Add (failing) test for middleware responses during preview

Responses returned by middleware (e.g. authentication failure) while creating the dummy request for a page preview. However, the current (broken) behaviour is to ignore the response, and attempt to serve the preview using the resulting request - which is likely to have incompletely-applied middleware, leading to hard-to-debug issues (usually involving a missing request.site).
2026-05-02 12:34:46 +00:00 · 2019-07-10 17:28:33 +02:00 · 2019-07-10 17:28:33 +02:00 · 1d9e0acfb8
commit 1d9e0acfb8
parent 6358d84fa9
3 changed files with 30 additions and 0 deletions
--- a/wagtail/admin/tests/test_pages_views.py
+++ b/wagtail/admin/tests/test_pages_views.py
@ -1,6 +1,7 @@
 import datetime
 import logging
 import os
+import unittest
 from itertools import chain
 from unittest import mock

@ -5275,6 +5276,19 @@ class TestDraftAccess(TestCase, WagtailTestUtils):
        # User can view
        self.assertEqual(response.status_code, 200)

+    @unittest.expectedFailure
+    def test_middleware_response_is_returned(self):
+        """
+        If middleware returns a response while serving a page preview, that response should be
+        returned back to the user
+        """
+        self.login()
+        response = self.client.get(
+            reverse('wagtailadmin_pages:view_draft', args=(self.child_page.id, )),
+            HTTP_USER_AGENT='EvilHacker'
+        )
+        self.assertEqual(response.status_code, 403)
+

 class TestPreview(TestCase, WagtailTestUtils):
    fixtures = ['test.json']
--- a/wagtail/tests/middleware.py
+++ b/wagtail/tests/middleware.py
@ -0,0 +1,15 @@
+from django.http import HttpResponseForbidden
+from django.utils.deprecation import MiddlewareMixin
+
+
+class BlockDodgyUserAgentMiddleware(MiddlewareMixin):
+    # Used to test that we're correctly handling responses returned from middleware during page
+    # previews. If a client with user agent "EvilHacker" calls an admin view that performs a
+    # preview, the request to /admin/... will pass this middleware, but the fake request used for
+    # the preview (which keeps the user agent header, but uses the URL path of the front-end page)
+    # will trigger a Forbidden response. In this case, the expected behaviour is to return that
+    # response back to the user.
+
+    def process_request(self, request):
+        if not request.path.startswith('/admin/') and request.META.get('HTTP_USER_AGENT') == 'EvilHacker':
+            return HttpResponseForbidden("Forbidden")
--- a/wagtail/tests/settings.py
+++ b/wagtail/tests/settings.py
@ -94,6 +94,7 @@ MIDDLEWARE = (
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',

+    'wagtail.tests.middleware.BlockDodgyUserAgentMiddleware',
    'wagtail.core.middleware.SiteMiddleware',
    'wagtail.contrib.redirects.middleware.RedirectMiddleware',
 )