Opened 8 years ago

Closed 8 years ago

#27763 closed Cleanup/optimization (needsinfo)

Docs: check invalid csrftoken on CSRF_FAILURE_VIEW

Reported by: Ramin Farajpour Cami
Owned by: nobody
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Hi,

settings.CSRF_FAILURE_VIEW always renders HTML, even when the client side sends a request with an invalid csrftoken of type: json.

from https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-CSRF_FAILURE_VIEW

def csrf_failure(request, reason=""):
    ...
    # render html page

While the request is type: json and the response is type: html, I think we should point out this scenario in the Django docs.

Example:

from django.http import HttpResponseForbidden
from django.shortcuts import render

def csrf_failure(request, reason=""):
    # AJAX clients get an empty JSON 403 instead of an HTML page
    if request.is_ajax():
        return HttpResponseForbidden('',
                                     content_type='application/json',
                                     charset="utf-8")
    # normal browser requests still get the HTML template
    return render(...)
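As an added example (not from the ticket and not Django's own code), this is the content-negotiating failure view the report asks for: JSON for API/AJAX clients, HTML for browsers, both with status 403. It assumes Django 2.2 or later for request.headers; request.is_ajax() used above was removed in Django 4.0, so the X-Requested-With check is done by hand.

```python
"""
Added example (not from the ticket or Django): a CSRF_FAILURE_VIEW that answers
JSON to API/AJAX clients and HTML to browsers, so a failed token check is never
an HTML page handed to fetch()/XHR code. Assumes Django 2.2+ (request.headers).
"""
import html
import json


def wants_json(headers):
    """Decide the error format from request headers (any mapping, any key case).

    True only when the client says so explicitly: the legacy X-Requested-With
    marker that is_ajax() used, or an Accept header naming JSON but not HTML.
    Browsers send Accept: text/html,...,*/* so they still get the HTML page.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    if norm.get("x-requested-with", "").lower() == "xmlhttprequest":
        return True
    accept = norm.get("accept", "").lower()
    return "application/json" in accept and "text/html" not in accept


def csrf_failure_body(reason, as_json):
    """Return (body, content_type) for a 403 CSRF rejection.

    `reason` is the short message Django passes (e.g. "CSRF token missing or
    incorrect."); it is escaped in HTML and carried verbatim in JSON so clients
    can tell a missing cookie from a stale token and retry correctly.
    """
    if as_json:
        payload = {"error": "csrf_failure", "detail": reason}
        return json.dumps(payload), "application/json"
    page = (
        "<!doctype html><title>403 Forbidden</title>"
        "<h1>Forbidden</h1><p>CSRF verification failed: %s</p>" % html.escape(reason)
    )
    return page, "text/html"


def csrf_failure(request, reason="", **kwargs):
    """Django view; set CSRF_FAILURE_VIEW to its dotted path (no parentheses)."""
    from django.http import HttpResponse  # local import keeps the helpers testable without Django

    body, content_type = csrf_failure_body(reason, wants_json(request.headers))
    return HttpResponse(body, status=403, content_type=content_type)
```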

Change History (6)

comment:1 by Tim Graham, 8 years ago

Every view might have special handling for AJAX requests. I'm not immediately convinced that documenting this possibility each time adds much value. For example, why not add a similar note to the error views?

comment:2 by Ramin Farajpour Cami, 8 years ago

"Every view might have special handling for AJAX requests." Yes, or like login_required: I know about it, by passing the request directly to @login_required def anything(): and request.user.is_authenticated() for AJAX,

but CSRF_FAILURE_VIEW is custom security error handling; maybe an AJAX request is passed on for many actions like def requests(req): etc.
If the csrftoken is invalid, with these docs the user defines a template for the error view of a missing csrftoken for AJAX or form requests. It is difficult for beginner users to understand how to handle a missing csrftoken for AJAX!

"I'm not immediately convinced that documenting this possibility each time adds much value." Again, you are right, but I've mentioned it above.

comment:3 by Tim Graham, 8 years ago

Maybe you didn't find the docs on how to use CSRF and AJAX?

comment:4 by Ramin Farajpour Cami, 8 years ago

Yes, I know.

We have 2 ways to get the csrftoken value:

1- use the variable {{ csrf_token }} in a script tag
2- use the AJAX docs to get the csrftoken from the cookie.
Users add settings.CSRF_FAILURE_VIEW="django.views.csrf.csrf_failure()" to settings for their missing csrftoken message (status=403) in Django;
if the csrftoken is invalid he/she will see the template view rendered as in the current docs, but for a normal request.
Django needs a few points in the docs on how to handle AJAX. Why?
Because:
https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L15
CSRF_FAILURE_TEMPLATE is not, for example, CSRF_FAILURE_AJAX; a failed AJAX request always renders the template.

https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L146

The csrf.py message is a security error; maybe a person sets a message for different requests, for example (normal request, and AJAX requests). Here there is a normal request csrf_failure; for an AJAX request there is nothing, for example CSRF_FAILURE_AJAX, or a point in the docs to check request.is_ajax().

Example:

from django.views.decorators.csrf import csrf_exempt, csrf_protect

@csrf_protect
def my_view(request):

    # call an AJAX request to this with an invalid csrftoken sent
    @csrf_protect  # checks the invalid csrftoken and calls settings.CSRF_FAILURE_VIEW, which renders Django's default template, etc.
    def protected_path(request):
        return do_something()

    if some_condition():
        return protected_path(request)
    else:
        return do_something_else()

settings.py

# settings.py: a dotted path to the view function, not a call
CSRF_FAILURE_VIEW = "django.views.csrf.csrf_failure"

django.views.csrf.csrf_failure() always renders HTML without any check for an AJAX request.

comment:5 by Tim Graham, 8 years ago

I'm trying to follow you, but I'm afraid I'm not succeeding because of a language barrier. Do you have a colleague who you could communicate to in your native language who might be able to better communicate in English?

comment:6 by Tim Graham, 8 years ago

Resolution: → needsinfo
Status: new → closed