="jumbotron">
+                        <h2>{% trans "How to Fix" %}</h2>
+                        {% blocktrans trimmed with origin=origin %}
+                            Add <samp>{{ origin }}</samp> to the <code>CSRF_TRUSTED_ORIGINS</code>
+                            environment variable. If multiple origins are required separate
+                            with commas.
+                        {% endblocktrans %}
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+{% endblock %}
--- a/babybuddy/views.py
+++ b/babybuddy/views.py
@ -5,12 +5,16 @@ from django.contrib.auth.forms import PasswordChangeForm
 from django.contrib.auth.models import User
 from django.contrib.auth.views import LogoutView as LogoutViewBase
 from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpResponseForbidden
+from django.middleware.csrf import REASON_BAD_ORIGIN
 from django.shortcuts import redirect, render
+from django.template import loader, TemplateDoesNotExist
 from django.urls import reverse, reverse_lazy
 from django.utils import translation
 from django.utils.decorators import method_decorator
 from django.utils.text import format_lazy
 from django.utils.translation import gettext as _, gettext_lazy
+from django.views import csrf
 from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_protect
 from django.views.decorators.http import require_POST
@ -25,6 +29,30 @@ from babybuddy import forms
 from babybuddy.mixins import LoginRequiredMixin, PermissionRequiredMixin, StaffOnlyMixin


+def csrf_failure(request, reason=""):
+    """
+    Overrides the 403 CSRF failure template for bad origins in order to provide more
+    userful information about how to resolve the issue.
+    """
+    if (
+        "HTTP_ORIGIN" in request.META
+        and reason == REASON_BAD_ORIGIN % request.META["HTTP_ORIGIN"]
+    ):
+        c = {
+            "title": _("Forbidden"),
+            "main": _("CSRF verification failed. Request aborted."),
+            "reason": reason,
+            "origin": request.META["HTTP_ORIGIN"],
+        }
+        try:
+            t = loader.get_template("error/403_csrf_bad_origin.html")
+            return HttpResponseForbidden(t.render(c), content_type="text/html")
+        except TemplateDoesNotExist:
+            pass
+
+    return csrf.csrf_failure(request, reason, "403_csrf.html")
+
+
 class RootRouter(LoginRequiredMixin, RedirectView):
    """
    Redirects to the site dashboard.