Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

python/ql/lib/semmle/python/Concepts.qll

@@ -106,7 +106,7 @@ module FileSystemWriteAccess {
 }
 
 /**
- * A data-flow node that may set or unset Cross-site request forgery protection
+ * A data-flow node that enables or disables Cross-site request forgery protection
  * in a global manner.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2330,8 +2330,12 @@ module PrivateDjango {
         mw.asVar().getName() = "MIDDLEWARE" and
         DataFlow::localFlow(this, mw)
       |
-        // it only counts as setting the CSRF protection, if the app uses authentication,
+        // To only include results where CSRF protection matters, we only care about CSRF
-        // so check that the list contains the django authentication middleware.
+        // protection when the django authentication middleware is enabled.
+        // Since an active session cookie is exactly what would allow an attacker to perform
+        // a CSRF attack.
+        // Notice that this does not ensure that this is not a FP, since the authentication
+        // middleware might be unused.
         //
         // This also strongly implies that we are actually looking at the `MIDDLEWARE` setting.
         list.getAnElt().(StrConst).getText() =

python/ql/src/Security/CWE-352/CSRFProtectionDisabled.qhelp

@@ -6,7 +6,7 @@
   <overview>
     <p>
       Cross-site request forgery (CSRF) is a type of vulnerability in which an
-      attacker is able to force a user carry out an action that the user did
+      attacker is able to force a user to carry out an action that the user did
       not intend.
     </p>