#14182: CsrfViewMiddleware makes modification of the upload handlers impossible
-------------------------------------------+--------------------------------
          Reporter:  dc                    |         Owner:  lukeplant
            Status:  assigned              |     Milestone:
         Component:  File uploads/storage  |       Version:  1.2
        Resolution:                        |      Keywords:  csrf upload_handlers
             Stage:  Unreviewed            |     Has_patch:  0
        Needs_docs:  0                     |   Needs_tests:  0
Needs_better_patch:  0                     |
-------------------------------------------+--------------------------------
Changes (by lukeplant):

  * owner:  nobody => lukeplant
  * needs_better_patch:  => 0
  * status:  new => assigned
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 Hmmm, tricky, I can't think of a nice way to get this to work
 automatically. If you use `csrf_exempt` can you work around this?
 Something like this:


 {{{
 #!python
 from django.http import HttpResponse
 from django.template import RequestContext, Template
 from django.views.decorators.csrf import csrf_exempt, csrf_protect  ## Added

 # UploadFileForm and DummyUploadHandler are not shown in this comment and
 # are assumed to be defined elsewhere in the same module.

 @csrf_exempt                         ## Added
 def upload_file(request):
     # csrf_exempt makes the middleware skip this view, so the handlers
     # can still be changed before the request body is parsed.
     request.upload_handlers.insert(0, DummyUploadHandler())
     return upload_file_real(request) ## Added

 @csrf_protect                        ## Added
 def upload_file_real(request):       ## Added
     # csrf_protect applies the CSRF check here, after the handlers are set.
     if request.method == 'POST':
         form = UploadFileForm(request.POST, request.FILES)
         if form.is_valid():
             template = Template('''
                 <!DOCTYPE html>
                 <title></title>
                 <h1>Done</h1>
             ''')
             context = RequestContext(request)
             return HttpResponse(template.render(context))
     else:
         form = UploadFileForm()

     template = Template('''
         <!DOCTYPE html>
         <title></title>
         <form action="." enctype="multipart/form-data" method="post">
             {% csrf_token %}
             {{ form }}
             <input type="submit">
         </form>
     ''')
     context = RequestContext(request, {'form': form})
     return HttpResponse(template.render(context))
 }}}

 Does that work? If it does, would you mind coming up with a patch for the
 documentation?

-- 
Ticket URL: <http://code.djangoproject.com/ticket/14182#comment:1>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
