#16384: Documentation should warn against accessing request.POST in middleware
-------------------------+-------------------------------
 Reporter:  tomchristie  |          Owner:  tomchristie
     Type:  Bug          |         Status:  new
Milestone:               |      Component:  Documentation
  Version:  1.3          |       Severity:  Normal
 Keywords:               |   Triage Stage:  Unreviewed
Has patch:  0            |  Easy pickings:  1
    UI/UX:  0            |
-------------------------+-------------------------------
 This page https://docs.djangoproject.com/en/dev/topics/http/middleware/
 ought to include a note warning against accessing request.POST in
 middleware.

 As per Jacob's comment in #613, middleware that hits `request.POST` should
 (usually) be considered a bug.  It means that the view will be unable to
 set any custom upload handlers, perform custom parsing of the request
 body, or enforce permission checks prior to file uploads being accepted.

 I'll provide a patch for this when I get a moment.  I'd expect the text to
 be something like:

 "Accessing `request.POST` or `request.REQUEST` inside middleware from
 `process_request` or `process_view` is bad practice, and should be
 avoided. (*)
 Doing so will prevent any view running after the middleware from being
 able to modify the upload handlers for the request (link), or being able
 to access the request content using `request.read()` or
 `request.raw_post_data`.

 (*) The `CSRFMiddleware` can be considered an exception, as it can be
 disabled by using the `@csrf_exempt` decorator."

 Any suggestions for tweaks to the text or opinions on if/where this should
 be added on the page?...

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16384>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
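
The failure mode described in the ticket, as an added example that is not part of the original message and is not Django code: a simplified pure-Python model of a request whose body is parsed lazily on first access to POST. ModelRequest, the middleware and view functions, and the handler names are hypothetical stand-ins.

```python
import io
class ModelRequest:
    """Simplified stand-in for a lazily parsed request (model, not Django code)."""
    def __init__(self, body):
        self._stream = io.BytesIO(body)
        self._handlers = ["default_handler"]

    @property
    def upload_handlers(self):
        return self._handlers

    @upload_handlers.setter
    def upload_handlers(self, handlers):
        # Once the body has been parsed, the handlers can no longer be swapped.
        if hasattr(self, "_post"):
            raise AttributeError("upload already processed")
        self._handlers = handlers

    def read(self):
        return self._stream.read()

    @property
    def POST(self):
        # First access consumes the stream using whatever handlers are set now.
        if not hasattr(self, "_post"):
            self._post = {"parsed_by": list(self._handlers), "raw": self._stream.read()}
        return self._post

def eager_middleware(request):
    request.POST.get("token")  # the pattern the ticket warns against
def deferring_middleware(request):
    pass  # leaves the body untouched for the view

def upload_view(request):
    # The view wants its own handler in place before any upload is accepted.
    request.upload_handlers = ["quota_enforcing_handler"]
    return request.POST["parsed_by"]

def dispatch(middleware, body):
    request = ModelRequest(body)
    middleware(request)
    try:
        return upload_view(request)
    except AttributeError as exc:
        return "view failed: %s" % exc

def raw_body_seen_by_view(middleware, body):
    request = ModelRequest(body)
    middleware(request)
    return request.read()
```

With the eager middleware the body has already been parsed by the default handler before the view runs, so the view can neither install its own handler nor read the raw content.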
