[Django] #24389: CSRF error page requires DjangoTemplates backend
Django
---------------------------------+-----------------------
Reporter: uranusjr | Owner: nobody
Type: Bug | Status: new
Component: Template system | Version: 1.8alpha1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-----------------------
When a CSRF error is raised in debug mode, the technical page require
DjangoTemplates to be rendered. If you have your TEMPLATES setting
configured without a DjangoTemplates entry, you will instead get a
ImproperlyConfigured: No DjangoTemplates backend is configured. error.
This can be resolved if you add a DjangoTemplates entry to the TEMPLATES
setting, but since the many error pages (500, 404, etc.) work without
DjangoTemplates, this one probably should, too.
To reproduce:
1. Create a new project.
2. Change the TEMPLATES setting to ''not'' include a DjangoTemplates
entry, e.g.
{{{
TEMPLATES = [
{
'BACKEND': 'django.template.backends.jinja2.Jinja2',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
},
},
]
}}}
3. Create a view, and send a POST request to it in the browser, without
the CSRF token.
--
Ticket URL: <https://code.djangoproject.com/ticket/24389>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: uranusjr | Owner: nobody
Type: Bug | Status: new
Component: Template system | Version: 1.8alpha1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by uranusjr):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Old description:
> When a CSRF error is raised in debug mode, the technical page require
> DjangoTemplates to be rendered. If you have your TEMPLATES setting
> configured without a DjangoTemplates entry, you will instead get a
> ImproperlyConfigured: No DjangoTemplates backend is configured. error.
> This can be resolved if you add a DjangoTemplates entry to the TEMPLATES
> setting, but since the many error pages (500, 404, etc.) work without
> DjangoTemplates, this one probably should, too.
>
> To reproduce:
>
> 1. Create a new project.
>
> 2. Change the TEMPLATES setting to ''not'' include a DjangoTemplates
> entry, e.g.
>
> {{{
> TEMPLATES = [
> {
> 'BACKEND': 'django.template.backends.jinja2.Jinja2',
> 'DIRS': [],
> 'APP_DIRS': True,
> 'OPTIONS': {
> },
> },
> ]
> }}}
>
> 3. Create a view, and send a POST request to it in the browser, without
> the CSRF token.
New description:
When a CSRF error is raised in debug mode, the technical page require
DjangoTemplates to be rendered. If you have your TEMPLATES setting
configured without a DjangoTemplates entry, you will instead get an
''ImproperlyConfigured: No DjangoTemplates backend is configured.'' error.
This can be resolved if you add a DjangoTemplates entry to the TEMPLATES
setting, but since many error pages (500, 404, etc.) work without
DjangoTemplates, this one probably should, too.
To reproduce:
1. Create a new project.
2. Change the TEMPLATES setting to ''not'' include a DjangoTemplates
entry, e.g.
{{{
TEMPLATES = [
{
'BACKEND': 'django.template.backends.jinja2.Jinja2',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
},
},
]
}}}
3. Create a view, and send a POST request to it in the browser, without
the CSRF token.
--
--
Ticket URL: <https://code.djangoproject.com/ticket/24389#comment:1>
Django
Reporter: uranusjr | Owner: nobody
Type: Bug | Status: new
Component: Template system | Version: 1.8alpha1
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by uranusjr):
I dug into this a bit, and the reason this is happening is that
django.views.csrf.csrf_failure is hard-wired to use
django.template.Template, while other error pages (in django.views.debug)
use Engine(debug=True).from_string instead. Changing
{{{
t = Template(CSRF_FAILURE_TEMPLATE)
}}}
to
{{{
t = Engine().from_string(CSRF_FAILURE_TEMPLATE)
}}}
resolves the problem. Should this be configured with debug=True as in
django.views.debug? Things seem to work both with and without that
parameter.
--
Ticket URL: <https://code.djangoproject.com/ticket/24389#comment:2>
Django
Reporter: uranusjr | Owner: aaugustin
Type: Bug | Status: assigned
Component: Template system | Version: 1.8alpha1
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by aaugustin):
* status: new => assigned
* owner: nobody => aaugustin
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
Comment:
Indeed, I forgot to render the CSRF failure view with a bare-bones Engines
like I did for the debug views.
--
Ticket URL: <https://code.djangoproject.com/ticket/24389#comment:3>
Django
Reporter: uranusjr | Owner: aaugustin
Component: Template system | Version: 1.8alpha1
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Aymeric Augustin <aymeric.augustin@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"88a5f17d25a25dbd2ebcf905dcecc45ce78a1615"]:
{{{
#!CommitTicketReference repository=""
revision="88a5f17d25a25dbd2ebcf905dcecc45ce78a1615"
Fixed #24389 -- Isolated the CSRF view from the TEMPLATES setting.
Thanks uranusjr for the report and analysis.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/24389#comment:4>
Django
Reporter: uranusjr | Owner: aaugustin
Type: Bug | Status: closed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Aymeric Augustin <aymeric.augustin@…>):
In [changeset:"c564033408e02306ab7b98c81696faedd733156a"]:
{{{
#!CommitTicketReference repository=""
revision="c564033408e02306ab7b98c81696faedd733156a"
[1.8.x] Fixed #24389 -- Isolated the CSRF view from the TEMPLATES setting.
Thanks uranusjr for the report and analysis.
Backport of 88a5f17 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/24389#comment:5>
Django
Reporter: uranusjr | Owner: aaugustin
Type: Bug | Status: closed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Aymeric Augustin <aymeric.augustin@…>):
In [changeset:"556a74879f5c2d382927b5b68451c76d344e29e4"]:
{{{
#!CommitTicketReference repository=""
revision="556a74879f5c2d382927b5b68451c76d344e29e4"
Fixed a few uses of Template that relied on a default engine.
Refs #24389.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/24389#comment:6>
Django
Reporter: uranusjr | Owner: aaugustin
Type: Bug | Status: closed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Aymeric Augustin <aymeric.augustin@…>):
In [changeset:"19c2fe04a83fb03408a239e6553ffcbefde60346"]:
{{{
#!CommitTicketReference repository=""
revision="19c2fe04a83fb03408a239e6553ffcbefde60346"
[1.8.x] Fixed a few uses of Template that relied on a default engine.
Refs #24389.
Backport of 556a748 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/24389#comment:7>