id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15794	csrf_exempt decorator applied to http method in class based view - broken	Mike Fogel	nobody	"Decorating anything other than the dispatch() method of a class based view with csrf_exempt doesn't work. For example:

{{{
class MyView(FormView):

    @method_decorator(csrf_exempt)
    def dispatch(self, *args, **kwargs):
        return super(MyView, self).dispatch(*args, **kwargs)

    def post(self, request, *args, **kwargs):
        # ....
        return super(MyView, self).post(request, *args, **kwargs)
}}}

works.

{{{
class MyView(FormView):

    def dispatch(self, *args, **kwargs):
        return super(MyView, self).dispatch(*args, **kwargs)

    @method_decorator(csrf_exempt)
    def post(self, request, *args, **kwargs):
        # ....
        return super(MyView, self).post(request, *args, **kwargs)

}}}

does not work. This returns a 403 - CSRF verification failed.

This is because the as_view() function in [source:django/trunk/django/views/generic/base.py#L54] only carries the !__dict!__ from the dispatch() method forward - not those of post(), get(), etc.

The documentation here [source:django/trunk/docs/topics/class-based-views.txt#L590] claims that csrf_exempt can be applied to the http method names.

Attached is a trivial documentation patch.
"	Bug	closed	Documentation	dev	Normal	fixed			Ready for checkin	1	0	0	0	0	0