#31360: Is `request.csrf_processing_done` part of the public CSRF protection
API?
-------------------------------------+-------------------------------------
Reporter: Jaap Roes | Owner: nobody
Type: | Status: closed
Cleanup/optimization |
Component: CSRF | Version: 3.0
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jaap Roes):
Hi Carlton,
As I was typing that last sentence I considered just posting it on Stack
Overflow instead. But the fist bit seemed appropriate as a Django ticket,
sorry for the noise.
As a note; the `requires_csrf_token` decorator only overrides `_reject` so
the entire CSRF machinery is kept intact. The only difference is that
`_reject` doesn't result in a 400 response. This makes it "safe" for me to
make the assumption about `csrf_processing_done`.
The issue now being that this relies on the implementation
`requires_csrf_token` and `CsrfViewMiddleware` not changing too much
between Django releases. Let's see what SO can come up with as a "safer"
alternative ;)
--
Ticket URL: <https://code.djangoproject.com/ticket/31360#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/063.1dee691072d07c44efdf4c9e799cc1d9%40djangoproject.com.
