Ensure csrf token is available on dashboard panels

Fixes wagtail#7688
jmichalicek · Nov 10, 2021 · 12243e7 · 12243e7
1 parent 80905ea
commit 12243e7
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 0 deletions.
diff --git a/docs/releases/2.15.1.rst b/docs/releases/2.15.1.rst
@@ -17,3 +17,4 @@ Bug fixes
  * Increase version range for django-filter dependency (Serafeim Papastefanos)
  * Prevent bulk action checkboxes from displaying on page reports and other non-explorer listings (Matt Westcott)
  * Fix errors on publishing pages via bulk actions (Matt Westcott)
+ * Fix ``csrf_token`` issue when using the Approve or Unlock buttons on pages on the Wagtail admin home (Matt Westcott)
diff --git a/wagtail/admin/tests/pages/test_page_locking.py b/wagtail/admin/tests/pages/test_page_locking.py
@@ -126,6 +126,16 @@ def test_lock_post_bad_permissions(self):
         self.assertIsNone(page.locked_by)
         self.assertIsNone(page.locked_at)
 
+    def test_locked_pages_dashboard_panel(self):
+        self.child_page.locked = True
+        self.child_page.locked_by = self.user
+        self.child_page.locked_at = timezone.now()
+        self.child_page.save()
+        response = self.client.get(reverse('wagtailadmin_home'))
+        self.assertContains(response, "Your locked pages")
+        # check that LockUnlockAction is present and passes a valid csrf token
+        self.assertRegex(response.content.decode('utf-8'), r"LockUnlockAction\(\'\w+\'\, \'\/admin\/'\)")
+
     def test_unlock_post(self):
         # Lock the page
         self.child_page.locked = True

diff --git a/wagtail/admin/tests/test_moderation_list.py b/wagtail/admin/tests/test_moderation_list.py
@@ -83,6 +83,9 @@ def test_edit_page(self):
         # Check response
         self.assertContains(response, self.edit_page_url, count=2)
 
+        # page should contain Approve and Reject forms including a valid CSRF token
+        self.assertRegex(response.content.decode('utf-8'), r'<input type="hidden" name="csrfmiddlewaretoken" value="\w+">')
+
     def test_preview_for_moderation(self):
         # Login as moderator without edit permissions
         self.login_as_moderator_without_edit()

diff --git a/wagtail/admin/tests/test_workflows.py b/wagtail/admin/tests/test_workflows.py
@@ -1018,6 +1018,12 @@ def test_approve_task_and_workflow(self):
         self.assertEqual(mock_call['instance'], self.page)
         self.assertIsInstance(mock_call['instance'], self.page.specific_class)
 
+    def test_workflow_dashboard_panel(self):
+        response = self.client.get(reverse('wagtailadmin_home'))
+        self.assertContains(response, "Awaiting your review")
+        # check that ActivateWorkflowActionsForDashboard is present and passes a valid csrf token
+        self.assertRegex(response.content.decode('utf-8'), r"ActivateWorkflowActionsForDashboard\(\'\w+\'\)")
+
     def test_workflow_action_get(self):
         """
         This tests that a GET request to the workflow action view (for the approve action) returns a modal with a form for extra data entry:

diff --git a/wagtail/admin/views/home.py b/wagtail/admin/views/home.py
@@ -51,6 +51,7 @@ def get_context_data(self, parent_context):
             user_perms.revisions_for_moderation().select_related('page', 'user').order_by('-created_at')
         )
         context['request'] = request
+        context['csrf_token'] = parent_context['csrf_token']
         return context
 
 
@@ -99,6 +100,7 @@ def get_context_data(self, parent_context):
         else:
             context['states'] = []
         context['request'] = request
+        context['csrf_token'] = parent_context['csrf_token']
         return context
 
 
@@ -117,6 +119,7 @@ def get_context_data(self, parent_context):
             ),
             'can_remove_locks': UserPagePermissionsProxy(request.user).can_remove_locks(),
             'request': request,
+            'csrf_token': parent_context['csrf_token'],
         })
         return context