Monday, February 28, 2011

CSRF token can only be rendered in CSRF-protected views

I was not able to describe my problems in a ticket on the first attempt, so
I am trying here before creating another ticket.


We use CSRF protection on almost all POST requests, but we have encountered
some limitations of CSRF protection as currently implemented in
Django.

- You cannot render a POST form in unprotected views, not even if the user
already has the CSRF cookie set.
- If you render such a form, you will always end up in the CSRF failure
view, because the input with csrf_token has its value set to some replacement
string.
- I had to overcome this problem by copying the part of the middleware
that sets the CSRF cookie in request.META. An alternative solution is to call
the CSRF check manually and throw away the result.
- Calling the CSRF check manually (not via middleware or decorator) is not very
handy; the code for that looks like:

from django.middleware.csrf import CsrfViewMiddleware

def my_view(request):  # hypothetical view name; the check runs inside the view body
    # Second argument is the view callback (only inspected for csrf_exempt);
    # the last two are the callback's args/kwargs, mandatory but unused by the check
    result = CsrfViewMiddleware().process_view(request, lambda: None, None, None)
    # If None is returned, then the check passed
    if result:
        # Store data back to the session to prevent its loss
        return result

This call is not very pretty, especially because the second argument is
only used to check whether the view was exempt from CSRF protection, and the last
two are mandatory for the middleware's process_view method but are not
used in the CSRF check.

My questions are:
- Is my assumption correct that rendering the CSRF token in an unprotected
view should be possible, or am I missing something?
- Is it a reasonable requirement to call the CSRF check manually?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
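As an added illustration (not Django's code and not part of the original post), here is a stripped-down Python model of the flow the post describes: the middleware copies the cookie token into request.META, the template tag reads it from there, and a form rendered by a view that skipped that step carries only a placeholder and so fails the check on submission. The dict-based request, the placeholder string and all function names are assumptions of this model.

```python
import hmac
import secrets

# Placeholder the template tag emits when no token is available (assumed value)
REPLACEMENT = "NOTPROVIDED"


def set_cookie_token_in_meta(request):
    """Middleware step: copy the CSRF cookie into META, minting one if absent.
    `request` is a plain dict with 'COOKIES' and 'META' keys (constructed stand-in)."""
    token = request["COOKIES"].get("csrftoken") or secrets.token_hex(16)
    request["META"]["CSRF_COOKIE"] = token
    return token


def render_csrf_token(request):
    """Template tag step: read the token from META, else emit the placeholder."""
    return request["META"].get("CSRF_COOKIE", REPLACEMENT)


def check_csrf(request, posted_token):
    """Synchroniser-token check on a POST. None means OK (like process_view),
    otherwise a short reason. Constant-time compare avoids a timing side channel."""
    cookie = request["COOKIES"].get("csrftoken")
    if cookie is None:
        return "CSRF cookie not set"
    if not hmac.compare_digest(cookie, posted_token):
        return "CSRF token missing or incorrect"
    return None


def unprotected_view(request):
    """Middleware/decorator skipped: META['CSRF_COOKIE'] is never populated."""


def cookie_ensuring_view(request):
    """The workaround from the post: run the middleware's cookie step by hand."""
    set_cookie_token_in_meta(request)


def submit_form_rendered_by(view):
    """Render a form via `view` for a user who already holds the cookie,
    then POST the rendered token back; returns the check result."""
    cookies = {"csrftoken": secrets.token_hex(16)}  # constructed existing cookie
    get_request = {"COOKIES": cookies, "META": {}}
    view(get_request)
    posted = render_csrf_token(get_request)
    post_request = {"COOKIES": cookies, "META": {}}
    return check_csrf(post_request, posted)


if __name__ == "__main__":
    print(submit_form_rendered_by(unprotected_view))      # CSRF token missing or incorrect
    print(submit_form_rendered_by(cookie_ensuring_view))  # None
```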
