Documentation should warn against accessing request.POST in middleware
|Reported by:||Tom Christie||Owned by:||Tom Christie|
|Cc:||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
This page https://docs.djangoproject.com/en/dev/topics/http/middleware/ ought to include a note warning against accessing request.POST in middleware.
As per Jacob's comment in #613, middleware that hits
request.POST should (usually) be considered a bug. It means that the view will be unable to set any custom upload handlers, perform custom parsing of the request body, or enforce permission checks prior to file uploads being accepted.
I'll provide a patch for this when I get a moment. I'd expect the text to be something like:
request.REQUEST inside middleware from
process_view is bad practice, and should be avoided. (*)
Doing so will prevent any view running after the middleware from being able to modify the upload handlers for the request (link), or being able to access the request content using
CSRFMiddleware can be considered an exception, as it can be disabled by using the
Any suggestions for tweaks to the text or opinions on if/where this should be added on the page?...
Change History (9)
comment:1 Changed 5 years ago by
|Patch needs improvement:||unset|
|Triage Stage:||Unreviewed → Accepted|