Merge branch 'csrf-fix' into develop

django/website/hid/tests/login_tests.py

+from __future__ import unicode_literals, absolute_import
+
+import pytest
+
+from django.core.urlresolvers import reverse
+from django.test import Client
+from django.utils.six.moves.urllib.parse import urlsplit
+
+from users.models import User
+
+@pytest.mark.django_db
+def test_user_directed_to_login_page_when_csrf_error():
+    username = 'william'
+    password = 'passw0rd'
+
+    User.objects.create_user(username, 'william@example.com', password)
+
+    client = Client(enforce_csrf_checks=True)
+    data = {'username': username,
+            'password': password,
+            'csrfmiddlewaretoken': 'notavalidtoken'}
+    response = client.post(reverse('login'),
+                           data=data, follow=True)
+
+    assert hasattr(response, 'redirect_chain')
+    assert len(response.redirect_chain) > 0, "Response didn't redirect"
+
+    assert response.redirect_chain[0][1] == 302
+    url, _ = response.redirect_chain[-1]
+    scheme, netloc, path, query, fragment = urlsplit(url)
+    assert path == reverse('login')
+
+    url, _ = response.redirect_chain[-2]
+    scheme, netloc, path, query, fragment = urlsplit(url)
+    assert path == reverse('dashboard')
+
+    assert response.status_code == 200

django/website/hid/views.py

 from django.contrib import messages
+from django.contrib.auth.views import login
 from django.core.urlresolvers import reverse
 from django.http import HttpResponseRedirect
 from django.utils.translation import ugettext as _
@@ -220,3 +221,13 @@ def process_items(request):
             messages.error(request, _('Unknown action'))
 
     return HttpResponseRedirect(redirect_url)
+
+
+def csrf_failure(request, reason=''):
+    # If the user presses the back button in the browser to go back to the
+    # login page and logs in again, they will get a CSRF error page because
+    # the token will be wrong.
+    # We override this with a redirect to the dashboard, which if not already
+    # logged in, will redirect to the login page (with a fresh token).
+
+    return HttpResponseRedirect(reverse('dashboard'))

django/website/settings.py

@@ -390,5 +390,6 @@ else:
     )
 ########## END TEMPLATE CONFIGURATION
 
+CSRF_FAILURE_VIEW = 'hid.views.csrf_failure'
 
 ########## Your stuff: Below this line define 3rd party libary settings