Re: Proposal: django.forms.SafeForm - forms with built in CSRF protection

Mon, 22 Sep 2008 16:28:02 -0700 

On Sep 22, 9:41 pm, Brian Beck <[EMAIL PROTECTED]> wrote:
> - If there's some other way to spell form.protect(response).

Here's a crazy idea that might just work:

class AddArticleForm(forms.SafeForm):
    headline = forms.CharField()
    # ...

def add_article(request):
    form = AddArticleForm(request)
    if form.is_valid():
        # Process the data in form.cleaned_data
        return HttpResponseRedirect('/done/')
    return form.render('add_article.html', {
        'extra_context_args': 'Go here',
    })

We're doing a bunch of interesting things here. First, it's
AddArticleForm.__init__ itself that looks at request.method and
decides if it's going to bind to the data (if request.method ==
'POST') or simply create a new blank form. Second, we're using
form.render() instead of render_to_response. form.render is a thin
wrapper around render_to_response that does the following:

1. Adds 'form' to the context - a "form_var='article_form'" keyword
argument could be used to change this default behaviour
2. Uses a RequestContext (with the request that was passed to
AddArticleForm.__init__) - I can't think of any reason not to
3. Creates the HttpResponse using render_to_response
4. Sets a CSRF cookie on the response, if necessary

This solves all of our problems in one shot (the need to sometimes set
a cookie, having access to the request, etc), with the added bonus of
reducing the amount of view boilerplate needed to use a form to the
absolute minimum.

The significant downside is that having a render() method on a form
that performs the same function as render_to_response feels really,
really strange. It's convenient, but it just doesn't feel right and
I'm not sure I can justify it.

Interesting option though.

Cheers,

Simon


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to