On Sep 22, 10:21 pm, "Jacob Kaplan-Moss" <[EMAIL PROTECTED]> wrote:

> This makes me think -- is it possible that CSRF protection at the form
> level is too low? Perhaps it's something that needs to be happening
> at, say, the view level? Some sort of decorator, and/or a tag to spit
> out the CSRF token in the template...
Interesting thought. It feels like the form is the right place for this for a couple of reasons:

1. It involves adding an extra form field
2. When a CSRF check fails, it's polite to show a message. Form validation is a good place for this.

The downside of doing it at the form level is the need to have access to the request and (potentially) the response as well, for setting a cookie. Doing things at the view level (with a decorator) provides access to both request and response objects, but doesn't provide access to form fields or validation errors.

Maybe the answer is a combination of both - a form subclass and a decorator on the view? Will have to think about that.

Cheers,
Simon

You received this message because you are subscribed to the Google Groups "Django developers" group.
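The "combination of both" split Simon describes (a form that carries and validates the token, plus a view decorator that owns the request and response and therefore the cookie) can be sketched in plain Python. The code below is an added illustration written for this page; it is not code from the thread and not Django's CSRF implementation. To keep it runnable offline it assumes tiny `Request` and `Response` stand-ins, a cookie name `csrftoken`, a hidden field name `csrf_token_field`, and a `comment_view` example view; all of those names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed names for the example; not Django's.
COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrf_token_field"


@dataclass
class Request:
    """Minimal stand-in for a web request (constructed for this example)."""
    method: str
    POST: dict = field(default_factory=dict)
    COOKIES: dict = field(default_factory=dict)
    csrf_token: Optional[str] = None  # filled in by the view decorator


@dataclass
class Response:
    """Minimal stand-in for a web response (constructed for this example)."""
    body: str
    cookies: dict = field(default_factory=dict)


class CsrfForm:
    """Form-level half: renders the token as a hidden field and checks it
    during validation, so a failure surfaces as an ordinary form error."""

    def __init__(self, request: Request, data: Optional[dict] = None):
        self.request = request
        self.data = data or {}
        self.errors = {}

    def hidden_field(self) -> str:
        # The token the decorator put on the request is echoed into the form.
        return f'<input type="hidden" name="{FIELD_NAME}" value="{self.request.csrf_token}">'

    def is_valid(self) -> bool:
        submitted = self.data.get(FIELD_NAME, "")
        expected = self.request.csrf_token or ""
        # Constant-time comparison; an empty expected token always fails.
        if not expected or not hmac.compare_digest(submitted, expected):
            self.errors[FIELD_NAME] = "CSRF check failed: token missing or does not match."
        return not self.errors


def csrf_protect(view):
    """View-level half: sees both request and response, so it is the one
    place that can read the existing cookie and set a new one."""

    def wrapper(request: Request, *args, **kwargs) -> Response:
        token = request.COOKIES.get(COOKIE_NAME) or secrets.token_hex(16)
        request.csrf_token = token          # hand the token to the form
        response = view(request, *args, **kwargs)
        if request.COOKIES.get(COOKIE_NAME) != token:
            response.cookies[COOKIE_NAME] = token  # first visit: issue the cookie
        return response

    return wrapper


@csrf_protect
def comment_view(request: Request) -> Response:
    """Hypothetical view: GET renders the form, POST validates it."""
    form = CsrfForm(request, data=request.POST if request.method == "POST" else None)
    if request.method == "POST":
        if form.is_valid():
            return Response("saved")
        return Response("error: " + form.errors[FIELD_NAME])
    return Response("<form>" + form.hidden_field() + "</form>")


if __name__ == "__main__":
    # First visit: the decorator issues the cookie and the form embeds the token.
    first = comment_view(Request("GET"))
    token = first.cookies[COOKIE_NAME]
    print(first.body)
    # Legitimate submit: cookie and hidden field carry the same token.
    print(comment_view(Request("POST", POST={FIELD_NAME: token}, COOKIES={COOKIE_NAME: token})).body)
    # Cross-site submit: the browser sends the cookie but the forged form has no matching field.
    print(comment_view(Request("POST", POST={"comment": "x"}, COOKIES={COOKIE_NAME: token})).body)
```

The decorator never needs to know about form fields, and the form never touches the response; each half stays within the access it naturally has, which is the division of labour Simon's message proposes.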