On Sep 23, 10:56 am, oggie rob <[EMAIL PROTECTED]> wrote:
> I'm sorry, I used the wrong term here. I didn't mean that CSRF
> protection isn't worthwhile, just that going the route of an extended
> form might not be the best way to do it.
> As for suggestions, I'm not sure I have one exactly, but I'm thinking
> of perhaps overriding is_valid() and maybe using the RequestContext
> object.. not sure yet.

The problem is that any token, no matter where we generate it, isn't going to be submitted back with the POST request unless it's a field in the form that was submitted. So the only options I see are mangling the HTML to add these fields (CsrfMiddleware), or adding them to the form objects (SafeForm).

You received this message because you are subscribed to the Google Groups "Django developers" group.
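
An added sketch of the second option discussed in this message (the token carried as a field of the form object and checked in `is_valid()`); it is not code from the thread and not Django's SafeForm or CsrfMiddleware. `TokenForm`, `make_token`, the HMAC-of-session-id scheme and the sample session ids are assumptions made for illustration.

```python
import hashlib
import hmac
import html

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client


def make_token(session_id: str) -> str:
    """Derive the CSRF token from the session id with a keyed HMAC."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class TokenForm:
    """Hypothetical form base class that carries its own CSRF field."""

    csrf_field = "csrf_token"

    def __init__(self, session_id, data=None):
        self.session_id = session_id
        self.data = data  # None for an unbound (GET) form, dict for a POST
        self.errors = []

    def as_html(self) -> str:
        # The token travels as a hidden input, so the browser returns it in the POST body.
        token = html.escape(make_token(self.session_id), quote=True)
        return f'<input type="hidden" name="{self.csrf_field}" value="{token}">'

    def is_valid(self) -> bool:
        self.errors = []
        if self.data is None:
            self.errors.append("form is unbound")
            return False
        submitted = self.data.get(self.csrf_field, "")
        expected = make_token(self.session_id)
        # Constant-time comparison; a missing or foreign token fails the same way.
        if not hmac.compare_digest(submitted.encode(), expected.encode()):
            self.errors.append("CSRF token missing or incorrect")
            return False
        return True


def demo():
    victim, other = "session-A", "session-B"  # constructed session ids
    good = {"comment": "hi", "csrf_token": make_token(victim)}
    forged = {"comment": "hi"}  # cross-site POST: no token field
    replayed = {"comment": "hi", "csrf_token": make_token(other)}
    return [TokenForm(victim, d).is_valid() for d in (good, forged, replayed)]
```

Because the check lives in the form, a view that forgets to call `is_valid()` gets no protection, which is the trade-off against the middleware approach that rewrites every response.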