Hi Dalton,

> Is this something to be bothered about? This is a request for advice and 
> discussion rather than debugging a particular problem. I think I would 
> prefer if there were a way for Django to check for view decorator 
> compliance first because I think a 405 response is more descriptive and 
> appropriate for the attempted action. 

IMO the whole require_http_methods family should be fixed to work with the 
CSRF machinery or at least it should be documented that when using those 
decorators and allowing *non-safe* methods you must exempt the decorated 
views from CSRF checks (@csrf_exempt).

Could you file a ticket <https://docs.djangoproject.com/en/dev/internals/contributing/> 
to report this incompatibility?

Simon

On Sunday, 15 December 2013 11:38:10 UTC-5, Dalton Hubble wrote:
>
> I have a function based view that should only respond to GET and HEAD 
> requests so I used the @require_safe decorator.
>
> from django.http import HttpResponse
> from django.views.decorators.http import require_safe
>
> @require_safe
> def myview(request):
>     return HttpResponse("...")  # GET/HEAD-only view logic
>
> so the expected response from a POST request is a 405 Response Not Allowed.
>
> Using Postman to send a POST to the corresponding URL, I actually get 
> Forbidden 403, CSRF Verification Failed since the default 
> 'django.middleware.csrf.CsrfViewMiddleware' is being used in 
> MIDDLEWARE_CLASSES to protect all views. This must be happening because the 
> CSRF middleware checks occur before view specific decorator function checks 
> like @require_safe, @require_GET, etc.
>
> Is this something to be bothered about? This is a request for advice and 
> discussion rather than debugging a particular problem. I think I would 
> prefer if there were a way for Django to check for view decorator 
> compliance first because I think a 405 response is more descriptive and 
> appropriate for the attempted action. 
>
> However, if there were some middleware to check view decorators and that 
> middleware class was ordered earlier than the CsrfViewMiddleware, caution 
> would be needed - Django builtin view decorators 
> <https://docs.djangoproject.com/en/dev/topics/http/decorators/> seem 
> safe, but user defined view decorators may allow POSTs without checking the 
> csrftoken. Thoughts?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/f62c1cb1-4bc8-45f6-b83f-45d7fb4e9965%40googlegroups.com.