security.E101 false positive with class-based views

[Anthony Sottile]

minimal example

class MyView(View):
    def dispatch(self, request, reason=''):
        ...

view = MyView.as_view()

though this appears to work at runtime (at least in unsupported django 2.2 which is what I'm trying to upgrade from), the framework gives an error:

ERRORS:
?: (security.E101) The CSRF failure view 'myview.view' does not take the correct number of arguments.

the reason stems from the use of inspect.signature on the view:

>>> sig = inspect.signature(view)
>>> sig
<Signature (self, request, reason='')>
>>> sig.bind(None, reason=None)
Traceback (most recent call last):
  File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/code.py", line 90, in runcode
    exec(code, self.locals)
  File "<console>", line 1, in <module>
  File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py", line 3037, in bind
    return self._bind(args, kwargs)
  File "/Users/asottile/.pyenv/versions/3.8.16/lib/python3.8/inspect.py", line 2952, in _bind
    raise TypeError(msg) from None
TypeError: missing a required argument: 'request'

​https://github.com/django/django/blob/649262a406168709686f97694493aa1f717c6c96/django/core/checks/security/csrf.py#L60

[Mariusz Felisiak]

As far as I'm aware, CSRF_FAILURE_VIEW doesn't support class-based views, at least officially, check out ​docs:

"A dotted path to the view function to be used when an incoming request is rejected by the CSRF protection. The function should have this signature:"

[Mariusz Felisiak]

Also, it works for me with Django 4.2 and on the current main branch. I've checked with Python 3.8 and 3.10.

[Mariusz Felisiak]

Check out ​PR.

[GitHub <noreply@…>]

In c7276a9c:

Refs #34695 -- Added tests for check for CSRF_FAILURE_VIEW signature with valid class-based view.