nohype/main-site
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Guard admin messages from leaking to frontend

Browse Source
This commit is contained in:
Claude
2026-03-15 17:28:33 +00:00
parent 1a0617fbd0
commit 9b3992f250
4 changed files with 150 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
apps/core/middleware.py
View File

@@ -2,6 +2,8 @@ from __future__ import annotations
import secrets
from django.contrib.messages import get_messages
from .consent import ConsentService
@@ -40,3 +42,25 @@ class SecurityHeadersMiddleware:
)
response["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
return response
class AdminMessageGuardMiddleware:
ADMIN_PREFIXES = ("/cms/", "/django-admin/")
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
# The public site has no legitimate use of Django's shared flash queue.
# Drain any stale admin messages before frontend rendering can see them.
if not request.path.startswith(self.ADMIN_PREFIXES):
storage = get_messages(request)
list(storage)
storage._queued_messages = []
storage._loaded_data = []
for sub_storage in getattr(storage, "storages", []):
sub_storage._queued_messages = []
sub_storage._loaded_data = []
sub_storage.used = True
storage.used = True
return self.get_response(request)

78
apps/core/tests/test_message_handling.py Normal file
View File

@@ -0,0 +1,78 @@
from __future__ import annotations
import pytest
from django.contrib import messages
from django.contrib.auth.models import AnonymousUser
from django.contrib.messages import get_messages
from django.contrib.messages.storage.fallback import FallbackStorage
from django.contrib.sessions.middleware import SessionMiddleware
from django.http import HttpResponse
from django.shortcuts import render
from django.test import RequestFactory, override_settings
from django.urls import include, path
from apps.core.middleware import AdminMessageGuardMiddleware
def admin_message_test_view(request):
messages.success(request, "Page 'Test page' has been updated.")
messages.success(request, "Page 'Test page' has been updated.")
messages.success(request, "Page 'Test page' has been published.")
return render(request, "wagtailadmin/base.html", {})
urlpatterns = [
path("cms/__tests__/admin-messages/", admin_message_test_view),
path("", include("config.urls")),
]
def _build_request(rf: RequestFactory, path: str):
request = rf.get(path)
SessionMiddleware(lambda req: None).process_request(request)
request.session.save()
request.user = AnonymousUser()
setattr(request, "_messages", FallbackStorage(request))
return request
@pytest.mark.django_db
def test_admin_message_guard_clears_stale_messages_on_frontend(rf):
request = _build_request(rf, "/articles/test/")
messages.success(request, "Page 'Test page' has been updated.")
response = AdminMessageGuardMiddleware(lambda req: HttpResponse("ok"))(request)
assert response.status_code == 200
assert list(get_messages(request)) == []
@pytest.mark.django_db
def test_admin_message_guard_preserves_admin_messages(rf):
request = _build_request(rf, "/cms/pages/1/edit/")
messages.success(request, "Page 'Test page' has been updated.")
response = AdminMessageGuardMiddleware(lambda req: HttpResponse("ok"))(request)
remaining = list(get_messages(request))
assert response.status_code == 200
assert len(remaining) == 1
assert remaining[0].message == "Page 'Test page' has been updated."
@pytest.mark.django_db
@override_settings(ROOT_URLCONF="apps.core.tests.test_message_handling")
def test_wagtail_admin_template_deduplicates_consecutive_messages(client, django_user_model):
admin = django_user_model.objects.create_superuser(
username="admin-messages",
email="admin-messages@example.com",
password="admin-pass",
)
client.force_login(admin)
response = client.get("/cms/__tests__/admin-messages/")
content = response.content.decode()
assert response.status_code == 200
assert content.count("has been updated.") == 1
assert content.count("has been published.") == 1