Django

Ticket #5515 (new)

Opened 2 years ago

Last modified 4 months ago

CSRF has hard-encoded error page

Reported by: Piotr Lewandowski <django@icomputing.biz>
Assigned to:
Milestone:
Component: Contrib apps
Version: SVN
Keywords:
Cc: ubanus@users.sf.net, alexkon@gmail.com
Triage Stage: Design decision needed
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

CSRF Middleware has a hard-encoded error page in the _ERROR_MSG string. It should be located in a separate template -- just like the Http500 or Http404 error pages are.

Attachments

5515_make_403_errors_customizable.diff (8.8 kB) - added by progprog on 12/01/07 02:40:19.
Patch to make 403 responses work like 404 and 500 responses (customizable via handler)

Change History

09/16/07 17:20:20 changed by ubernostrum

  • needs_better_patch changed.
  • stage changed from Unreviewed to Accepted.
  • needs_tests changed.
  • needs_docs changed.

11/30/07 22:00:44 changed by progprog

  • owner changed from nobody to progprog.
  • status changed from new to assigned.

12/01/07 02:40:19 changed by progprog

  • attachment 5515_make_403_errors_customizable.diff added.

Patch to make 403 responses work like 404 and 500 responses (customizable via handler)

12/01/07 02:45:42 changed by progprog

  • owner deleted.
  • status changed from assigned to new.
  • has_patch set to 1.
  • summary changed from CSFR has hard-encoded error page to CSRF has hard-encoded error page.

Patch with tests added.

I decided that in general Django should have customizable 403 pages, a la 404/500, so my patch deals with a larger scope than is described by this ticket. After making 403 customizable, the CSRF middleware simply raises the PermissionDenied exception with a custom message, and get_response() handles the rest.

One consequence of this is that a 403.html template will have to be declared, similar to 404.html and 500.html.
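
An added sketch of the flow this comment describes, not the attached patch and not Django's code: a CSRF check raises PermissionDenied with a message, and get_response() turns it into a 403 through a replaceable handler. The Response class, the token comparison, the template string, the request dictionaries and the fallback behaviour are framework-free assumptions made for illustration.

```python
import hmac
from html import escape

class PermissionDenied(Exception):
    """Stand-in for the exception the comment says the middleware raises."""

class Response:
    def __init__(self, body, status=200):
        self.body, self.status = body, status

# Hard-coded page of the kind the ticket reports (constructed text).
_ERROR_MSG = "<h1>403 Forbidden</h1><p>Request rejected.</p>"
# Stand-in for a project-supplied 403.html template (constructed).
TEMPLATE_403 = "<h1>Access denied</h1><p>{reason}</p>"

def default_handler403(request, reason):
    # The reason is interpolated into HTML, so escape it.
    return Response(TEMPLATE_403.format(reason=escape(reason)), status=403)

def csrf_middleware(request):
    # Simplified placeholder check: the POSTed token must equal the session's.
    if request["method"] == "POST":
        supplied = request.get("post_token", "")
        if not hmac.compare_digest(request["session_token"], supplied):
            raise PermissionDenied("CSRF token missing or incorrect.")

def get_response(request, view, handler403=default_handler403):
    try:
        csrf_middleware(request)
        return view(request)
    except PermissionDenied as exc:
        try:
            response = handler403(request, str(exc))
        except Exception:
            # Assumption: a broken custom handler falls back to the fixed page.
            response = Response(_ERROR_MSG)
        # Assumption: customization changes the page, never the 403 decision.
        response.status = 403
        return response

def demo():
    view = lambda request: Response("saved")
    ok = {"method": "POST", "session_token": "t0k3n", "post_token": "t0k3n"}
    forged = {"method": "POST", "session_token": "t0k3n"}  # constructed requests
    return get_response(ok, view), get_response(forged, view)
```
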

12/01/07 22:17:06 changed by Simon G <dev@simon.net.nz>

  • stage changed from Accepted to Ready for checkin.

(follow-up: ↓ 6 ) 12/04/07 13:21:27 changed by jacob

  • stage changed from Ready for checkin to Design decision needed.

I'd like to have more discussion on this before checking it in. I don't like the feature creep of handler403... handler447 is only one more step down that slippery slope.

(in reply to: ↑ 5 ) 12/09/07 00:16:00 changed by progprog

Replying to jacob:

I'd like to have more discussion on this before checking it in. I don't like the feature creep of handler403... handler447 is only one more step down that slippery slope.

I agree - as I was doing the ticket I thought "Django needs a more generic way to do this." However, designing and implementing a system of generic hooks for different response codes could take weeks or months, and this patch does fulfill an immediate need, so I decided to forge ahead anyway.

08/26/08 12:52:52 changed by Jakub Wilk <ubanus@users.sf.net>

  • cc set to ubanus@users.sf.net.

09/03/08 06:03:28 changed by anonymous

  • milestone set to post-1.0.

01/29/09 08:05:11 changed by alexkon

  • cc changed from ubanus@users.sf.net to ubanus@users.sf.net, alexkon@gmail.com.

02/25/09 13:51:44 changed by

  • milestone deleted.

Milestone post-1.0 deleted

