id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32843	Some CSRF tests leave request.method set to None	Chris Jerdonek	Chris Jerdonek	"I noticed that for some CSRF tests, `request.method` is `None` when the test thinks it should be `GET`. This causes `CsrfViewMiddleware.process_view()` to take a different code path and treat the request as unsafe because the method isn't in its allowed list:
https://github.com/django/django/blob/316cc34d046ad86e100227772294f906fae1c2e5/django/middleware/csrf.py#L338-L339

The cause for this is that neither implementation of `_get_GET_csrf_cookie_request()` sets `req.method`. See [https://github.com/django/django/blob/316cc34d046ad86e100227772294f906fae1c2e5/tests/csrf_tests/tests.py#L773-L779 here] and [https://github.com/django/django/blob/316cc34d046ad86e100227772294f906fae1c2e5/tests/csrf_tests/tests.py#L971-L977 here].

The tests affected are:

* `csrf_tests.tests.CsrfViewMiddlewareTests.test_get_token_for_requires_csrf_token_view`
* `csrf_tests.tests.CsrfViewMiddlewareTests.test_token_node_with_csrf_cookie`
* `csrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_get_token_for_requires_csrf_token_view`
* `csrf_tests.tests.CsrfViewMiddlewareUseSessionsTests.test_token_node_with_csrf_cookie`

Fortunately, the tests still pass when `request.method` is set to `GET`."	Cleanup/optimization	closed	CSRF	dev	Normal	fixed			Accepted	1	0	0	0	0	0