#16004 closed Bug (fixed)
csrf_protect does not send cookie if view returns TemplateResponse
| Reported by: | Luke Plant | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 1.3 |
| Severity: | Release blocker | Keywords: | |
| Cc: | chris@… | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
See http://groups.google.com/group/django-developers/browse_thread/thread/f96e982254fbe5c3S
The problem is that decorator_from_middleware does not render the response the way that normal handling does.
Note that problem will be hidden if CsrfViewMiddleware is in use.
See also #16003 which is likely related.
Attachments (3)
Change History (12)
by , 14 years ago
| Attachment: | 16004.fix.diff added |
|---|---|
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Patch needs improvement: | set |
|---|---|
There *must* be a better way to fix this; I can't believe that CSRF prevents us from making it easier to customize the admin.
comment:3 by , 14 years ago
It's not just CSRF, decorator_from_middleware is fundamentally broken w.r.t. TemplateResponse. This would be a bug in decorator_from_middleware even if csrf_protect didn't exist.
'gzip_page' is also affected (and would also be fixed by this), but the bigger issue is any 3rd party decorator that happens to use decorator_from_middleware.
And the bigger issue again is TemplateResponse, and the concept of lazy responses. I'm sure there are many other bugs lurking wherever rendering a template has side-effects - such as in django.contrib.messages and django.contrib.session.
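The following is an added, self-contained model of the failure described in the ticket and in comment 3; it is not Django's code and not the attached patch. It stands in for the relevant parts with constructed names: `LazyResponse` plays the role of `TemplateResponse` (content produced on `render()`, with the `add_post_render_callback` hook that `TemplateResponse` offers), `CsrfLikeMiddleware` models the half of `CsrfViewMiddleware` that matters here (the template asks for a token while rendering, and `process_response` only sets the cookie if a token was requested). `broken_decorator_from_middleware` runs `process_response` immediately, before the lazy response has rendered, so the cookie is never sent; `fixed_decorator_from_middleware` defers `process_response` into a post-render callback, which is the approach the ticket points towards and is assumed here rather than taken from the changeset. `handler_like_run` models why the bug is hidden when the middleware is in `MIDDLEWARE_CLASSES`: the request handler renders the response before response middleware runs.

```python
# Added example (not Django's own code): why decorator_from_middleware
# loses the CSRF cookie on a lazily rendered response, and the fix of
# deferring process_response until after render. All names constructed.


class LazyResponse:
    """Stand-in for TemplateResponse: content is produced on render()."""

    def __init__(self, render_fn):
        self._render_fn = render_fn
        self.content = None
        self.cookies = {}
        self._post_render_callbacks = []

    def add_post_render_callback(self, callback):
        self._post_render_callbacks.append(callback)

    def render(self):
        if self.content is None:
            self.content = self._render_fn()
            for callback in self._post_render_callbacks:
                callback(self)
        return self


def get_token(request):
    """Model of the template tag: marks the cookie as used while rendering."""
    request["CSRF_COOKIE_USED"] = True
    return request["CSRF_COOKIE"]


class CsrfLikeMiddleware:
    """Model of CsrfViewMiddleware.process_response: the cookie is only
    sent if rendering asked for a token."""

    def process_response(self, request, response):
        if request.get("CSRF_COOKIE_USED"):
            response.cookies["csrftoken"] = request["CSRF_COOKIE"]
        return response


def broken_decorator_from_middleware(middleware):
    """Pre-fix shape: process_response runs before the response renders,
    so CSRF_COOKIE_USED is not yet set and no cookie is added."""

    def decorator(view):
        def wrapped(request):
            return middleware.process_response(request, view(request))
        return wrapped
    return decorator


def fixed_decorator_from_middleware(middleware):
    """Assumed fix shape: for a lazy response, defer process_response into
    a post-render callback; plain responses are handled immediately."""

    def decorator(view):
        def wrapped(request):
            response = view(request)
            if callable(getattr(response, "render", None)):
                response.add_post_render_callback(
                    lambda rendered: middleware.process_response(request, rendered))
                return response
            return middleware.process_response(request, response)
        return wrapped
    return decorator


def template_view(request):
    """A view returning a lazy response whose template uses the token."""
    return LazyResponse(lambda: "<form>" + get_token(request) + "</form>")


def new_request():
    return {"CSRF_COOKIE": "constructed-token-value"}  # constructed sample


def decorated_run(decorator_factory):
    """Decorate the view (as csrf_protect does), call it, then render the
    way the handler would later; return the cookies that would be sent."""
    request = new_request()
    view = decorator_factory(CsrfLikeMiddleware())(template_view)
    return view(request).render().cookies


def handler_like_run():
    """Middleware in MIDDLEWARE_CLASSES: the handler renders the response
    before process_response, which is why the bug is hidden there."""
    request = new_request()
    response = template_view(request).render()
    return CsrfLikeMiddleware().process_response(request, response).cookies


if __name__ == "__main__":
    print("decorator, broken:", decorated_run(broken_decorator_from_middleware))
    print("decorator, fixed: ", decorated_run(fixed_decorator_from_middleware))
    print("middleware path:  ", handler_like_run())
```

Running it shows an empty cookie dict for the broken decorator and the `csrftoken` cookie for both the deferred decorator and the middleware path; the same deferral applies to any other decorator built with `decorator_from_middleware` whose `process_response` depends on side effects of rendering.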
comment:4 by , 14 years ago
| Cc: | added |
|---|---|
by , 14 years ago
| Attachment: | 16004.fix.alternative.diff added |
|---|---|
comment:7 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
In [16276]:
(The changeset message doesn't reference this ticket)
Fix