#20908: csrf_exempt does not work with `__call__`
------------------------------+--------------------
Reporter: akshar | Owner: nobody
Type: Bug | Status: new
Component: contrib.csrf | Version: 1.5
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------
Suppose my view is like:
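
    # views.py
    from django.http import HttpResponse
    from django.views.decorators.csrf import csrf_exempt

    class Resource(object):
        @csrf_exempt
        def __call__(self, request, *args, **kwargs):
            # dispatch to any other method and get response
            # return response
            return HttpResponse()  # placeholder so the snippet is valid Python

    # urls.py
    resource = Resource()
    url(r'resource/$', resource, name='resource')
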
Now if I try to make a POST request to this url, it gives '403 Forbidden'.
Same issue on SO can be found at
http://stackoverflow.com/questions/10252238/csrf-exempt-stopped-working-in-django-1-4
What I guess is happening:
On line
https://github.com/django/django/blob/1.5/django/core/handlers/base.py#L104
If it were a function based view, `callback` would have been a csrf_exempt
decorated function and CsrfViewMiddleware processing would have left it to
pass without raising a 403, because this decorated function would have had
an attribute `csrf_exempt`.
But since it is not a FBV, `callback` says it is still an object,
something like <app.views.Resource object at 0xb5f8352c>. So, function
decoration of __call__ has not taken place till this point and so the
CsrfViewMiddleware returns a 403.
--
Ticket URL: <https://code.djangoproject.com/ticket/20908>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
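
Added example (not part of the ticket and not Django's own code): a framework-free model of the check the reporter describes. `csrf_exempt` and `process_view` here are simplified stand-ins for Django's decorator and for the CsrfViewMiddleware decision, and `ExemptResource` is a hypothetical name; the example goes beyond the ticket by showing two ways to put the marker on the object the middleware actually inspects.

```python
import functools

def csrf_exempt(view_func):
    """Stand-in for Django's decorator: it marks the wrapper it returns."""
    @functools.wraps(view_func)
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wrapped_view

def process_view(callback, method="POST", has_valid_token=False):
    """Stand-in for the middleware decision; returns an HTTP status code."""
    if getattr(callback, "csrf_exempt", False):   # looked up on the callback itself
        return 200
    if method in ("GET", "HEAD", "OPTIONS", "TRACE") or has_valid_token:
        return 200
    return 403

@csrf_exempt
def function_view(request):
    return "ok"

class Resource(object):
    @csrf_exempt                       # marks the function stored on the class...
    def __call__(self, request, *args, **kwargs):
        return "ok"

class ExemptResource(object):
    csrf_exempt = True                 # ...while this is visible on the instance
    def __call__(self, request, *args, **kwargs):
        return "ok"

def demo():
    resource = Resource()              # the instance is what the URLconf hands over
    return {
        "function view": process_view(function_view),
        "decorated __call__": process_view(resource),
        "marker on Resource.__call__": getattr(Resource.__call__, "csrf_exempt", False),
        "marker on instance": getattr(resource, "csrf_exempt", False),
        "class attribute": process_view(ExemptResource()),
        "wrapped instance": process_view(csrf_exempt(resource)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Either workaround disables the CSRF check for every request routed through `__call__`, so it belongs only on endpoints that do not rely on cookie-based session authentication.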