#12933 closed (fixed)
self.admin_site.admin_view() disables @csrf_view_exempt, should have csrf_protected=True arg
Reported by: | philomat | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 1.2-beta |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
If a use the csrf_view_exempt decorator on an admin view and expose that view in the get_urls() method using the admin_view decorator, the view will always be decorated with csrf_protect – making the exempt useless.
I think admin_view should either check whether the view is alreay exempted, or have a csrf_protected=True arg similar to the cacheable arg.
Attachments (1)
Change History (6)
comment:1 by , 15 years ago
milestone: | → 1.2 |
---|---|
Triage Stage: | Unreviewed → Accepted |
by , 15 years ago
Attachment: | fix_admin_view_csrf_exempt.diff added |
---|
comment:2 by , 15 years ago
Has patch: | set |
---|
comment:3 by , 15 years ago
Component: | Uncategorized → django.contrib.admin |
---|
comment:4 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
This patch should fix the problem.