#16384: Documentation should warn against accessing request.POST in middleware
---------------------------------------+-------------------------------
               Reporter:  tomchristie  |          Owner:  tomchristie
                   Type:  Bug          |         Status:  new
              Milestone:               |      Component:  Documentation
                Version:  1.3          |       Severity:  Normal
             Resolution:               |       Keywords:
           Triage Stage:  Accepted     |      Has patch:  0
    Needs documentation:  0            |    Needs tests:  0
Patch needs improvement:  0            |  Easy pickings:  0
                  UI/UX:  0            |
---------------------------------------+-------------------------------
Changes (by aaugustin):

 * needs_docs:  => 0
 * needs_better_patch:  => 0
 * needs_tests:  => 0
 * easy:  1 => 0
 * stage:  Unreviewed => Accepted

Comment:

 Django encourages using `CsrfViewMiddleware`, which does load
 `request.POST`, making this advice a bit pointless (and even
 counter-productive in some cases).

 I'm feeling uneasy about the (implied) suggestion to use `@csrf_exempt`,
 because of the security implications.

 I agree that we should mention this pitfall in the documentation, but I
 can't come up with a really good way to explain it. Maybe we should just
 state the facts, i.e. say that middleware shouldn't access
 `request.POST`, but that Django's implementation of CSRF protection and
 custom upload handlers are incompatible.

--
Ticket URL: <https://code.djangoproject.com/ticket/16384#comment:1>