Code

Opened 4 years ago

Closed 4 years ago

#13555 closed (wontfix)

Removing CSRF protection from subclassed django admin sites

Reported by: spaceman_paul Owned by: nobody
Component: contrib.admin Version: 1.2-beta
Severity: Keywords: csrf
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

From Django 1.2, removing CSRF protection for a subclassed admin site is difficult and messy. (Some of my subclassed admin sites use no authentication and allow direct posting from external applications - CSRF protection is therefore inconvenient to say the least).

It would be nice if there was a clean simple way to completely turn CSRF off in sub-classed admin sites. E.g:

class MyAdminSite(AdminSite):

csrf_protection = False

Attachments (0)

Change History (2)

comment:1 Changed 4 years ago by spaceman_paul

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Properly formatted eg:

class MyAdminSite?(AdminSite?):

    csrf_protection = False

comment:2 Changed 4 years ago by jacob

  • Resolution set to wontfix
  • Status changed from new to closed

Turning off CSRF protection in the admin should *not* be easy: it's a bad idea in 99% of the cases, and making bad things easy isn't a design goal.

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.