Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#15794 closed Bug (fixed)

csrf_exempt decorator applied to http method in class based view - broken

Reported by: carbonXT
Owned by: nobody
Component: Documentation
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Decorating anything other than the dispatch() method of a class based view with csrf_exempt doesn't work. For example:

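from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import FormView

class MyView(FormView):

    # Exemption applied to dispatch(), whose attributes as_view() carries forward.
    @method_decorator(csrf_exempt)
    def dispatch(self, *args, **kwargs):
        return super(MyView, self).dispatch(*args, **kwargs)

    def post(self, request, *args, **kwargs):
        # ....
        return super(MyView, self).post(request, *args, **kwargs)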

works.

class MyView(FormView):

    def dispatch(self, *args, **kwargs):
        return super(MyView, self).dispatch(*args, **kwargs)

    # Exemption applied to post() only; dispatch() itself is left undecorated.
    @method_decorator(csrf_exempt)
    def post(self, request, *args, **kwargs):
        # ....
        return super(MyView, self).post(request, *args, **kwargs)

does not work. This returns a 403 - CSRF verification failed.

This is because the as_view() function in [source:django/trunk/django/views/generic/base.py#L54] only carries the __dict__ from the dispatch() method forward - not those of post(), get(), etc.

The documentation here [source:django/trunk/docs/topics/class-based-views.txt#L590] claims that csrf_exempt can be applied to the http method names.

Attached is a trivial documentation patch.

Attachments (1)

documentation.diff (914 bytes) - added by carbonXT 4 years ago.


Change History (4)

Changed 4 years ago by carbonXT

comment:1 Changed 4 years ago by lukeplant

  • Component changed from Generic views to Documentation
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

I agree that we should fix the documentation to say that you should decorate the dispatch method. In some cases, it may be possible to decorate the get/post/etc. methods, but that depends on the nature of the decorator.

It would be possible to 'fix' this by copying attributes from the get/post/etc methods but that is problematic - we can't actually enumerate what all those methods are for a start, and this approach is only going to work for some types of decorators, and otherwise cause confusing and inconsistent behaviour.

comment:2 Changed 4 years ago by gabrielhurley

  • Resolution set to fixed
  • Status changed from new to closed

In [16056]:

Fixed #15794 -- Corrected an error in the docs which indicated applying decorators to any of the view-like methods would work when it will only work reliably with dispatch.

comment:3 Changed 4 years ago by gabrielhurley

In [16057]:

[1.3.X] Fixed #15794 -- Corrected an error in the docs which indicated applying decorators to any of the view-like methods would work when it will only work reliably with dispatch. Thanks to carbonXT for the report and patch.

Backport of [16056] from trunk.
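The behaviour discussed in this ticket, as an added example that is not part of the ticket or of Django's code: a simplified, Django-free model of a marker-style decorator, an as_view() that carries forward only dispatch()'s attributes, and a check that reads the marker from the view callable. The class names, the dict-based request, csrf_check() and the misplaced_exemptions() audit helper are assumptions made for illustration.

```python
import functools

def csrf_exempt(func):
    """Model of a marker decorator: tag the callable, leave its behaviour alone."""
    @functools.wraps(func)
    def wrapped(*args, **kwargs):
        return func(*args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped

def csrf_check(callback, request):
    """Model of the CSRF check: it only ever sees the callable from as_view()."""
    if getattr(callback, "csrf_exempt", False) or request.get("token_ok"):
        return callback(request)
    return 403  # CSRF verification failed

class View:
    http_method_names = ("get", "post")

    @classmethod
    def as_view(cls):
        def view(request):
            return cls().dispatch(request)
        # Only dispatch()'s attributes are carried forward to the callable.
        functools.update_wrapper(view, cls.dispatch, assigned=())
        return view

    def dispatch(self, request):
        return getattr(self, request["method"].lower())(request)

class ExemptOnDispatch(View):
    @csrf_exempt
    def dispatch(self, request):
        return super().dispatch(request)
    def post(self, request):
        return 200

class ExemptOnPost(View):
    @csrf_exempt
    def post(self, request):
        return 200

def misplaced_exemptions(cls):
    """Audit helper: handlers marked exempt while the view callable is not."""
    if getattr(cls.as_view(), "csrf_exempt", False):
        return []
    return [m for m in cls.http_method_names
            if getattr(getattr(cls, m, None), "csrf_exempt", False)]
```

In this model the misplaced marker fails closed: a POST without a valid token to ExemptOnPost is rejected with 403, matching the report, and misplaced_exemptions() names the handler whose marker never reaches the check.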
