[Django] #27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW


Django

Jan 23, 2017, 6:06:42 AM1/23/17
to django-...@googlegroups.com
#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW
------------------------------------------------+------------------------
Reporter: Ramin Farajpour Cami | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Hi,

settings.CSRF_FAILURE_VIEW always renders HTML, even when the client side
sends a request with an invalid token (`csrftoken:invalid`) and `type:json`.

From https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-CSRF_FAILURE_VIEW
{{{
def csrf_failure(request, reason=""):
    ...
    # render html page
}}}
While the request is `type:json`, the response is `type:html`; I think we
should point out this scenario in the Django docs.

Example:
{{{
from django.http import HttpResponseForbidden
from django.shortcuts import render


def csrf_failure(request, reason=""):
    # AJAX callers get an empty JSON 403 instead of an HTML page
    if request.is_ajax():
        return HttpResponseForbidden('',
                                     content_type='application/json',
                                     charset="utf-8")
    return render(...)
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27763>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
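
The content negotiation the report asks for, as an added example that is neither the ticket's code nor Django's own: a CSRF failure view that answers JSON to script callers and HTML to everyone else. To run without Django installed it uses a constructed `Request` stand-in (only the `META` dict a real `HttpRequest` carries) and returns a plain `Response` object instead of `JsonResponse`/`HttpResponseForbidden`; the decision logic is the same one you would wire into a real view referenced from `CSRF_FAILURE_VIEW`. It goes slightly beyond the ticket's `request.is_ajax()` check by also honouring an `Accept: application/json` header, since `fetch()`-based clients do not send the `X-Requested-With` marker. Both branches keep the 403 status; only the representation changes, and the `reason` text is HTML-escaped before it is embedded in the page.

```python
from dataclasses import dataclass, field
from html import escape
import json


@dataclass
class Request:
    """Constructed stand-in for django.http.HttpRequest: only META is used."""
    META: dict = field(default_factory=dict)


@dataclass
class Response:
    """Constructed stand-in for django.http.HttpResponse."""
    status_code: int
    content_type: str
    content: str


def wants_json(request):
    """Decide whether the caller is a script expecting JSON.

    Two signals: the XMLHttpRequest marker that request.is_ajax() checked
    (deprecated in Django 3.1 because fetch() does not send it), and an
    explicit Accept header. Checking both keeps fetch()-based clients
    working even without the legacy header.
    """
    xrw = request.META.get("HTTP_X_REQUESTED_WITH", "")
    accept = request.META.get("HTTP_ACCEPT", "")
    return xrw.lower() == "xmlhttprequest" or "application/json" in accept.lower()


def csrf_failure(request, reason=""):
    """Failure view body: always 403, only the representation changes.

    `reason` is a fixed string supplied by Django's CSRF middleware, but it
    is HTML-escaped anyway so the HTML branch never reflects raw text.
    """
    if wants_json(request):
        body = json.dumps({"error": "CSRF verification failed", "reason": reason})
        return Response(403, "application/json", body)
    body = (
        "<h1>403 Forbidden</h1>\n"
        f"<p>CSRF verification failed. {escape(reason)}</p>"
    )
    return Response(403, "text/html; charset=utf-8", body)


if __name__ == "__main__":
    # Constructed sample calls: an XHR caller and a plain browser caller.
    xhr = Request({"HTTP_X_REQUESTED_WITH": "XMLHttpRequest"})
    print(csrf_failure(xhr, "CSRF token missing or incorrect.").content)
    browser = Request({"HTTP_ACCEPT": "text/html"})
    print(csrf_failure(browser, "<b>not</b> trusted").content)
```

In a real project the JSON branch would be `JsonResponse({...}, status=403)` and the HTML branch `render(request, "403_csrf.html", {...}, status=403)`; the point is that the status code stays 403 regardless of format, so a client cannot talk its way into a softer response by changing headers.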

Django

Jan 23, 2017, 9:02:23 AM1/23/17
to django-...@googlegroups.com
#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW

Comment (by Tim Graham):

Every view might have special handling for AJAX requests. I'm not
immediately convinced that documenting this possibility each time adds
much value. For example, why not add a similar note to the
[https://docs.djangoproject.com/en/dev/ref/views/ error views]?

--
Ticket URL: <https://code.djangoproject.com/ticket/27763#comment:1>

Django

Jan 23, 2017, 12:12:16 PM1/23/17
to django-...@googlegroups.com
#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW

Comment (by Ramin Farajpour Cami):

**Every view might have special handling for AJAX requests.** Yes, or like
[https://docs.djangoproject.com/en/1.10/topics/auth/default/#the-login-required-decorator login_required];
I know about it, with passing the request directly to
`@login_required def anything():` and `request.user.is_authenticate()`
for AJAX,

but `CSRF_FAILURE_VIEW` is custom security error handling; maybe an AJAX
request is sent for many actions like `def requests(req):` etc. If the
csrftoken is invalid, with these
[https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-CSRF_FAILURE_VIEW docs]
the user defines a template for the error view of a missing `csrftoken`
for an AJAX or `form` request. It is difficult for beginner users to
understand how to handle an AJAX request with a missing `csrftoken`!

**I'm not immediately convinced that documenting this possibility each
time adds much value** Again you are right, but I've mentioned this above.

--
Ticket URL: <https://code.djangoproject.com/ticket/27763#comment:2>

Django

Jan 23, 2017, 7:28:46 PM1/23/17
to django-...@googlegroups.com
#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW

Comment (by Tim Graham):

Maybe you didn't find the docs on
[https://docs.djangoproject.com/en/stable/ref/csrf/#ajax how to use CSRF
and AJAX]?

--
Ticket URL: <https://code.djangoproject.com/ticket/27763#comment:3>

Django

Jan 23, 2017, 8:17:39 PM1/23/17
to django-...@googlegroups.com
#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW

Comment (by Ramin Farajpour Cami):

Yes, I know.

We have 2 ways to get the csrftoken value:

1- use the variable {{ csrf_token }} in a script tag
2- use the [https://docs.djangoproject.com/en/1.10/ref/csrf/#ajax AJAX docs]
to get the csrftoken from the cookie.

Users add
`settings.CSRF_FAILURE_VIEW="django.views.csrf.csrf_failure()"` in
settings for their csrftoken-missing message (status=403) in Django;
if the `csrftoken` is invalid he/she will see, with the current docs, the
rendered template view, but only for a normal request.
Django needs a few points in the docs on handling AJAX. Why?
Because:
https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L15
`CSRF_FAILURE_TEMPLATE` is not, for example, `CSRF_FAILURE_AJAX`; on
failure AJAX always renders the template,

https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L146

The csrf.py message is a security error; maybe a person sets a message for
different requests, e.g. (normal request, and AJAX requests). Here is the normal request
[https://github.com/django/django/blob/6a7495051304d75865add6ff96422018984e1663/django/views/csrf.py#L103
csrf_failure]; for AJAX requests there is no example `CSRF_FAILURE_AJAX` or
pointer in the docs to check `request.is_ajax()`.

Example:


{{{
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt, csrf_protect


# Placeholder stand-ins for the undefined helpers in the original snippet.
def some_condition():
    return True


def do_something():
    return HttpResponse("ok")


def do_something_else():
    return HttpResponse("other")


@csrf_protect
def my_view(request):
    # Call this view via AJAX with an invalid csrftoken: @csrf_protect
    # detects the invalid token and calls settings.CSRF_FAILURE_VIEW,
    # which renders Django's default template, etc.
    @csrf_protect
    def protected_path(request):
        return do_something()

    if some_condition():
        return protected_path(request)
    else:
        return do_something_else()
}}}

settings.py
{{{
# A dotted path to the view, not a call: no "settings." prefix and no "()".
CSRF_FAILURE_VIEW = "django.views.csrf.csrf_failure"
}}}

django.views.csrf.csrf_failure() always renders HTML without any check for
AJAX requests,

--
Ticket URL: <https://code.djangoproject.com/ticket/27763#comment:4>
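
The cookie route from the comment's "2 ways to get the csrftoken value", as an added example that is not the ticket's code and not Django's own implementation. It models, in plain Python with stdlib only so it runs without Django, what the docs' AJAX setup does on the browser side (copy the `csrftoken` cookie into an `X-CSRFToken` header) and a deliberately simplified version of the server-side decision that produces the `reason` handed to the failure view. The cookie header, the token value and the reason strings are all constructed for the example; Django's real middleware additionally unmasks tokens and accepts the hidden form field, and that is not replicated here.

```python
from http.cookies import SimpleCookie
import hmac


def token_from_cookie_header(cookie_header, name="csrftoken"):
    """Server-side equivalent of the docs' getCookie('csrftoken') JS helper:
    pull one cookie value out of a raw Cookie header string."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(name)
    return morsel.value if morsel else None


def build_ajax_headers(cookie_header):
    """Headers the docs' AJAX setup sends: the cookie value copied into
    X-CSRFToken, plus the XMLHttpRequest marker that is_ajax() looked for."""
    headers = {"X-Requested-With": "XMLHttpRequest"}
    token = token_from_cookie_header(cookie_header)
    if token:
        headers["X-CSRFToken"] = token
    return headers


def csrf_check(meta):
    """Simplified stand-in for the middleware decision on an AJAX request.

    Returns (ok, reason). The reason strings are constructed here to
    resemble what the failure view receives; Django's own check also
    unmasks tokens and accepts the form field, which is not replicated.
    """
    cookie_token = token_from_cookie_header(meta.get("HTTP_COOKIE", ""))
    if not cookie_token:
        return False, "CSRF cookie not set."
    sent = meta.get("HTTP_X_CSRFTOKEN", "")
    # Constant-time comparison: a plain == would leak timing about the token.
    if not hmac.compare_digest(sent, cookie_token):
        return False, "CSRF token missing or incorrect."
    return True, ""


def simulate_ajax_request(cookie_header, sent_token=None):
    """Constructed round trip: the browser builds headers from its cookies,
    the server sees both Cookie and the custom header in META. `sent_token`
    overrides the copied value (e.g. a stale one) to show the failure path."""
    headers = build_ajax_headers(cookie_header)
    if sent_token is not None:
        headers["X-CSRFToken"] = sent_token
    meta = {"HTTP_COOKIE": cookie_header}
    for name, value in headers.items():
        # WSGI convention: header names become upper-case, dashes to underscores
        meta["HTTP_" + name.upper().replace("-", "_")] = value
    return csrf_check(meta)


if __name__ == "__main__":
    COOKIE = "csrftoken=abc123DEF; sessionid=s0"  # constructed sample cookies
    print(build_ajax_headers(COOKIE))
    print(simulate_ajax_request(COOKIE))
    print(simulate_ajax_request(COOKIE, sent_token="stale"))
    print(simulate_ajax_request("sessionid=s0"))
```

The `(False, reason)` outcomes are exactly the moment `CSRF_FAILURE_VIEW` is invoked, which is why the comment's concern matters: a script that sent `X-Requested-With`/`X-CSRFToken` and gets back an HTML page cannot read the `reason` without parsing markup.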

Django

Jan 24, 2017, 10:34:42 AM1/24/17
to django-...@googlegroups.com
#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW

Comment (by Tim Graham):

I'm trying to follow you, but I'm afraid I'm not succeeding because of a
language barrier. Do you have a colleague who you could communicate with in
your native language who might be able to better communicate in English?

--
Ticket URL: <https://code.djangoproject.com/ticket/27763#comment:5>

Django

Jan 26, 2017, 8:34:45 AM1/26/17
to django-...@googlegroups.com
#27763: Docs: check invalid csrftoken on CSRF_FAILURE_VIEW
-------------------------------------+-------------------------------------
Reporter: Ramin Farajpour Cami       | Owner: nobody
Type: Cleanup/optimization           | Status: closed
Component: Documentation             | Version: master
Severity: Normal                     | Resolution: needsinfo
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => needsinfo


--
Ticket URL: <https://code.djangoproject.com/ticket/27763#comment:6>
