1
0
mirror of https://github.com/django/django.git synced 2025-10-25 06:36:07 +00:00

Fixed #15518 - documented requires_csrf_token

Thanks to vzima for a report that raised the issue.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16187 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant
2011-05-09 18:27:36 +00:00
parent 1d350a6c51
commit eadcbcb131

View File

@@ -284,6 +284,60 @@ to set cookies). Note that even without CSRF, there are other vulnerabilities,
such as session fixation, that make giving subdomains to untrusted parties a bad
idea, and these vulnerabilities cannot easily be fixed with current browsers.
Edge cases
==========
Certain views can have unusual requirements that mean they don't fit the normal
pattern envisaged here. A number of utilities can be useful in these
situations. The scenarios they might be needed in are described in the following
section.
Utilities
---------
.. module:: django.views.decorators.csrf
.. function:: requires_csrf_token(view)
Normally the :ttag:`csrf_token` template tag will not work if
``CsrfViewMiddleware.process_view`` or an equivalent like ``csrf_protect``
has not run. The view decorator ``requires_csrf_token`` can be used to
ensure the template tag does work. This decorator works similarly to
``csrf_protect``, but never rejects an incoming request.
Example::
from django.views.decorators.csrf import requires_csrf_token
from django.shortcuts import render
@requires_csrf_token
def my_view(request):
c = {}
# ...
return render(request, "a_template.html", c)
Scenarios
---------
CsrfViewMiddleware.process_view not used
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are cases when may not have run before your view is run - 404 and 500
handlers, for example - but you still need the CSRF token in a form.
Solution: use ``requires_csrf_token``
Unprotected view needs the CSRF token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There may be some views that are unprotected and have been exempted by
``csrf_exempt``, but still need to include the CSRF token.
Solution: use ``csrf_exempt`` followed by ``requires_csrf_token``.
Contrib and reusable apps
=========================