id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23800	Middleware CSRF validation is unclear for PUT and DELETE	Mark Lacomber	nobody	"This may be a duplication of https://code.djangoproject.com/ticket/23040 depending on whether its a bug or just that some of the comments in middleware/csrf.py are a bit unclear.

To re-produce this bug, make a PUT or DELETE request to an endpoint that you are using the csrf_exempt decorator (in my use-case its not from the browser but from a component using its own Basic Auth with Django) and you will get a 403.

This is due to code in the line 161 of the process_view function in middleware/csrf.py which checks if the cookie is missing and if so it rejects the request. The comments say that it is for POST
requests only, so I'm unsure whether the intention was for PUT and DELETE to fall under that category in which case I can add a patch to make the comments
explicitly mention PUT and DELETE. Otherwise I will add a patch so that PUT and DELETE are allowed through to the view which is only a few lines.

Can anyone clarify for me whether it is by intention that PUT and DELETE also fail here if they don't have a CSRF cookie set?

Thanks"	Bug	closed	CSRF	dev	Normal	invalid			Unreviewed	0	0	0	0	0	0