[Django] #35062: Update csrf.py to check request.POST if request.method is not GET


Django

Dec 24, 2023, 11:52:33 PM
to django-...@googlegroups.com
#35062: Update csrf.py to check request.POST if request.method is not GET
---------------------------------------+------------------------
Reporter: petermjones | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
---------------------------------------+------------------------
When trying to determine request_csrf_token within csrf.py, request.method
== "POST" fails (CSRF token missing) if you use custom middleware that
handles a form field _method to convert request.method to PUT/DELETE...
etc. I use this middleware since HTML forms can only use GET and POST,
and I want my page to work even when JavaScript is disabled.

Change django/middleware/csrf.py (line 365)
if request.method == "POST":

To
if request.method != "GET":

--
Ticket URL: <https://code.djangoproject.com/ticket/35062>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Dec 25, 2023, 1:54:14 AM
to django-...@googlegroups.com
#35062: Update csrf.py to check request.POST if request.method is not GET
-----------------------------+--------------------------------------
Reporter: Peter Jones | Owner: nobody
Type: Bug | Status: closed
Component: CSRF | Version: 4.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => invalid


Comment:

Thanks for this report, however if you're using a custom middleware to
convert POST to PUT/PATCH/DELETE then you can also use your own
`CsrfViewMiddleware` subclass to handle them. It doesn't need to be handled
by Django itself. We don't usually include workarounds for niche edge
cases.

--
Ticket URL: <https://code.djangoproject.com/ticket/35062#comment:1>
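The two pieces discussed above, the reporter's `_method` override and the `CsrfViewMiddleware` subclass Mariusz suggests instead of patching Django, worked as an added example that is not from the ticket or from Django itself. The `Request` class is a constructed stand-in for `django.http.HttpRequest` so the logic runs offline; `override_method` is the body a method-override middleware would run, and `promote_form_token` is what a `CsrfViewMiddleware` subclass would call in `process_view()` before `super().process_view()`.

```python
from dataclasses import dataclass, field

ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"  # Django's default CSRF_HEADER_NAME


@dataclass
class Request:
    """Constructed stand-in for django.http.HttpRequest (not Django's class)."""
    method: str
    POST: dict = field(default_factory=dict)  # parsed form body
    META: dict = field(default_factory=dict)  # WSGI environ / headers
    original_method: str = ""                 # set when the method is rewritten


def override_method(request: Request) -> Request:
    """Body of a method-override middleware honouring a hidden `_method` field.

    Only a genuine POST may be rewritten, so `GET /x?_method=DELETE` stays a
    GET. request.POST is read *before* request.method changes: Django parses
    the body into request.POST only while the method is still POST, and the
    parsed result is then cached on the request.
    """
    if request.method != "POST":
        return request
    wanted = request.POST.get("_method", "").upper()  # forces body parsing
    if wanted in ALLOWED_OVERRIDES:
        request.original_method = "POST"
        request.method = wanted
    return request


def promote_form_token(request: Request) -> Request:
    """Hook for a CsrfViewMiddleware subclass, called in process_view() before
    super().process_view(). For a rewritten request the stock middleware skips
    request.POST and looks only at request.META[CSRF_HEADER_NAME], so copy the
    form token there; the normal token comparison then runs unchanged.
    """
    if request.original_method == "POST" and CSRF_HEADER_NAME not in request.META:
        token = request.POST.get("csrfmiddlewaretoken", "")
        if token:
            request.META[CSRF_HEADER_NAME] = token
    return request


def handle(request: Request) -> Request:
    """Middleware order: the override runs first, then the CSRF hook."""
    return promote_form_token(override_method(request))
```

The override middleware must sit before `CsrfViewMiddleware` in `MIDDLEWARE`, and a request that already carries an `X-CSRFToken` header is left untouched so the header path keeps precedence.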

Django

Dec 25, 2023, 5:54:13 AM
to django-...@googlegroups.com
#35062: Update csrf.py to check request.POST if request.method is not GET
Changes (by I-MirzaBaig):

* cc: I-MirzaBaig (added)


Comment:

Has it been solved?

--
Ticket URL: <https://code.djangoproject.com/ticket/35062#comment:2>

Django

Dec 25, 2023, 6:52:47 AM
to django-...@googlegroups.com
#35062: Update csrf.py to check request.POST if request.method is not GET

Comment (by Peter Jones):

I've enhanced my middleware to address both the Request method limitation
and the CSRF header issue for HTML forms. Despite these improvements, I
believe Django, as 'the web framework for perfectionists,' should
inherently offer better support for scenarios where JavaScript is disabled
in the browser. Prioritizing accessibility and functionality in a no-
JavaScript environment aligns with the high standards Django sets for web
development.

https://www.reddit.com/r/webdev/comments/mfnxnj/why_your_website_should_work_without_javascript/

--
Ticket URL: <https://code.djangoproject.com/ticket/35062#comment:3>

Django

Jan 9, 2024, 10:04:06 AM
to django-...@googlegroups.com
#35062: Update csrf.py to check request.POST if request.method is not GET

Comment (by Natalia Bidart):

Hello Peter!

On one hand, if you disagree with the resolution, you can alternatively
propose and discuss the idea/request with the community and gain
consensus. To do that, you could start a new conversation on the
[https://forum.djangoproject.com/c/internals/5 Django Forum], where you'll
reach a wider audience and potentially get extra feedback.

On the other hand, it would be important to explain in detail how the
change you suggest affects working with/without JavaScript enabled. I have
multiple sites where JavaScript is not required at all and they do not
need this change.

--
Ticket URL: <https://code.djangoproject.com/ticket/35062#comment:4>
