From ba398ce103fad68fd3044e0045f7faead3a05aef Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 13 Jan 2015 15:12:10 +0100
Subject: [PATCH 5/5] Use new CSRF cookie validation on login view (refs #5617)

---
 src/authentic2/auth_frontends.py | 1 +
 src/authentic2/views.py | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/auth_frontends.py b/src/authentic2/auth_frontends.py
index 5f95fb5..5df903b 100644
--- a/src/authentic2/auth_frontends.py
+++ b/src/authentic2/auth_frontends.py
@@ -29,16 +29,17 @@ class LoginPasswordBackend(object):
         form = forms.AuthenticationForm(data=data)
         is_secure = request.is_secure
         context = {
             'submit_name': self.submit_name,
         }
         seconds_to_wait = exponential_backoff.seconds_to_wait(request)
         reset = True
         if is_post and not seconds_to_wait:
+            utils.csrf_token_check(request, form)
             reset = False
             if form.is_valid():
                 if is_secure:
                     how = 'password-on-https'
                 else:
                     how = 'password'
                 exponential_backoff.success(request)
                 return utils.login(request, form.get_user(), how)
diff --git a/src/authentic2/views.py b/src/authentic2/views.py
index 59151c7..a018870 100644
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
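Review bot: The new `utils.csrf_token_check(request, form)` call only protects the login if the helper turns a failed check into something that makes the following `form.is_valid()` return False (or raises); nothing in the hunk shows which, and if it merely records an error that validation later overwrites, a POST with a missing or wrong token could still reach `utils.login`. I would make that contract visible at the call site, e.g. `# csrf_token_check must make form.is_valid() fail (or raise) on a bad token; the login below relies on it`, or branch explicitly on its result if the helper returns a status. A pre-existing problem in the surrounding context is worth fixing in the same area: `is_secure = request.is_secure` binds the method instead of calling it, so if this is Django's `HttpRequest.is_secure()` the `if is_secure:` branch is always taken and `how` is labelled 'password-on-https' even over plain HTTP — `is_secure = request.is_secure()` is the intended line. The enclosing method starts and ends outside the hunk.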
@@ -21,17 +21,17 @@ from django.core.urlresolvers import reverse from django.contrib import messages from django.utils.translation import ugettext as _ from django.utils.http import urlencode, same_origin from django.contrib.auth import logout as auth_logout from django.contrib.auth import REDIRECT_FIELD_NAME from django.http import (HttpResponseRedirect, HttpResponseForbidden, HttpResponse) from django.core.exceptions import PermissionDenied -from django.views.decorators.csrf import csrf_protect +from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie from django.views.decorators.cache import never_cache from django.contrib.auth.decorators import login_required from django.db.models.fields import FieldDoesNotExist # FIXME: this decorator has nothing to do with an idp, should be moved in the # a2 package # FIXME: this constant should be moved in the a2 package @@ -175,17 +175,18 @@ class EmailChangeVerifyView(TemplateView): return shortcuts.redirect('account_management') return shortcuts.redirect('email-change') email_change_verify = EmailChangeVerifyView.as_view() logger = logging.getLogger('authentic2.idp.views') -@csrf_protect +@csrf_exempt +@ensure_csrf_cookie @never_cache def login(request, template_name='authentic2/login.html', redirect_field_name=REDIRECT_FIELD_NAME): """Displays the login form and handles the login action.""" redirect_to = request.REQUEST.get(redirect_field_name) if not redirect_to or ' ' in redirect_to: redirect_to = settings.LOGIN_REDIRECT_URL -- 1.9.1
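Review bot: Swapping `@csrf_protect` for `@csrf_exempt` on `login` removes the middleware's CSRF enforcement for every frontend dispatched through this view, so protection now rests entirely on each frontend's POST handler calling `utils.csrf_token_check` itself; this patch only shows LoginPasswordBackend doing that, and any other frontend that accepts a POST through this view would be left unchecked. The docstring should record that contract so the next frontend author does not miss it, e.g. extend it with `This view is csrf_exempt: each frontend's POST handler must call utils.csrf_token_check itself; @ensure_csrf_cookie only guarantees the cookie is issued.` The import hunk above drops `csrf_protect` from views.py altogether, so if any other view in the module still uses that decorator the module will fail at import time — worth checking before merging. The body of `login` continues past the hunk.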