id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31360	Is `request.csrf_processing_done` part of the public CSRF protection API?	Jaap Roes	nobody	"I've used a combination of `@csrf_exempt` and `@requires_csrf_token` to customize CSRF protection for a specific view in my project (as recommended in the docs: https://docs.djangoproject.com/en/3.0/ref/csrf/#scenarios).

By looking at the implementation of the `CsrfViewMiddleware` I noticed that `csrf_processing_done` is set to `True` on the `request` object when a requests is ""accepted"" (i.e. passes the `CSRF` tests).

I've used this implementation detail in my custom handling of a specif case of CSRF failure. When the result `getattr(request, 'csrf_processing_done', False)` is `False` I assume that the request has failed the CSRF test.

The Django docs do not mention this special `request` attribute, yet it's not prefixed with an underscore. So I'm unsure if I can rely on this attribute to be available after a Django upgrade.

Should I consider `csrf_processing_done` as an implementation detail that can change at any time? Or is it part of the public API that is it missing documentation?

If it's not part of the public API, is there some other way a view can be made to handle CSRF failure in a custom way?"	Cleanup/optimization	closed	CSRF	3.0	Normal	invalid			Unreviewed	0	0	0	0	0	0