Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#15794 closed Bug (fixed)

csrf_exempt decorator applied to http method in class based view - broken

Reported by: Mike Fogel
Owned by: nobody
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Decorating anything other than the dispatch() method of a class based view with csrf_exempt doesn't work. For example:

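from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import FormView

class MyView(FormView):

    # The flag set by csrf_exempt sits on dispatch(), which as_view() copies forward.
    @method_decorator(csrf_exempt)
    def dispatch(self, *args, **kwargs):
        return super(MyView, self).dispatch(*args, **kwargs)

    def post(self, request, *args, **kwargs):
        # ....
        return super(MyView, self).post(request, *args, **kwargs)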

works.

class MyView(FormView):

    def dispatch(self, *args, **kwargs):
        return super(MyView, self).dispatch(*args, **kwargs)

    @method_decorator(csrf_exempt)
    def post(self, request, *args, **kwargs):
        # ....
        return super(MyView, self).post(request, *args, **kwargs)

does not work. This returns a 403 - CSRF verification failed.

This is because the as_view() function in [source:django/trunk/django/views/generic/base.py#L54] only carries the __dict__ from the dispatch() method forward - not those of post(), get(), etc.

The documentation here [source:django/trunk/docs/topics/class-based-views.txt#L590] claims that csrf_exempt can be applied to the http method names.

Attached is a trivial documentation patch.
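The mechanism described above can be reproduced without Django. The following is an added example, not part of the original ticket and not Django's code: `View`, `csrf_exempt`, `csrf_middleware` and `ineffective_exemptions` are simplified stand-ins written for illustration, and the request is a constructed dict. It assumes the CSRF check inspects only the callable returned by `as_view()`, and that `as_view()` copies attributes from `dispatch()` alone, as the description states.

```python
from functools import update_wrapper

HTTP_METHODS = ("get", "post", "put", "delete")  # sample subset for this model

def csrf_exempt(func):
    """Stand-in for a flag-setting decorator: marks the callable it returns."""
    def wrapped(*args, **kwargs):
        return func(*args, **kwargs)
    wrapped.csrf_exempt = True
    return update_wrapper(wrapped, func)

class View:
    @classmethod
    def as_view(cls):
        def view(request):
            return cls().dispatch(request)
        # Only dispatch()'s __dict__ reaches the callable the URL layer sees.
        update_wrapper(view, cls.dispatch, assigned=())
        return view

    def dispatch(self, request):
        return getattr(self, request["method"].lower())(request)

def csrf_middleware(view, request):
    """Stand-in check: runs on the outer callable, before any handler is chosen."""
    if getattr(view, "csrf_exempt", False) or request.get("csrf_token_ok"):
        return view(request)
    return 403

def ineffective_exemptions(cls):
    """Handlers flagged exempt whose flag never reaches the as_view() callable."""
    if getattr(cls.as_view(), "csrf_exempt", False):
        return []
    return [m for m in HTTP_METHODS
            if getattr(getattr(cls, m, None), "csrf_exempt", False)]

class ExemptOnDispatch(View):
    @csrf_exempt
    def dispatch(self, request):
        return super().dispatch(request)

    def post(self, request):
        return 200

class ExemptOnPost(View):
    @csrf_exempt
    def post(self, request):
        return 200
```

In this model the misplaced decorator fails closed (the POST is rejected with 403), while the working form exempts every HTTP method the view handles, not only `post()`.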

Attachments (1)

documentation.diff (914 bytes) - added by Mike Fogel 13 years ago.

Change History (4)

by Mike Fogel, 13 years ago

Attachment: documentation.diff added

comment:1 by Luke Plant, 13 years ago

Component: Generic views → Documentation
Triage Stage: Unreviewed → Ready for checkin

I agree that we should fix the documentation to say that you should decorate the dispatch method. In some cases, it may be possible to decorate the get/post/etc. methods, but that depends on the nature of the decorator.

It would be possible to 'fix' this by copying attributes from the get/post/etc methods but that is problematic - we can't actually enumerate what all those methods are for a start, and this approach is only going to work for some types of decorators, and otherwise cause confusing and inconsistent behaviour.

comment:2 by Gabriel Hurley, 13 years ago

Resolution: fixed
Status: new → closed

In [16056]:

Fixed #15794 -- Corrected an error in the docs which indicated applying decorators to any of the view-like methods would work when it will only work reliably with dispatch.

comment:3 by Gabriel Hurley, 13 years ago

In [16057]:

[1.3.X] Fixed #15794 -- Corrected an error in the docs which indicated applying decorators to any of the view-like methods would work when it will only work reliably with dispatch. Thanks to carbonXT for the report and patch.

Backport of [16056] from trunk.
