Opened 4 years ago

Closed 4 years ago

#14222 closed (invalid)

csrf_exempt decorator is useless if not the top-most decorator

Reported by: Joshua "jag" Ginsberg <jag@…>
Owned by: nobody
Component: Uncategorized
Version: 1.2
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


If a view has multiple decorators and @csrf_exempt is not the top-most, it does not make the view CSRF-exempt. I would expect that anywhere in the decorator chain, the effect would be the same.

Attachments (0)

Change History (1)

comment:1 Changed 4 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

I think this will depend on which other decorators are being used, and whether they use functools.wraps or not. All Django-provided decorators do use functools.wraps or equivalent, as far as I know, and it is not possible to make the decorator work as expected in combination with other decorators that don't.

I'm going to close as INVALID for now, as there isn't enough information to know if there is a bug in Django or not. If you can identify a Django-provided decorator which is misbehaving, please re-open. Thanks!
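The behaviour discussed in this ticket, as an added example that is not part of the ticket or of Django's code: `csrf_exempt` works by setting a `csrf_exempt` attribute on the callable it returns, and the CSRF middleware reads that attribute from the outermost callable. The stand-ins below model that mechanism without importing Django; `logs_with_wraps`, `logs_without_wraps` and `middleware_would_skip_check` are hypothetical names.

```python
import functools


def csrf_exempt(view):
    """Simplified stand-in for Django's csrf_exempt: tag the wrapper."""
    @functools.wraps(view)
    def wrapper(*args, **kwargs):
        return view(*args, **kwargs)
    wrapper.csrf_exempt = True
    return wrapper


def middleware_would_skip_check(callback):
    """Stand-in for the middleware's test on the resolved view callable."""
    return getattr(callback, "csrf_exempt", False)


def logs_with_wraps(view):
    """Hypothetical decorator that uses functools.wraps."""
    @functools.wraps(view)  # copies view.__dict__, so csrf_exempt survives
    def inner(*args, **kwargs):
        return view(*args, **kwargs)
    return inner


def logs_without_wraps(view):
    """Hypothetical decorator that omits functools.wraps."""
    def inner(*args, **kwargs):  # fresh function, empty __dict__
        return view(*args, **kwargs)
    return inner


def view(request):
    """Constructed sample view."""
    return "ok"


def exemption_matrix():
    """Report, per decorator order, whether the exemption marker is visible."""
    check = middleware_would_skip_check
    return {
        "exempt_outermost": check(csrf_exempt(logs_without_wraps(view))),
        "no_wraps_outermost": check(logs_without_wraps(csrf_exempt(view))),
        "wraps_outermost": check(logs_with_wraps(csrf_exempt(view))),
    }


if __name__ == "__main__":
    for order, exempt in exemption_matrix().items():
        print(f"{order}: exempt={exempt}")
```

When the marker is lost, the view stays CSRF-protected, so the symptom is a rejected POST rather than a skipped check.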
