
Enabling CSRF Middleware breaks admin site #2

Closed
digi604 opened this Issue Apr 17, 2009 · 6 comments

4 participants
Member

digi604 commented Apr 17, 2009

Enabling the CSRF Middleware breaks the following on the admin site:
- Published/In Navigation Checkboxes
- Cut/Paste (moving pages)
- Drag and drop (moving pages)

Because these post to the server, they need to include a token from the CSRF Middleware (if it is enabled). If they do not, the result is a 403 Forbidden.

Member

digi604 commented Apr 23, 2009

this will be fixed when django 1.1 lands

from http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#upgrading-notes

"Note that contrib apps, such as the admin, have been updated to use the csrf_protect decorator, so that they are secured even if you do not add the CsrfViewMiddleware to your settings. However, if you have supplied customised templates to any of the view functions of contrib apps (whether explicitly via a keyword argument, or by overriding built-in templates), you MUST update them to include the csrf_token template tag as described above, or they will stop working. (If you cannot update these templates for some reason, you will be forced to use CsrfResponseMiddleware for these views to continue working)."

Member

digi604 commented Nov 13, 2009

> this is for django 1.2?

yes, this is for 1.2, the current trunk version.

```
python -c "import django; print django.VERSION"
(1, 2, 0, 'alpha', 0)
```

Contributor

m000 commented Nov 19, 2009

Note that CSRF middleware has been enabled by default from trunk revision 11660 onwards. (At this moment the latest revision is 11752.)

I had problems with CSRF middleware when trying to edit a django-cms page. I got an error which reads:

`'PageAdmin' object has no attribute 'COOKIES'`

I checked and there are no problems with revision 11659 of django. So, until this is fixed in django-cms people can use "svn update -r 11659" to revert their django source tree to the latest working revision.

The fix for PageAdmin is to use the new django.utils.decorators.method_decorator when setting up reversion's create_on_success decorator. See:

http://code.djangoproject.com/ticket/12804

http://docs.djangoproject.com/en/dev/releases/1.2/#user-passes-test-login-required-and-permission-required
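The two failure modes discussed in this thread, shown together in one added example (illustrative code written for this page, not django-cms's or Django's own): first, a state-changing POST that does not carry the CSRF token is rejected with 403 Forbidden before the view runs, which is what the admin's checkbox, cut/paste and drag-and-drop requests hit once the middleware is enabled; second, a function decorator such as `csrf_protect` applied directly to a `ModelAdmin` method receives `self` where it expects `request`, producing exactly the "'PageAdmin' object has no attribute 'COOKIES'" error, while wrapping it with `method_decorator` binds `self` first. The `csrf_protect` and `method_decorator` below are simplified stand-ins for Django's, and the `Request`/`Response` classes and token values are constructed for the example.

```python
import functools
import hmac

# Constructed stand-ins for Django's HttpRequest/HttpResponse (not Django's classes).
class Request:
    def __init__(self, method, cookies, post=None):
        self.method = method
        self.COOKIES = cookies
        self.POST = post or {}

class Response:
    def __init__(self, status, body=""):
        self.status = status
        self.body = body

def csrf_protect(view):
    """Simplified stand-in for Django's csrf_protect / CsrfViewMiddleware check
    (assumption: not Django's implementation). The cookie is read before the
    method check, as Django 1.2's middleware did, so a wrong first argument
    surfaces as a missing COOKIES attribute."""
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        cookie = request.COOKIES.get("csrftoken", "")
        if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
            return view(request, *args, **kwargs)  # safe methods are not checked
        submitted = request.POST.get("csrfmiddlewaretoken", "")
        # Missing or mismatched token: reject before the view runs (403 Forbidden).
        if not cookie or not submitted or not hmac.compare_digest(cookie, submitted):
            return Response(403, "CSRF verification failed")
        return view(request, *args, **kwargs)
    return wrapper

def method_decorator(decorator):
    """Minimal equivalent of django.utils.decorators.method_decorator
    (assumption: simplified). It binds `self` before the function decorator
    sees the arguments, so the decorator's first positional argument is the
    request rather than the admin instance."""
    def outer(method):
        @functools.wraps(method)
        def inner(self, *args, **kwargs):
            bound = functools.partial(method, self)
            return decorator(bound)(*args, **kwargs)
        return inner
    return outer

class BrokenPageAdmin:
    # Function decorator applied straight to a method: the wrapper's `request`
    # parameter receives the admin instance, so `request.COOKIES` raises
    # AttributeError: 'BrokenPageAdmin' object has no attribute 'COOKIES'.
    @csrf_protect
    def move_page(self, request):
        return Response(200, "moved")

class FixedPageAdmin:
    # method_decorator hands the real request to csrf_protect.
    @method_decorator(csrf_protect)
    def move_page(self, request):
        return Response(200, "moved")

def post_without_token():
    """AJAX-style POST that never included the token: rejected with 403."""
    req = Request("POST", {"csrftoken": "abc123"}, {})
    return FixedPageAdmin().move_page(req).status

def post_with_token():
    """Same POST carrying csrfmiddlewaretoken matching the cookie: accepted."""
    req = Request("POST", {"csrftoken": "abc123"}, {"csrfmiddlewaretoken": "abc123"})
    return FixedPageAdmin().move_page(req).status

def broken_admin_error():
    """Reproduces the error from the thread on the undecorated-method variant."""
    req = Request("POST", {"csrftoken": "abc123"}, {"csrfmiddlewaretoken": "abc123"})
    try:
        BrokenPageAdmin().move_page(req)
    except AttributeError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("without token:", post_without_token())
    print("with token:   ", post_with_token())
    print("broken admin: ", broken_admin_error())
```

Running it prints the 403 for the token-less POST, 200 once `csrfmiddlewaretoken` matches the cookie, and the `AttributeError` text for the method decorated without `method_decorator`.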

digi604 added a commit that referenced this issue Oct 3, 2012

FinalAngel added a commit that referenced this issue Nov 7, 2012

digi604 pushed a commit that referenced this issue Feb 27, 2014

Merge pull request #2 from daegun/removeSpaceless
removing the spaceless tags as it mucks with html output

koirikivi pushed a commit to koirikivi/django-cms that referenced this issue Feb 28, 2014

Merge pull request #2 from koirikivi/develop
Don't restrict user model name and fix travis python3 build

mkoistinen pushed a commit that referenced this issue Feb 25, 2015

Merge pull request #2 from divio/master
Master Update from original

czpython added a commit that referenced this issue Dec 30, 2015

czpython added a commit that referenced this issue Apr 1, 2016

This issue was closed.
