Opened 15 years ago

Closed 15 years ago

Last modified 13 years ago

#12933 closed (fixed)

self.admin_site.admin_view() disables @csrf_view_exempt, should have csrf_protected=True arg

Reported by: philomat Owned by: nobody
Component: contrib.admin Version: 1.2-beta
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If a use the csrf_view_exempt decorator on an admin view and expose that view in the get_urls() method using the admin_view decorator, the view will always be decorated with csrf_protect – making the exempt useless.

I think admin_view should either check whether the view is alreay exempted, or have a csrf_protected=True arg similar to the cacheable arg.

Attachments (1)

fix_admin_view_csrf_exempt.diff (557 bytes ) - added by philomat 15 years ago.
This patch should fix the problem.

Download all attachments as: .zip

Change History (6)

comment:1 by Russell Keith-Magee, 15 years ago

milestone: 1.2
Triage Stage: UnreviewedAccepted

by philomat, 15 years ago

This patch should fix the problem.

comment:2 by philomat, 15 years ago

Has patch: set

comment:3 by Russell Keith-Magee, 15 years ago

Component: Uncategorizeddjango.contrib.admin

comment:4 by Luke Plant, 15 years ago

Resolution: fixed
Status: newclosed

(In [12619]) Fixed #12933 - AdminSite.admin_view disables @csrf_view_exempt

Thanks to philomat for report and patch.

comment:5 by Jacob, 13 years ago

milestone: 1.2

Milestone 1.2 deleted

Note: See TracTickets for help on using tickets.
Back to Top