id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 20908 csrf_exempt does not work with `__call__` akshar nobody "Suppose my view is like: class Resource(object): @csrf_exempt def __call__(self, request, `*args`, `**kwargs`): #dispatch to any other method and get response #return response #urls.py resource = Resource() url(r'resource/$', resource, name='resource') Now if I try to make a POST request to this url, it gives '403 Forbidden'. Same issue on SO can be found at http://stackoverflow.com/questions/10252238/csrf-exempt-stopped-working-in-django-1-4 What I guess is happening: On line https://github.com/django/django/blob/1.5/django/core/handlers/base.py#L104 If it were a function based view, `callback` would have been a csrf_exempt decorated function and CsrfViewMiddleware processing would have left it to pass without raising a 403, because this decorated function would have had an attribute `csrf_exempt`. But since it is not a FBV, `callback` says it is still an object, something like . So, function decoration of __call__ has not taken place till this point and so the CsrfViewMiddleware returns a 403." Bug closed CSRF 1.5 Normal invalid Unreviewed 0 0 0 0 0 0