On Wed, Aug 18, 2010 at 3:22 PM, PieterB <pieter.ba...@gmail.com> wrote:
> Can it be disabled globally?

If you have a Django 1.1 project that you have upgraded to 1.2, then
CSRF protection will *not* be enabled by default. In order to enable
it, you need to follow the migration instructions in the 1.2 release
notes.

The exception to this rule is the admin site; the admin site has CSRF
protection turned on, and no, it can't be turned off. We have
intentionally added CSRF protection as a non-optional part of the
admin as a safety mechanism. Django's admin app is a common and highly
visible component of Django projects, and as a result, it is a likely
target for any malicious activity. Forcing CSRF protection on the
admin is our way of ensuring that Django's admin site is not the
vector used to attack a Django site.

Yours,
Russ Magee %-)


> I tried some middleware code I found on the web, but I get
> ImproperlyConfigured: CsrfMiddleware isn't a middleware module
> (but this is probably me doing something wrong?)
>
> http://johnmc.co/llum/disable-csrf-protection-for-django-1-2/
> http://stackoverflow.com/questions/1650941/django-csrf-framework-cannot-be-disabled-and-is-breaking-my-site
>
> The last thing I want to do is to remove it from django itself...
> I'm pretty sure it's a useful solution for web-facing projects, but
> it's giving me a lot of headaches for this one :-(
>
>
> On 18 aug, 08:32, James Saxon <ja...@saxon.com> wrote:
>> I've run into a similar situation where I'm getting CSRF errors
>> inconsistently.  I made sure I had the token and that I was using
>> RequestContext.  I haven't found out exactly what's wrong yet...
>>
>> I have not run into the situation in the admin but I have not tried it much
>> but I haven't changed any admin templates.
>>
>> It does seem to be something happening on the testing server but not on my
>> mac in dev....
>>
>> Hmmm..
>>
>>
>>
>> On Tue, Aug 17, 2010 at 11:20 PM, PieterB <pieter.ba...@gmail.com> wrote:
>> > No I did not.
>> > I've only a modified (created) admin.py for each app in the project.
>>
>> > Maybe this is also important: we use a proxy, maybe it's something
>> > with the cache?
>> > What can cause csrf verification to go crazy?
>>
>> > On 17 aug, 15:58, Alex Robbins <alexander.j.robb...@gmail.com> wrote:
>> > > Have you done any admin template customization? If you copied a
>> > > template from django before 1.2, then upgraded, your admin template
>> > > might be missing the csrf_token template tag.
>>
>> > > Alex
>>
>> > > On Aug 17, 7:55 am, PieterB <pieter.ba...@gmail.com> wrote:
>>
>> > > > For an internal application, I constantly receive "CSRF verification
>> > > > failed" errors... most of the times when using the admin interface
>>
>> > > > It doesn't happen with the local dev version (dev http server) but
>> > > > happens with the deployment version (custom port, cherokee web server)
>>
>> > > > I can only use the admin interface (very) temporarily with a Clear
>> > > > Recent History command
>>
>> > > > This is very annoying :-S
>>
>> > > > I've included
>> > > > 'django.middleware.csrf.CsrfViewMiddleware',
>> > > > 'django.middleware.csrf.CsrfResponseMiddleware'
>>
>> > > > What am I doing wrong? Do I need also some sort of token for Django's
>> > > > admin interface?
>>
>> > > > -- PieterB
>>
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "Django users" group.
>> > To post to this group, send email to django-us...@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > django-users+unsubscr...@googlegroups.com.
>> > For more options, visit this group at
>> > http://groups.google.com/group/django-users?hl=en.
>>
>> --
>> J A M E S   B E N N E T T   S A X O N  ja...@saxon.com
>> Biz: 310.823.0545 - Cell: 310.722.2785
>
>
>
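
Added example, not part of the thread and not Django's own code: a simplified model of the double-submit comparison that CSRF middleware performs (token in the submitted form versus token in the cookie). It shows how the two causes raised in the quoted messages, an admin template copied without the csrf_token tag and a proxy cache serving a form rendered for another session, both end in a rejected POST. The CachingProxy class, the URL, and all function names are constructed for illustration.

```python
import hmac
import secrets

ADMIN_URL = "/admin/app/model/add/"  # constructed sample URL

def new_token():
    """Per-browser secret that the server stores in the CSRF cookie."""
    return secrets.token_hex(16)

def render_form(cookie_token, template_has_tag=True):
    """Hidden-field value a rendered form carries (None if the tag is absent)."""
    return cookie_token if template_has_tag else None

def check_post(cookie_token, form_token):
    """Simplified double-submit check: accept only if form token == cookie token."""
    if cookie_token is None:
        return "rejected: no CSRF cookie"
    if form_token is None:
        return "rejected: token missing from form"
    if not hmac.compare_digest(cookie_token, form_token):
        return "rejected: token mismatch"
    return "accepted"

class CachingProxy:
    """Constructed stand-in for a shared cache in front of the application."""
    def __init__(self, cache_html=True):
        self.cache_html = cache_html
        self.store = {}

    def get_form(self, url, cookie_token):
        # A cache keyed on URL alone hands every browser the first rendering.
        if self.cache_html and url in self.store:
            return self.store[url]
        form_token = render_form(cookie_token)
        if self.cache_html:
            self.store[url] = form_token
        return form_token

def scenarios():
    alice, bob = new_token(), new_token()
    shared, bypass = CachingProxy(), CachingProxy(cache_html=False)
    shared.get_form(ADMIN_URL, alice)  # first visitor primes the cache
    return {
        "fresh form": check_post(alice, render_form(alice)),
        "template without tag": check_post(alice, render_form(alice, False)),
        "cached form, other session": check_post(bob, shared.get_form(ADMIN_URL, bob)),
        "cache bypassed": check_post(bob, bypass.get_form(ADMIN_URL, bob)),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

When diagnosing this class of failure, compare the hidden field in the served HTML with the CSRF cookie the browser actually sends, and check whether the proxy caches pages that contain the token.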
