Change microcopy for missing csrf to follow mismatched csrf. Fix tests.

rouilj · rouilj · commit ef3f0079fb07 · 2019-07-15T20:59:12.000-04:00
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1252,7 +1252,7 @@ def handle_csrf(self, xmlrpc=False):
         if key is None: # we do not have an @csrf token
             if enforce == 'required':
                 logger.error(self._("Required csrf field missing for user%s"), current_user)
-                raise UsageError(self._("Csrf token is missing."))
+                raise UsageError(self._("We can't validate your session (csrf failure). Re-enter any unsaved data and try again."))
             elif enforce == 'logfailure':
                     # FIXME include url
                     logger.warning(self._("csrf field not supplied by user%s"), current_user)
diff --git a/test/test_cgi.py b/test/test_cgi.py
@@ -958,7 +958,7 @@ def hasPermission(s, p, classname=None, d=None, e=None, **kw):
         # roundup will report a missing token.
         cl.db.config['WEB_CSRF_ENFORCE_TOKEN'] = 'required'
         cl.inner_main()
-        match_at=out[0].find('<p>Csrf token is missing.</p>')
+        match_at=out[0].find("<p>We can't validate your session (csrf failure). Re-enter any unsaved data and try again.</p>")
         print("result of subtest 6a:", out[0], match_at)
         self.assertEqual(match_at, 33)
         del(out[0])
@@ -971,7 +971,7 @@ def hasPermission(s, p, classname=None, d=None, e=None, **kw):
         cl.form = db_test_base.makeForm(form2)
 
         cl.inner_main()
-        match_at=out[0].find('Invalid csrf token found: booogus')
+        match_at=out[0].find("We can't validate your session (csrf failure). Re-enter any unsaved data and try again.")
         print("result of subtest 7:", out[0])
         self.assertEqual(match_at, 36)
         del(out[0])
@@ -999,7 +999,7 @@ def hasPermission(s, p, classname=None, d=None, e=None, **kw):
         # try a replay attack
         cl.inner_main()
         # This should fail as token was wiped by last run.
-        match_at=out[0].find('Invalid csrf token found: %s'%nonce)
+        match_at=out[0].find("We can't validate your session (csrf failure). Re-enter any unsaved data and try again.")
         print("replay of csrf after post use", out[0])
         print("result of subtest 10:", out[0])
         self.assertEqual(match_at, 36)
@@ -1030,7 +1030,7 @@ def hasPermission(s, p, classname=None, d=None, e=None, **kw):
         cl.env.update({'REQUEST_METHOD': 'POST'})
         print(cl.env)
         cl.inner_main()
-        match_at=out[0].find('Invalid csrf token found: %s'%nonce)
+        match_at=out[0].find("We can't validate your session (csrf failure). Re-enter any unsaved data and try again.")
         print("post failure after get", out[0])
         print("result of subtest 13:", out[0])
         self.assertEqual(match_at, 36)
