#12933 closed (fixed)
self.admin_site.admin_view() disables @csrf_view_exempt, should have csrf_protected=True arg
| Reported by: | philomat | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.2-beta |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If a use the csrf_view_exempt decorator on an admin view and expose that view in the get_urls() method using the admin_view decorator, the view will always be decorated with csrf_protect – making the exempt useless.
I think admin_view should either check whether the view is alreay exempted, or have a csrf_protected=True arg similar to the cacheable arg.
Attachments (1)
Change History (6)
comment:1 by , 15 years ago
| milestone: | → 1.2 |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
by , 15 years ago
| Attachment: | fix_admin_view_csrf_exempt.diff added |
|---|
comment:2 by , 15 years ago
| Has patch: | set |
|---|
comment:3 by , 15 years ago
| Component: | Uncategorized → django.contrib.admin |
|---|
comment:4 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
This patch should fix the problem.