In CSRF docs, moved 'Exceptions' section to 'Edge cases', and cleaned up some associated markup

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16188 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit b5da093fa92040df583048850c910ed7b42f536b 1 parent eadcbcb
@spookylukey spookylukey authored
Showing with 23 additions and 15 deletions.
  1. +23 −15 docs/ref/contrib/csrf.txt
38 docs/ref/contrib/csrf.txt
@@ -146,18 +146,6 @@ Use of the decorator is **not recommended** by itself, since if you forget to
use it, you will have a security hole. The 'belt and braces' strategy of using
both is fine, and will incur minimal overhead.
-Exceptions
-----------
-
-To manually exclude a view function from being handled by either of the two CSRF
-middleware, you can use the ``csrf_exempt`` decorator, found in the
-``django.views.decorators.csrf`` module. For example::
-
- from django.views.decorators.csrf import csrf_exempt
-
- @csrf_exempt
- def my_view(request):
- return HttpResponse('Hello world')
Subdomains
----------
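Review bot: the deleted 'Exceptions' section was the only place that said ``csrf_exempt`` excludes a view from "either of the two CSRF middleware"; the relocated entry under Utilities in the next hunk says "the middleware" (singular). If only ``CsrfViewMiddleware`` is meant now, that is fine, but the narrative text that remains here ("Use of the decorator is **not recommended** by itself...") no longer has a nearby pointer to where exemption is documented; a one-line cross-reference to :func:`~django.views.decorators.csrf.csrf_exempt` after "will incur minimal overhead." would keep readers from thinking the exemption mechanism was dropped.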
@@ -297,6 +285,17 @@ Utilities
.. module:: django.views.decorators.csrf
+.. function:: csrf_exempt(view)
+
+ This decorator marks a view as being exempt from the protection ensured by
+ the middleware. Example::
+
+ from django.views.decorators.csrf import csrf_exempt
+
+ @csrf_exempt
+ def my_view(request):
+ return HttpResponse('Hello world')
+
.. function:: requires_csrf_token(view)
Normally the :ttag:`csrf_token` template tag will not work if
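Review bot: the example in the new ``csrf_exempt(view)`` entry uses ``HttpResponse`` without importing it; add ``from django.http import HttpResponse`` above ``from django.views.decorators.csrf import csrf_exempt`` so the snippet runs as shown. The description "exempt from the protection ensured by the middleware" would also benefit from the caveat the old section carried: an exempted view receives no CSRF check at all, so it should only be used for views that are safe without one (and the Scenarios section below should be the place readers are pointed to for the combined ``csrf_exempt`` + ``requires_csrf_token`` case).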
@@ -319,14 +318,22 @@ Utilities
Scenarios
---------
+CSRF protection should be disabled for just a few views
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Most views requires CSRF protection, but a few do not.
+
+Solution: rather than disabling the middleware and applying ``csrf_protect`` to
+all the views that need it, enable the middleware and use
+:func:`~django.views.decorators.csrf.csrf_exempt`.
+
CsrfViewMiddleware.process_view not used
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are cases when may not have run before your view is run - 404 and 500
handlers, for example - but you still need the CSRF token in a form.
-Solution: use ``requires_csrf_token``
-
+Solution: use :func:`~django.views.decorators.csrf.requires_csrf_token`
Unprotected view needs the CSRF token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
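Review bot: grammar in the added scenario text: "Most views requires CSRF protection" should read "Most views require CSRF protection". While touching this section, the unchanged context sentence "There are cases when may not have run before your view is run" is missing its subject; "There are cases when ``CsrfViewMiddleware.process_view`` may not have run before your view is run" matches the heading directly above it. The new solution line ``:func:`~django.views.decorators.csrf.requires_csrf_token``` also drops the trailing full stop that the other "Solution:" lines in this section use.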
@@ -334,7 +341,8 @@ Unprotected view needs the CSRF token
There may be some views that are unprotected and have been exempted by
``csrf_exempt``, but still need to include the CSRF token.
-Solution: use ``csrf_exempt`` followed by ``requires_csrf_token``.
+Solution: use :func:`~django.views.decorators.csrf.csrf_exempt` followed by
+:func:`~django.views.decorators.csrf.requires_csrf_token`.
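Review bot: "use csrf_exempt followed by requires_csrf_token" leaves the decorator stacking order ambiguous, and order is exactly what a reader needs here. Spell out which decorator is innermost, for instance with a three-line snippet: ``@csrf_exempt`` on the first line, ``@requires_csrf_token`` on the second, then ``def my_view(request):``, so the view is skipped by the middleware's check but the token is still made available to the template.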