I have a function based view that should only respond to GET and HEAD 
requests so I used the @require_safe decorator.

from django.http import HttpResponse
from django.views.decorators.http import require_safe
@require_safe
def myview(request):
    # logic
    return HttpResponse("ok")

so the expected response from a POST request is a 405 Response Not Allowed.

Using Postman to send a POST to the corresponding url, I actually get 
Forbidden 403, CSRF Verification Failed since the default     
'django.middleware.csrf.CsrfViewMiddleware' is being used in 
MIDDLEWARE_CLASSES to protect all views. This must be happening because the 
CSRF middleware checks occur before view specific decorator function checks 
like @require_safe, @require_GET, etc.

Is this something to be bothered about? This is a request for advice and 
discussion rather than debugging a particular problem. I think I would 
prefer if there were a way for Django to check for view decorator 
compliance first because I think a 405 response is more descriptive and 
appropriate for the attempted action. 

However, if there were some middleware to check view decorators and that 
middleware class was ordered earlier than the CsrfViewMiddleware, caution 
would be needed - Django built-in view decorators 
<https://docs.djangoproject.com/en/dev/topics/http/decorators/> seem 
safe, but user defined view decorators may allow POSTs without checking the 
csrftoken. Thoughts?

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/3fd55d48-bced-429b-9748-c225250ef549%40googlegroups.com.

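The ordering the message describes, as an added example that is not part of the original post and not Django's own code: Django's CsrfViewMiddleware does its check in process_view(), which runs after every process_request() hook and just before the view callable, while @require_safe lives inside the view callable, so an unauthenticated POST gets the 403 before the decorator can produce a 405. The Request, Response, dispatch() and MethodCheckMiddleware names below are constructed to mirror that flow (MethodCheckMiddleware is the hypothetical "check decorators first" middleware the poster asks about, and the allowed_methods attribute it reads is an assumption of this model); nothing here imports Django.

```python
from functools import wraps

SAFE_METHODS = ("GET", "HEAD")


class Request:
    """Constructed stand-in for django.http.HttpRequest (only what the model needs)."""

    def __init__(self, method, csrf_token=None, cookie_token=None):
        self.method = method
        self.csrf_token = csrf_token      # value submitted with the form or header
        self.cookie_token = cookie_token  # value from the csrftoken cookie


class Response:
    def __init__(self, status, reason):
        self.status = status
        self.reason = reason


def require_http_methods(allowed):
    """Mirror of Django's decorator: the method check runs *inside* the view callable."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if request.method not in allowed:
                return Response(405, "Method Not Allowed")
            return view(request, *args, **kwargs)
        # Hypothetical attribute, read only by MethodCheckMiddleware below.
        wrapper.allowed_methods = tuple(allowed)
        return wrapper
    return decorator


require_safe = require_http_methods(SAFE_METHODS)


class CsrfViewMiddleware:
    """Simplified model of django.middleware.csrf.CsrfViewMiddleware.process_view."""

    def process_view(self, request, view):
        if request.method in SAFE_METHODS:
            return None  # safe methods are never CSRF-checked
        if getattr(view, "csrf_exempt", False):
            return None
        if request.csrf_token is not None and request.csrf_token == request.cookie_token:
            return None
        return Response(403, "CSRF verification failed")


class MethodCheckMiddleware:
    """Hypothetical middleware from the post: enforce the decorator's method list early."""

    def process_view(self, request, view):
        allowed = getattr(view, "allowed_methods", None)
        if allowed is not None and request.method not in allowed:
            return Response(405, "Method Not Allowed")
        return None


def dispatch(request, view, middleware):
    """Run each middleware's process_view in order, then the view, as Django does."""
    for mw in middleware:
        response = mw.process_view(request, view)
        if response is not None:
            return response
    return view(request)


@require_safe
def myview(request):
    return Response(200, "OK")


@require_http_methods(("GET", "POST"))
def form_view(request):
    return Response(200, "OK")


def status_default(method, view=myview, token=None):
    """Django's default: only CsrfViewMiddleware runs before the view."""
    request = Request(method, csrf_token=token, cookie_token=token)
    return dispatch(request, view, [CsrfViewMiddleware()]).status


def status_method_check_first(method, view=myview, token=None):
    """The ordering the poster would prefer: method check, then CSRF, then the view."""
    request = Request(method, csrf_token=token, cookie_token=token)
    return dispatch(request, view, [MethodCheckMiddleware(), CsrfViewMiddleware()]).status


if __name__ == "__main__":
    print("default   POST -> myview:", status_default("POST"))             # 403
    print("reordered POST -> myview:", status_method_check_first("POST"))  # 405
    print("reordered POST -> form_view, no token:",
          status_method_check_first("POST", form_view))                    # 403
    print("reordered POST -> form_view, with token:",
          status_method_check_first("POST", form_view, token="t0k3n"))     # 200
```

The last two calls are the point of the caveat in the message: even with the method check ordered first, the CSRF middleware still runs for every unsafe method that a view's decorator permits, so putting the method check earlier only changes which error a rejected POST sees, not whether a POST-accepting view is token-checked. A user-defined decorator that sets csrf_exempt on the view is the case that would skip that check, with or without the reordering.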