Opened 15 years ago
Closed 15 years ago
#13555 closed (wontfix)
Removing CSRF protection from subclassed django admin sites
| Reported by: | Paul Haesler | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.2-beta |
| Severity: | Keywords: | csrf | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
From Django 1.2, removing CSRF protection for a subclassed admin site is difficult and messy. (Some of my subclassed admin sites use no authentication and allow direct posting from external applications - CSRF protection is therefore inconvenient to say the least).
It would be nice if there was a clean simple way to completely turn CSRF off in sub-classed admin sites. E.g:
class MyAdminSite(AdminSite):
csrf_protection = False
Change History (2)
comment:1 by , 15 years ago
comment:2 by , 15 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Turning off CSRF protection in the admin should *not* be easy: it's a bad idea in 99% of the cases, and making bad things easy isn't a design goal.
Note:
See TracTickets
for help on using tickets.
Properly formatted eg:
class MyAdminSite?(AdminSite?): csrf_protection = False