Opened 15 years ago
Closed 15 years ago
#13555 closed (wontfix)
Removing CSRF protection from subclassed django admin sites
Reported by: | Paul Haesler | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 1.2-beta |
Severity: | Keywords: | csrf | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
From Django 1.2, removing CSRF protection for a subclassed admin site is difficult and messy. (Some of my subclassed admin sites use no authentication and allow direct posting from external applications - CSRF protection is therefore inconvenient to say the least).
It would be nice if there was a clean simple way to completely turn CSRF off in sub-classed admin sites. E.g:
class MyAdminSite(AdminSite):
csrf_protection = False
Change History (2)
comment:1 by , 15 years ago
comment:2 by , 15 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Turning off CSRF protection in the admin should *not* be easy: it's a bad idea in 99% of the cases, and making bad things easy isn't a design goal.
Properly formatted eg: