Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#24389 closed Bug (fixed)

CSRF error page requires DjangoTemplates backend

Reported by: Tzu-ping Chung Owned by: Aymeric Augustin
Component: Template system Version: 1.8alpha1
Severity: Release blocker Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tzu-ping Chung)

When a CSRF error is raised in debug mode, the technical page require DjangoTemplates to be rendered. If you have your TEMPLATES setting configured without a DjangoTemplates entry, you will instead get an ImproperlyConfigured: No DjangoTemplates backend is configured. error. This can be resolved if you add a DjangoTemplates entry to the TEMPLATES setting, but since many error pages (500, 404, etc.) work without DjangoTemplates, this one probably should, too.

To reproduce:

  1. Create a new project.
  1. Change the TEMPLATES setting to not include a DjangoTemplates entry, e.g. 
TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.jinja2.Jinja2',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {
        },
    },
]
  1. Create a view, and send a POST request to it in the browser, without the CSRF token.

Change History (7)

comment:1 by Tzu-ping Chung, 10 years ago

Description: modified (diff)

comment:2 by Tzu-ping Chung, 10 years ago

I dug into this a bit, and the reason this is happening is that django.views.csrf.csrf_failure is hard-wired to use django.template.Template, while other error pages (in django.views.debug) use Engine(debug=True).from_string instead. Changing

t = Template(CSRF_FAILURE_TEMPLATE)

to

t = Engine().from_string(CSRF_FAILURE_TEMPLATE)

resolves the problem. Should this be configured with debug=True as in django.views.debug? Things seem to work both with and without that parameter.

comment:3 by Aymeric Augustin, 10 years ago

Owner: changed from nobody to Aymeric Augustin
Severity: NormalRelease blocker
Status: newassigned
Triage Stage: UnreviewedAccepted

Indeed, I forgot to render the CSRF failure view with a bare-bones Engines like I did for the debug views.

comment:4 by Aymeric Augustin <aymeric.augustin@…>, 10 years ago

Resolution: fixed
Status: assignedclosed

In 88a5f17d25a25dbd2ebcf905dcecc45ce78a1615:

Fixed #24389 -- Isolated the CSRF view from the TEMPLATES setting.

Thanks uranusjr for the report and analysis.

comment:5 by Aymeric Augustin <aymeric.augustin@…>, 10 years ago

In c564033408e02306ab7b98c81696faedd733156a:

[1.8.x] Fixed #24389 -- Isolated the CSRF view from the TEMPLATES setting.

Thanks uranusjr for the report and analysis.

Backport of 88a5f17 from master

comment:6 by Aymeric Augustin <aymeric.augustin@…>, 10 years ago

In 556a74879f5c2d382927b5b68451c76d344e29e4:

Fixed a few uses of Template that relied on a default engine.

Refs #24389.

comment:7 by Aymeric Augustin <aymeric.augustin@…>, 10 years ago

In 19c2fe04a83fb03408a239e6553ffcbefde60346:

[1.8.x] Fixed a few uses of Template that relied on a default engine.

Refs #24389.

Backport of 556a748 from master

Note: See TracTickets for help on using tickets.
Back to Top