mirror of https://github.com/django/django.git, synced 2025-10-24 22:26:08 +00:00
Fixed #15518 - documented requires_csrf_token

Thanks to vzima for a report that raised the issue.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16187 bcc190cf-cafb-0310-a4f2-bffc1f526a37
		| @@ -284,6 +284,60 @@ to set cookies).  Note that even without CSRF, there are other vulnerabilities, | ||||
| such as session fixation, that make giving subdomains to untrusted parties a bad | ||||
| idea, and these vulnerabilities cannot easily be fixed with current browsers. | ||||
|  | ||||
| Edge cases | ||||
| ========== | ||||
|  | ||||
| Certain views can have unusual requirements that mean they don't fit the normal | ||||
| pattern envisaged here. A number of utilities can be useful in these | ||||
| situations. The scenarios they might be needed in are described in the following | ||||
| section. | ||||
|  | ||||
| Utilities | ||||
| --------- | ||||
|  | ||||
| .. module:: django.views.decorators.csrf | ||||
|  | ||||
| .. function:: requires_csrf_token(view) | ||||
|  | ||||
|     Normally the :ttag:`csrf_token` template tag will not work if | ||||
|     ``CsrfViewMiddleware.process_view`` or an equivalent like ``csrf_protect`` | ||||
|     has not run. The view decorator ``requires_csrf_token`` can be used to | ||||
|     ensure the template tag does work. This decorator works similarly to | ||||
|     ``csrf_protect``, but never rejects an incoming request. | ||||
|  | ||||
|     Example:: | ||||
|  | ||||
|         from django.views.decorators.csrf import requires_csrf_token | ||||
|         from django.shortcuts import render | ||||
|  | ||||
|         @requires_csrf_token | ||||
|         def my_view(request): | ||||
|             c = {} | ||||
|             # ... | ||||
|             return render(request, "a_template.html", c) | ||||
|  | ||||
| Scenarios | ||||
| --------- | ||||
|  | ||||
| CsrfViewMiddleware.process_view not used | ||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||
|  | ||||
| There are cases when may not have run before your view is run - 404 and 500 | ||||
| handlers, for example - but you still need the CSRF token in a form. | ||||
|  | ||||
| Solution: use ``requires_csrf_token`` | ||||
|  | ||||
|  | ||||
| Unprotected view needs the CSRF token | ||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||
|  | ||||
| There may be some views that are unprotected and have been exempted by | ||||
| ``csrf_exempt``, but still need to include the CSRF token. | ||||
|  | ||||
| Solution: use ``csrf_exempt`` followed by ``requires_csrf_token``. | ||||
|  | ||||
|  | ||||
|  | ||||
| Contrib and reusable apps | ||||
| ========================= | ||||
|  | ||||
|   | ||||
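Review bot: the first sentence under "CsrfViewMiddleware.process_view not used" is missing its subject: "There are cases when may not have run before your view is run" should name what may not have run, e.g. "There are cases when ``CsrfViewMiddleware.process_view`` may not have run before your view is run - 404 and 500 handlers, for example - but you still need the CSRF token in a form." Two smaller points in the same hunk: the ``requires_csrf_token`` entry says the decorator "never rejects an incoming request", and that is the natural place to state plainly that a view decorated only with it is therefore not CSRF-protected (``csrf_protect`` remains the decorator that enforces the check), so nobody reads "requires" as "protects"; and the second scenario's "use ``csrf_exempt`` followed by ``requires_csrf_token``" would be unambiguous with a two-line decorator example showing which one goes on the outside, as the "Example::" block does for the single-decorator case. Style nit: the three blank lines before "Contrib and reusable apps" can be reduced to the one or two used between the other sections.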