Opened 9 years ago

Closed 9 years ago

#14222 closed (invalid)

csrf_exempt decorator is useless if not the top-most decorator

Reported by: Joshua "jag" Ginsberg <jag@…> Owned by: nobody
Component: Uncategorized Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


If a view has multiple decorators and @csrf_exempt is not the top-most, it does not make the view CSRF-exempt. I would expect that anywhere in the decorator chain, the effect would be the same.

Change History (1)

comment:1 Changed 9 years ago by Luke Plant

Resolution: invalid
Status: newclosed

I think this will depend on which other decorators are being used, and whether they use functools.wraps or not. All Django-provided decorators do use functools.wraps or equivalent, as far as I know, and it is not possible to make the decorator work as expected in combination with other decorators that don't.

I'm going to close as INVALID for now, as there isn't enough information to know if there is a bug in Django or not. If you can identify a Django-provided decorator which is misbehaving, please re-open. Thanks!

Note: See TracTickets for help on using tickets.
Back to Top