Documentation should warn against accessing request.POST in middleware
|Reported by:||tomchristie||Owned by:||tomchristie|
|Cc:||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
This page https://docs.djangoproject.com/en/dev/topics/http/middleware/ ought to include a note warning against accessing request.POST in middleware.
As per Jacob's comment in #613, middleware that hits request.POST should (usually) be considered a bug. It means that the view will be unable to set any custom upload handlers, perform custom parsing of the request body, or enforce permission checks prior to file uploads being accepted.
I'll provide a patch for this when I get a moment. I'd expect the text to be something like:
"Accessing request.POST or request.REQUEST inside middleware from process_request or process_view is bad practice, and should be avoided. (*)
Doing so will prevent any view running after the middleware from being able to modify the upload handlers for the request (link), or being able to access the request content using request.read() or request.raw_post_data.
(*) The CSRFMiddleware can be considered an exception, as it can be disabled by using the @csrf_exempt decorator."
Any suggestions for tweaks to the text or opinions on if/where this should be added on the page?...
Change History (9)
comment:1 Changed 4 years ago by aaugustin
- Easy pickings unset
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted