Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#12933 closed (fixed)

self.admin_site.admin_view() disables @csrf_view_exempt, should have csrf_protected=True arg

Reported by: philomat
Owned by: nobody
Component: contrib.admin
Version: 1.2-beta
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

If I use the csrf_view_exempt decorator on an admin view and expose that view in the get_urls() method using the admin_view decorator, the view will always be decorated with csrf_protect – making the exempt useless.

I think admin_view should either check whether the view is already exempted, or have a csrf_protected=True arg similar to the cacheable arg.

Attachments (1)

fix_admin_view_csrf_exempt.diff (557 bytes) - added by philomat 7 years ago.
This patch should fix the problem.
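
As an added illustration (not the attached patch and not Django's code), here is a self-contained model of the behaviour reported in the description and of the two remedies it proposes. The decorators `exempt` and `protect`, the dict-shaped request and both `admin_view_*` functions are hypothetical stand-ins that run without Django.

```python
import hmac

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

def exempt(view):
    """Stand-in for a CSRF-exempt decorator: mark the view with a flag."""
    def wrapped(request):
        return view(request)
    wrapped.csrf_exempt = True
    return wrapped

def protect(view):
    """Stand-in for CSRF protection: unsafe methods need a matching token."""
    def wrapped(request):
        if request["method"] not in SAFE_METHODS:
            cookie, sent = request.get("cookie_token", ""), request.get("form_token", "")
            if not cookie or not hmac.compare_digest(cookie, sent):
                return 403
        return view(request)
    return wrapped

def admin_view_always_protect(view):
    """Behaviour the ticket reports: protection applied unconditionally."""
    return protect(view)

def admin_view_honor_exempt(view, csrf_protected=True):
    """The ticket's two suggestions: honour the flag, or an explicit argument."""
    if csrf_protected and not getattr(view, "csrf_exempt", False):
        return protect(view)
    return view

@exempt
def webhook(request):
    return 200

def plain(request):
    return 200

def demo():
    post = {"method": "POST"}  # constructed request: a POST with no CSRF token
    return {
        "reported": admin_view_always_protect(webhook)(post),
        "exempt_honored": admin_view_honor_exempt(webhook)(post),
        "unmarked_still_protected": admin_view_honor_exempt(plain)(post),
    }
```

The third result is the one to check in review: a view that was never marked exempt must still be rejected without a token after the change.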


Change History (6)

comment:1 Changed 7 years ago by Russell Keith-Magee

milestone: 1.2
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

Changed 7 years ago by philomat

This patch should fix the problem.

comment:2 Changed 7 years ago by philomat

Has patch: set

comment:3 Changed 7 years ago by Russell Keith-Magee

Component: Uncategorized → django.contrib.admin

comment:4 Changed 7 years ago by Luke Plant

Resolution: fixed
Status: new → closed

(In [12619]) Fixed #12933 - AdminSite.admin_view disables @csrf_view_exempt

Thanks to philomat for report and patch.

comment:5 Changed 5 years ago by Jacob

milestone: 1.2

Milestone 1.2 deleted
