#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: nobody
Status: new | Milestone:
Component: Uncategorized | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Changes (by Glenn):
* cc: [email protected] (added)
Comment:
I'm not a big fan of the acronym (it's rather overused and buzzwordy), but
it seems to apply strongly here: inserting the CSRF template tag manually
in every form seems like a massive violation of DRY. I can understand the
distaste towards postprocessing, but doing it manually like this seems
much worse. I'd need a much stronger argument to do it manually than the
unexplained recommendation in the documentation.
Does this work cleanly if both the csrf_token tag and
CsrfResponseMiddleware are in use? That's an important case, where the
user uses the middleware postprocessor, but imports apps that use explicit
tagging. Rendering the form field twice probably won't break anything,
but it'd be ugly.
I don't think the _make_token salt needs to be configurable; just use a
literal string to make the hash distinct from other uses of SECRET_KEY.
I'd suggest prefixing the string to the secret rather than appending it.
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:22>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
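The salted derivation Glenn describes, as an added example that is not part of this ticket, the attached patch or Django's own code: a hypothetical `make_token` that prefixes a literal label to `SECRET_KEY` before keying an HMAC, shown next to an unsalted derivation from the same secret, plus a constant-time check of a submitted token. The `SECRET_KEY` value, the label string and the session id are constructed for the example, and the choice of HMAC-SHA256 is mine rather than anything the patch specifies.

```python
import hashlib
import hmac

# Constructed stand-in for settings.SECRET_KEY (example value only).
SECRET_KEY = "constructed-secret-key-for-the-example"

# Literal, non-configurable salt. Its only job is to keep this hash
# distinct from every other derivation that reuses SECRET_KEY; the
# label text is a hypothetical choice for the example.
CSRF_SALT = "django.middleware.csrf.token"


def make_token(session_id, secret=SECRET_KEY, salt=CSRF_SALT):
    """Derive a CSRF token bound to a session id.

    The salt is prefixed to the secret before keying the HMAC, as the
    comment suggests, so a token derived elsewhere from the same
    SECRET_KEY with a different (or no) label never collides with it.
    """
    key = (salt + secret).encode()
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def make_other_token(session_id, secret=SECRET_KEY):
    """Some other use of SECRET_KEY with no salt, for comparison only."""
    return hmac.new(secret.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def check_token(submitted, session_id):
    """Constant-time comparison against the token expected for this session.

    A plain ``==`` would leak timing information about the expected
    value; compare_digest takes the same time regardless of where the
    first mismatching byte is.
    """
    expected = make_token(session_id)
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    sid = "constructed-session-id"
    print("csrf  :", make_token(sid))
    print("other :", make_other_token(sid))
    print("valid :", check_token(make_token(sid), sid))
```

Because the label is a fixed literal baked into the function, two sites that each derive a value from `SECRET_KEY` cannot accidentally produce the same digest for the same input, which is the whole point of the salt; making it a setting would only let a deployment remove that separation.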