#34830: csrf_failure view missing context processors
-----------------------------+------------------------------------
     Reporter:  Alex Henman  |                    Owner:  nobody
         Type:  Bug          |                   Status:  new
    Component:  CSRF         |                  Version:  dev
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  0            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+------------------------------------

Comment (by Alex Henman):

 Replying to [comment:1 Natalia Bidart]:
 > Accepting since it's easily reproducible and the proposed fix makes
 > sense. As far as I see, the change should not be backwards compatible.
 >
 > Do note that the request should be passed in the context and not as an
 > extra param:
 >
 > {{{#!diff
 > --- a/django/views/csrf.py
 > +++ b/django/views/csrf.py
 > @@ -64,6 +64,7 @@ def csrf_failure(request, reason="",
 template_name=CSRF_FAILURE_TEMPLATE_NAME):
 >          "DEBUG": settings.DEBUG,
 >          "docs_version": get_docs_version(),
 >          "more": _("More information is available with DEBUG=True."),
 > +        "request": request,
 >      }
 >      try:
 >          t = loader.get_template(template_name)
 > }}}
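
 Review bot: the added `"request": request` entry at the end of the context dict only exposes the request as a template variable; per the `make_context` code quoted later in this thread, context processors run only when a `RequestContext` is built, which requires `request` to reach `render()` as its own argument. The render call is outside this hunk, so check that it receives the request there, and add a regression test that renders a custom `template_name` relying on a context-processor variable.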

 Sorry I had a slightly different understanding of the issue here but I'm
 not super familiar with the internals of Django's template rendering so
 tell me if I'm wrong.

 The render method takes an extra request argument as well as the context:

 {{{#!python
     def render(self, context=None, request=None):
         context = make_context(
             context, request, autoescape=self.backend.engine.autoescape
         )
         try:
             return self.template.render(context)
         except TemplateDoesNotExist as exc:
             reraise(exc, self.backend)
 }}}

 And that `make_context` does:

 {{{#!python
 def make_context(context, request=None, **kwargs):
     """
     Create a suitable Context from a plain dict and optionally an HttpRequest.
     """
     if context is not None and not isinstance(context, dict):
         raise TypeError(
             "context must be a dict rather than %s." % context.__class__.__name__
         )
     if request is None:
         context = Context(context, **kwargs)
     else:
         # The following pattern is required to ensure values from
         # context override those from template context processors.
         original_context = context
         context = RequestContext(request, **kwargs)
         if original_context:
             context.push(original_context)
     return context
 }}}

 And it is inside `RequestContext` rather than `Context` that the context
 processor magic happens:

 {{{#!python
     def bind_template(self, template):
         if self.template is not None:
             raise RuntimeError("Context is already bound to a template")

         self.template = template
         # Set context processors according to the template engine's settings.
         processors = template.engine.template_context_processors + self._processors
         updates = {}
         for processor in processors:
             context = processor(self.request)
 }}}

 So I thought the fix was to explicitly pass the `request` rather than add
 it to the context dict.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34830#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
