Context Navigation

← Previous Ticket
Next Ticket →

#13555 closed (wontfix)

Removing CSRF protection from subclassed django admin sites

Reported by:	Paul Haesler	Owned by:	nobody
Component:	contrib.admin	Version:	1.2-beta
Severity:		Keywords:	csrf
Cc:		Triage Stage:	Unreviewed
Has patch:	no	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description ¶

From Django 1.2, removing CSRF protection for a subclassed admin site is difficult and messy. (Some of my subclassed admin sites use no authentication and allow direct posting from external applications - CSRF protection is therefore inconvenient to say the least).

It would be nice if there was a clean simple way to completely turn CSRF off in sub-classed admin sites. E.g:

class MyAdminSite(AdminSite):

csrf_protection = False

Change History (2)

comment:1 by Paul Haesler, 15 years ago

Properly formatted eg:

class MyAdminSite?(AdminSite?):

    csrf_protection = False

comment:2 by Jacob, 15 years ago

Resolution:	→ wontfix
Status:	new → closed

Turning off CSRF protection in the admin should *not* be easy: it's a bad idea in 99% of the cases, and making bad things easy isn't a design goal.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues

Context Navigation

#13555 closed (wontfix)

Removing CSRF protection from subclassed django admin sites

Description ¶

Change History (2)

comment:1 by Paul Haesler, 15 years ago

comment:2 by Jacob, 15 years ago

Download in other formats:

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us