#16004 closed Bug (fixed)
csrf_protect does not send cookie if view returns TemplateResponse
Reported by: | Luke Plant | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 1.3 |
Severity: | Release blocker | Keywords: | |
Cc: | chris@… | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
See http://groups.google.com/group/django-developers/browse_thread/thread/f96e982254fbe5c3S
The problem is that decorator_from_middleware does not render the response the way that normal handling does.
Note that problem will be hidden if CsrfViewMiddleware is in use.
See also #16003 which is likely related.
Attachments (3)
Change History (12)
by , 13 years ago
Attachment: | 16004.fix.diff added |
---|
comment:1 by , 13 years ago
comment:2 by , 13 years ago
Patch needs improvement: | set |
---|
There *must* be a better way to fix this, I can't believe that CSRF prevents us from making it easier to customize the admin.
comment:3 by , 13 years ago
It's not just CSRF, decorator_from_middleware is fundamentally broken w.r.t. TemplateResponse. This would be a bug in decorator_from_middleware even if csrf_protect didn't exist.
'gzip_page' is also affected (and would also be fixed by this), but the bigger issue is any 3rd party decorator that happens to use decorator_from_middleware.
And the bigger issue again is TemplateResponse, and the concept of lazy responses. I'm sure there are many other bugs lurking wherever rendering a template has side-effects - such as in django.contrib.messages and django.contrib.session.
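The ordering problem described in the report and in comment 3 can be shown without Django. The following is an added simulation, not Django's code and not the attached patch: `LazyResponse`, `CsrfMiddleware`, `get_token` and the two `decorator_from_middleware_*` factories are constructed stand-ins for TemplateResponse, CsrfViewMiddleware, django.middleware.csrf.get_token and decorator_from_middleware. The CSRF token is only requested while the template renders, so a decorator that runs `process_response` immediately on the unrendered response never sees the "cookie used" flag and never sets the cookie; deferring `process_response` to a post-render callback restores it.

```python
"""Constructed simulation of the csrf_protect / TemplateResponse ordering bug.
None of these classes are Django's; they model only the relevant behaviour."""
from functools import wraps


class Request:
    def __init__(self):
        self.META = {}


class Response:
    def __init__(self, content=""):
        self.content = content
        self.cookies = {}


class LazyResponse(Response):
    """Stand-in for TemplateResponse: content exists only after render()."""

    def __init__(self, request, render_fn):
        super().__init__()
        self._request = request
        self._render_fn = render_fn
        self._callbacks = []
        self.is_rendered = False

    def add_post_render_callback(self, callback):
        self._callbacks.append(callback)

    def render(self):
        if not self.is_rendered:
            self.content = self._render_fn(self._request)
            self.is_rendered = True
            for callback in self._callbacks:
                callback(self)
        return self


def get_token(request):
    """Stand-in for get_token: rendering the form template marks the cookie as used."""
    request.META["CSRF_COOKIE_USED"] = True
    return request.META.setdefault("CSRF_COOKIE", "constructed-token-value")


class CsrfMiddleware:
    """Stand-in for CsrfViewMiddleware: sets the cookie only if the token was used."""

    def process_response(self, request, response):
        if request.META.get("CSRF_COOKIE_USED"):
            response.cookies["csrftoken"] = request.META["CSRF_COOKIE"]
        return response


def decorator_from_middleware_broken(middleware_cls):
    """Runs process_response right away, before a lazy response has rendered."""

    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            response = view(request, *args, **kwargs)
            return middleware_cls().process_response(request, response)
        return wrapped
    return decorator


def decorator_from_middleware_fixed(middleware_cls):
    """Defers process_response until the lazy response has been rendered."""

    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            response = view(request, *args, **kwargs)
            middleware = middleware_cls()
            if hasattr(response, "render") and callable(response.render):
                response.add_post_render_callback(
                    lambda rendered: middleware.process_response(request, rendered)
                )
                return response
            return middleware.process_response(request, response)
        return wrapped
    return decorator


def form_template(request):
    # Constructed template body: the token is first touched during rendering.
    return "<input name='csrfmiddlewaretoken' value='%s'>" % get_token(request)


def lazy_view(request):
    return LazyResponse(request, form_template)


def cookie_sent(decorator_factory):
    """Return True if the csrftoken cookie ends up on the rendered response."""
    request = Request()
    protected = decorator_factory(CsrfMiddleware)(lazy_view)
    response = protected(request)
    response.render()  # the request handler renders after the decorator has run
    return "csrftoken" in response.cookies


if __name__ == "__main__":
    print("broken decorator sends cookie:", cookie_sent(decorator_from_middleware_broken))
    print("fixed decorator sends cookie:", cookie_sent(decorator_from_middleware_fixed))
```

The check in the fixed variant is what makes the decorator safe for both kinds of response: a plain, already-rendered response still goes through `process_response` immediately, while anything with a `render` method waits until its content, and therefore any side effects of rendering, actually exist.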
comment:4 by , 13 years ago
Cc: | added |
---|
by , 13 years ago
Attachment: | 16004.fix.alternative.diff added |
---|
comment:7 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
In [16276]:
(The changeset message doesn't reference this ticket)
Fix