#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW
-------------------------------------+-------------------------------------
     Reporter: Ramin Farajpour Cami  | Owner: nobody
         Type: Cleanup/optimization  | Status: new
    Component: Documentation         | Version: master
     Severity: Normal                | Resolution:
     Keywords:                       | Triage Stage: Unreviewed
    Has patch: 0                     | Needs documentation: 0
  Needs tests: 0                     | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Ramin Farajpour Cami):
Yes, I know.
We have two ways to get the csrftoken value:
1. use the variable `{{ csrf_token }}` in a script tag
2. use the [https://docs.djangoproject.com/en/1.10/ref/csrf/#ajax AJAX docs]
to get the csrftoken from the cookie.
Users add
`settings.CSRF_FAILURE_VIEW="django.views.csrf.csrf_failure()"` to
settings for their Django csrftoken-missing message (status=403).
If the `csrftoken` is invalid, he/she will see, with the current docs, the
rendered template view, but that is for a normal request.
Why does Django need to document a few points about handling AJAX?
Because:
https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L15
there is a `CSRF_FAILURE_TEMPLATE` but no, for example, `CSRF_FAILURE_AJAX`,
so a failed AJAX request always renders the template,
https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L146
the message in csrf.py is a security error, and maybe a person wants to set
the message differently for different request types (for example, normal
requests and AJAX requests). Here is the normal request:
[https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L103
csrf_failure]; for AJAX requests there is nothing, for example a
`CSRF_FAILURE_AJAX`, or a pointer in the docs to check `request.is_ajax()`.
Example:
{{{
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt, csrf_protect


# Placeholders, as in the csrf_protect example in the Django docs.
def do_something():
    pass


def do_something_else():
    pass


def some_condition():
    return True


@csrf_exempt
def my_view(request):
    # An AJAX request sent here with an invalid csrftoken is rejected inside
    # protected_path: @csrf_protect calls settings.CSRF_FAILURE_VIEW, and the
    # default django.views.csrf.csrf_failure renders the HTML template.
    @csrf_protect
    def protected_path(request):
        do_something()
        return HttpResponse("ok")

    if some_condition():
        return protected_path(request)
    else:
        do_something_else()
        return HttpResponse("ok")
}}}
settings.py
{{{
# Dotted path to the view, without parentheses; this is the default value.
CSRF_FAILURE_VIEW = "django.views.csrf.csrf_failure"
}}}
django.views.csrf.csrf_failure() always renders HTML, without any check for
AJAX requests.
--
Ticket URL: <https://code.djangoproject.com/ticket/27763#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
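As an added example, not code from the ticket, the reporter, or Django itself: a custom CSRF failure view that answers AJAX requests with a JSON 403 and otherwise defers to Django's stock `django.views.csrf.csrf_failure`. The settings path `myapp.views.csrf_failure` is assumed. The header check mirrors what `request.is_ajax()` inspects (`X-Requested-With: XMLHttpRequest`) and adds an `Accept` check for clients that only ask for JSON. The decision logic lives in plain functions so it can be exercised without Django; the Django imports happen only inside the view.

```python
import json

# Header values that indicate the failing request came from AJAX rather than
# from a browser form submission. X-Requested-With is what Django's
# request.is_ajax() inspects; jQuery sets it automatically, fetch() does not,
# so an Accept check covers clients that only ask for JSON.
AJAX_HEADER = "xmlhttprequest"
JSON_TYPE = "application/json"


def wants_json(meta):
    """Decide from a WSGI-style META mapping whether to answer with JSON."""
    requested_with = meta.get("HTTP_X_REQUESTED_WITH", "").lower()
    accept = meta.get("HTTP_ACCEPT", "").lower()
    return requested_with == AJAX_HEADER or JSON_TYPE in accept


def build_json_failure(meta, reason):
    """Return (status, content_type, body) for an AJAX CSRF failure, or None
    when the request should fall through to the default HTML failure page."""
    if not wants_json(meta):
        return None
    body = json.dumps({"error": "csrf_failure", "detail": reason})
    return 403, JSON_TYPE, body


def csrf_failure(request, reason=""):
    """Hypothetical view for CSRF_FAILURE_VIEW = "myapp.views.csrf_failure".

    CsrfViewMiddleware calls it as csrf_failure(request, reason=reason).
    Imports are kept inside the function so the decision logic above runs
    without Django installed.
    """
    from django.http import HttpResponse
    from django.views.csrf import csrf_failure as default_csrf_failure

    result = build_json_failure(request.META, reason)
    if result is None:
        # Normal (non-AJAX) request: keep the stock 403 HTML page.
        return default_csrf_failure(request, reason=reason)
    status, content_type, body = result
    return HttpResponse(body, status=status, content_type=content_type)
```

Callers using jQuery get the JSON branch automatically because jQuery sends `X-Requested-With`; callers using `fetch()` should send `Accept: application/json` to be routed the same way. The `reason` string is the same text Django puts on the HTML page, so no additional detail about the failure is exposed to the client.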