Opened 12 months ago

Closed 12 months ago

Last modified 12 months ago

#35062 closed Bug (invalid)

Update csrf.py to check request.POST if request.method is not GET

Reported by: Peter Jones Owned by: nobody
Component: CSRF Version: 4.2
Severity: Normal Keywords:
Cc: Mirza Baig Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

When trying to determine request_csrf_token within csrf.py, request.method == "POST" fails (CSRF token missing) if you use custom middleware that handles a form field _method to convert request.method to PUT/DELETE... etc. I use this middleware since HTML forms can only use GET and POST, and I want my page to work even when JavaScript is disabled.

Change django/middleware/csrf.py (line 365)

if request.method == "POST":

To

if request.method != "GET":

Change History (4)

comment:1 by Mariusz Felisiak, 12 months ago

Resolution: invalid
Status: new → closed

Thanks for this report, however if you're using a custom middleware to convert POST to PUT/PATCH/DELETE then you can also use your own CsrfViewMiddleware subclass to handle them. It doesn't need to be handled by Django itself. We don't usually include workarounds for niche edge cases.
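
To make the interaction described in this ticket concrete without a Django install, the following is an added, stand-alone Python sketch (not code from the ticket, the reporter, or Django itself). It models the token lookup rule the ticket quotes from csrf.py beside the override-aware lookup a CsrfViewMiddleware subclass could implement; `Request`, `override_method`, the `ORIGINAL_METHOD` key and the sample requests are constructed stand-ins, not Django APIs.

```python
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # CSRF check is skipped for these


@dataclass
class Request:
    """Constructed stand-in for a Django HttpRequest (not Django's class)."""
    method: str
    POST: dict = field(default_factory=dict)   # parsed form body
    META: dict = field(default_factory=dict)   # headers, Django-style META keys


def override_method(request):
    """Models the reporter's middleware: HTML forms can only send GET/POST, so a
    hidden `_method` field promotes a POST to PUT/PATCH/DELETE. This version also
    records that the body really arrived as a POST (constructed META key)."""
    override = request.POST.get("_method", "").upper()
    if request.method == "POST" and override in ("PUT", "PATCH", "DELETE"):
        request.META["ORIGINAL_METHOD"] = "POST"
        request.method = override
    return request


def stock_lookup(request):
    """Mirrors the rule quoted in the ticket: the csrfmiddlewaretoken form field is
    consulted only when request.method == "POST"; every other method is header-only."""
    if request.method == "POST":
        token = request.POST.get("csrfmiddlewaretoken")
        if token:
            return token
    return request.META.get("HTTP_X_CSRFTOKEN")


def override_aware_lookup(request):
    """What a CsrfViewMiddleware subclass could do instead: a request whose body was
    really sent as a POST is still allowed to carry its token in the form field.
    The token is still required; only where it is looked for changes."""
    sent_as_post = request.method == "POST" or request.META.get("ORIGINAL_METHOD") == "POST"
    if sent_as_post:
        token = request.POST.get("csrfmiddlewaretoken")
        if token:
            return token
    return request.META.get("HTTP_X_CSRFTOKEN")


def token_found(lookup, request):
    """Return (needs_check, token): safe methods are never checked, like Django does."""
    if request.method in SAFE_METHODS:
        return False, None
    return True, lookup(request)


# Constructed sample requests: a plain form POST, an overridden form DELETE, an AJAX PUT
FORM_POST = Request("POST", POST={"csrfmiddlewaretoken": "tok-1"})
FORM_DELETE = override_method(Request("POST", POST={"_method": "DELETE", "csrfmiddlewaretoken": "tok-2"}))
AJAX_PUT = Request("PUT", META={"HTTP_X_CSRFTOKEN": "tok-3"})
```

With the stock rule the overridden DELETE reaches the check with no token (the failure the ticket reports); the override-aware lookup finds it in the form body while still requiring a token for every unsafe method.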

comment:2 by Mirza Baig, 12 months ago

Cc: Mirza Baig added

Has it been solved?

comment:3 by Peter Jones, 12 months ago

I've enhanced my middleware to address both the Request method limitation and the CSRF header issue for HTML forms. Despite these improvements, I believe Django, as 'the web framework for perfectionists,' should inherently offer better support for scenarios where JavaScript is disabled in the browser. Prioritizing accessibility and functionality in a no-JavaScript environment aligns with the high standards Django sets for web development.

https://www.reddit.com/r/webdev/comments/mfnxnj/why_your_website_should_work_without_javascript/

comment:4 by Natalia Bidart, 12 months ago

Hello Peter!

On one hand, if you disagree with the resolution, you can alternatively propose and discuss the idea/request with the community and gain consensus. To do that, you could start a new conversation on the Django Forum, where you'll reach a wider audience and potentially get extra feedback.

On the other hand, it would be important to explain in detail how the change you suggest affects working with/without JavaScript enabled. I have multiple sites where JavaScript is not required at all and they do not need this change.
