Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#12933 closed (fixed)

self.admin_site.admin_view() disables @csrf_view_exempt, should have csrf_protected=True arg

Reported by: philomat Owned by: nobody
Component: contrib.admin Version: 1.2-beta
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

If a use the csrf_view_exempt decorator on an admin view and expose that view in the get_urls() method using the admin_view decorator, the view will always be decorated with csrf_protect – making the exempt useless.

I think admin_view should either check whether the view is alreay exempted, or have a csrf_protected=True arg similar to the cacheable arg.

Attachments (1)

fix_admin_view_csrf_exempt.diff (557 bytes) - added by philomat 5 years ago.
This patch should fix the problem.

Download all attachments as: .zip

Change History (6)

comment:1 Changed 5 years ago by russellm

  • milestone set to 1.2
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Changed 5 years ago by philomat

This patch should fix the problem.

comment:2 Changed 5 years ago by philomat

  • Has patch set

comment:3 Changed 5 years ago by russellm

  • Component changed from Uncategorized to django.contrib.admin

comment:4 Changed 5 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from new to closed

(In [12619]) Fixed #12933 - AdminSite.admin_view disables @csrf_view_exempt

Thanks to philomat for report and patch.

comment:5 Changed 4 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted

Note: See TracTickets for help on using tickets.
Back to Top