Opened 6 years ago

Closed 6 years ago

#15637 closed New feature (fixed)

Add a require_safe decorator for views to accept GET or HEAD

Reported by: Aymeric Augustin Owned by: nobody
Component: HTTP handling Version: master
Severity: Normal Keywords:
Cc: Tom Christie, leidel@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX:

Description

It is a good practice to reject POST requests on views that are not intended to process them. Django provides the require_GET decorator for this purpose.

Although browsers only implement GET and POST methods, other software such as link checkers uses HEAD requests. Views protected by require_GET will (obviously) reject such requests with "405 Method Not Allowed". I've encountered the problem with the "Check My Links" extension for Google Chrome.

However, RFC2616 says that "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response." Django already enforces this behavior by stripping the body of the responses to HEAD requests. So I think that in most cases, it makes more sense to accept GET and HEAD than only GET.

That is why I'm proposing a "require_safe" decorator for this purpose.

Attachments (3)

add-require-safe-http-decorator.patch (2.3 KB) - added by Aymeric Augustin 6 years ago.
add-require-safe-http-decorator.2.patch (4.7 KB) - added by Aymeric Augustin 6 years ago.
15637.require_safe.diff (5.9 KB) - added by Julien Phalip 6 years ago.
Tweaked doc


Change History (13)

Changed 6 years ago by Aymeric Augustin

comment:1 Changed 6 years ago by Aymeric Augustin

Has patch: set

comment:2 Changed 6 years ago by Julien Phalip

Triage Stage: Unreviewed → Accepted

comment:3 Changed 6 years ago by Julien Phalip

Patch needs improvement: set

The patch looks good but needs a few improvements. The doc should explain why the decorator is called require_safe (i.e. GET and HEAD methods are commonly referred to as "safe" methods), and the tests should actually check that the decorator actually only allows GET and HEAD requests.
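The behaviour described in the ticket description (GET and HEAD accepted, every other method refused with 405) and the check comment:3 asks the tests to make, written out as an added example. This is not the ticket's patch or Django's own code: the Request and Response classes, the dispatch helper and the probe function are constructed stand-ins so the block runs without Django, and the names require_GET and require_safe are reused only to mirror the decorators being discussed.

```python
from functools import wraps

SAFE_METHODS = ("GET", "HEAD")  # "safe" in the RFC 2616 sense: no side effects expected


class Request:
    """Constructed stand-in for an HTTP request; carries only what the decorator inspects."""

    def __init__(self, method):
        self.method = method.upper()


class Response:
    """Constructed stand-in for an HTTP response (status, body, headers)."""

    def __init__(self, status=200, content=b"", headers=None):
        self.status = status
        self.content = content
        self.headers = dict(headers or {})


def require_http_methods(allowed):
    """Decorator factory: refuse any request whose method is not in `allowed` with a 405.

    The 405 carries an Allow header listing the permitted methods, as RFC 2616
    section 10.4.6 requires, so a client can tell which methods the view accepts.
    """
    allowed = tuple(m.upper() for m in allowed)

    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if request.method not in allowed:
                return Response(405, b"", {"Allow": ", ".join(allowed)})
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


require_GET = require_http_methods(["GET"])        # the decorator the ticket says breaks link checkers
require_safe = require_http_methods(SAFE_METHODS)  # the decorator the ticket proposes


def dispatch(view, request):
    """Call a view and enforce the RFC 2616 rule that a HEAD response has no body.

    Illustrative stand-in for the body stripping the ticket says Django's handler already
    does; it deliberately sits outside the decorator, which only decides allow/refuse.
    """
    response = view(request)
    if request.method == "HEAD":
        response.content = b""
    return response


def article_page(request):
    """A plain read-only view with no reason to ever process a POST."""
    return Response(200, b"<h1>Article</h1>")


get_only_view = require_GET(article_page)
safe_view = require_safe(article_page)


def probe(view, methods=("GET", "HEAD", "POST")):
    """Return {method: (status, body length, Allow header or None)} for each method tried."""
    results = {}
    for method in methods:
        resp = dispatch(view, Request(method))
        results[method] = (resp.status, len(resp.content), resp.headers.get("Allow"))
    return results


if __name__ == "__main__":
    # A link checker issuing HEAD gets 405 from the GET-only view but 200 (empty body) from the safe one.
    print("require_GET :", probe(get_only_view))
    print("require_safe:", probe(safe_view))
```

The probe makes the comparison concrete: under require_GET a HEAD request is refused with `Allow: GET`, while under require_safe HEAD succeeds with an empty body and only POST is refused, now with `Allow: GET, HEAD`. A test for the real decorator should assert exactly those three outcomes rather than only that GET works.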

Changed 6 years ago by Aymeric Augustin

comment:4 Changed 6 years ago by Aymeric Augustin

Patch needs improvement: unset

Thanks for accepting the feature, julien. Here is a new patch with more details in the documentation and more tests.

comment:5 Changed 6 years ago by Tom Christie

Cc: Tom Christie added

comment:6 Changed 6 years ago by Luke Plant

Type: New feature

comment:7 Changed 6 years ago by Luke Plant

Severity: Normal

Changed 6 years ago by Julien Phalip

Attachment: 15637.require_safe.diff added

Tweaked doc

comment:8 Changed 6 years ago by Julien Phalip

Triage Stage: Accepted → Ready for checkin

Great work, thank you. I've just made a few minor improvements to the doc.

comment:9 Changed 6 years ago by Jannis Leidel

Cc: leidel@… added
Easy pickings: unset

comment:10 Changed 6 years ago by Jannis Leidel

Resolution: fixed
Status: new → closed

In [16115]:

Fixed #15637 -- Added a require_safe decorator for views to accept GET or HEAD. Thanks, aaugustin and Julien.
