On Wed, Sep 24, 2008 at 9:00 AM, Simon Willison <[EMAIL PROTECTED]> wrote:
>
> On Sep 24, 2:18 pm, zellyn <[EMAIL PROTECTED]> wrote:
>> Would it make sense to have the middleware/view decorator set a
>> property on the request, and pass the request to all forms, and have
>> *all* forms CSRF-protect themselves when the property is set? That
>> would make it easy to add protection to externally-developed apps.
>
> That's an interesting idea. I'm a bit cautious of requiring ALL forms
> to take a request object though - Django's current form library is
> decoupled from Django's request object, which is actually a really
> useful property. I've used a "form" class to import CSV data in to
> Django ORM models in the past for example, using the form logic to
> handle the necessary type conversions.
>
> Keeping django.forms decoupled from HttpRequest also ensures it can be
> used by other Python web frameworks that don't have the same request/
> response model.
>
> I'm fine with SafeForm depending on HttpRequest, but I'd rather not
> introduce that dependency to BaseForm and Form.

My first reaction is that inheritance is not appropriate for this.  I
would add something to a Form Meta nested class like 'safe_form =
False' with True becoming the default.  True being the default has
potential to break older apps, but a setting could change the default,
and security is probably important enough to add the small
inconvenience.  Forms would then need to be rendered with the hidden
__csfr_token input where the value is provided by middleware.  Then
you need some setting that says use a session or separate signed
cookie to verify the token from the form submit.  The default
behaviour could be to use session when available and fall back on
cookie otherwise (which can be overridden with a setting).

A form init could become something like MyForm(request.POST,
safe_token=csfr.get_token(request))

-Dave
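One way the mechanism sketched above could be wired up, as an added example that is not code from the thread or from Django itself: a middleware-side `get_token` that uses the session when one exists and falls back to a signed cookie, and a form-side check of the hidden token field. The `Request` class, `SECRET_KEY`, and the field and cookie names are assumed stand-ins.

```python
import hmac
import hashlib
import secrets

# Constructed placeholder; a real deployment uses the server's own secret key.
SECRET_KEY = b"assumed-server-secret"
TOKEN_FIELD = "__csrf_token"   # hidden input name in the rendered form
COOKIE_NAME = "__csrf"         # fallback signed cookie when no session exists


class Request:
    """Hypothetical stand-in for HttpRequest: session is a dict or None
    (no session backend), COOKIES is the inbound cookie dict, and
    set_cookies collects cookies the middleware must emit on the response."""
    def __init__(self, session=None, cookies=None):
        self.session = session
        self.COOKIES = dict(cookies or {})
        self.set_cookies = {}


def _sign(token: str) -> str:
    # token:HMAC so a tampered cookie cannot supply its own token
    mac = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}:{mac}"


def _unsign(value: str):
    """Return the token if the cookie's MAC is valid, else None."""
    token, _, mac = value.rpartition(":")
    if not token:
        return None
    expected = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    return token if hmac.compare_digest(mac, expected) else None


def get_token(request: Request) -> str:
    """Middleware side: prefer the session, otherwise a signed cookie."""
    if request.session is not None:
        return request.session.setdefault(TOKEN_FIELD, secrets.token_hex(16))
    token = _unsign(request.COOKIES.get(COOKIE_NAME, ""))
    if token is None:
        token = secrets.token_hex(16)
        request.set_cookies[COOKIE_NAME] = _sign(token)
    return token


def check_form(request: Request, post_data: dict) -> bool:
    """Form side: the hidden field must equal the token the request carries."""
    submitted = post_data.get(TOKEN_FIELD, "")
    return bool(submitted) and hmac.compare_digest(submitted, get_token(request))
```

A request whose cookie was tampered with simply gets a fresh token minted, so the submitted value can never match it.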
