id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19436	"ensure_csrf_cookie decorator issues a ""CSRF token missing or incorrect"" warning."	wrr@…	Olivier Sels	"I'm using ensure_csrf_cookie decorator to set CSRF protection token with a POST request. The decorator works correctly but it prints incorrect and confusing warning:

'''WARNING django.request Forbidden (CSRF token missing or incorrect.): /auth/api/csrftoken/'''

The warning for sure comes from the decorator, because the application does not use CsrfViewMiddleware. I briefly examined django/views/decorators/csrf.py and django/middleware/csrf.py and it seems that indeed such warning is printed when post method is decorated.

Relevant part of the code that produces warning:


{{{
from django.core.context_processors import csrf
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import ensure_csrf_cookie
from django.views.generic import View

class CsrfToken(View):
    """"""Establishes Cross Site Request Forgery protection token.""""""

    @method_decorator(ensure_csrf_cookie)
    def post(self, request):
        """"""Returns CSRF protection token in a cookie and a response body.""""""
        csrf_token = csrf(request).values()[0]
        return http.HttpResponseOKJson({'csrfToken': str(csrf_token)})
}}}
"	Bug	closed	CSRF	1.4	Normal	fixed	csrf		Ready for checkin	1	0	0	0	0	0