turn off csrf

hinnack

May 13, 2014, 9:49:21 AM5/13/14
to django...@googlegroups.com
Hi,

how can I turn off csrf completely - even in the admin interface?

My base problem is that with IE11 (and only IE11) I cannot save any form in the admin interface. I always get:

CSRF verification failed. Request aborted


I have no csrf middleware set. What else must be done?

(using django 1.6)

regards

Hinnack

Tom Evans

May 13, 2014, 10:48:57 AM5/13/14
to django...@googlegroups.com
On Tue, May 13, 2014 at 2:49 PM, hinnack <henrik....@miadi.net> wrote:
> Hi,
>
> how can I turn off csrf completely - even in the admin interface?
>
> My base problem is, that with IE11 (and only IE11) I can not save any form
> in the admin interface. I always get:
>
> CSRF verification failed. Request aborted

That message comes from django.views.csrf.csrf_failure. This view is
only called from the csrf middleware.

>
>
> I have no csrf middleware set. What else must be done?
>

... which suggests this is not true - re-check that you have actually
removed it, go to a django shell, type these commands:

from django.conf import settings
settings.MIDDLEWARE_CLASSES

is CsrfViewMiddleware listed there? If it isn't, have you tried
turning it off and then on again?

Cheers

Tom

hinnack

May 13, 2014, 11:36:18 AM5/13/14
to django...@googlegroups.com
Thanks Tom,

but I definitely did that - here is the result:
('django.middleware.common.CommonMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'schiwago.middleware.header.ResponseInjectHeader', 'schiwago.middleware.auth.BasicAuthMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.transaction.TransactionMiddleware')

What do you mean by turn on/off again? Enable the CsrfViewMiddleware again? Why could that work? Will that manipulate the client or do any magic on the server (something in tables)?

regards
Hinnack

Tom Evans

May 13, 2014, 1:15:27 PM5/13/14
to django...@googlegroups.com
Well, look:

The message you report comes from the csrf failure view:

https://github.com/django/django/blob/stable/1.6.x/django/views/csrf.py#L34

The csrf failure view is only invoked from one place, the csrf middleware:

https://github.com/django/django/blob/stable/1.6.x/django/middleware/csrf.py#L94


> What do you mean by turn on/off again? Enable the CsrfViewMiddleware again?

Sorry, this was a bad joke from a UK TV show, "The IT Crowd"; the
first question they ask is "have you tried turning it off and on
again".

I was referring to the server itself - have you restarted the server
since making the change. Making the change in the settings.py would
have it reflected in a new django shell, but not in an already running
webserver.

Cheers

Tom

hinnack

May 14, 2014, 8:39:27 AM5/14/14
to django...@googlegroups.com
:-)

I think you cannot deactivate csrf in the admin interface anymore…
It is used somewhere as a decorator, as make_middleware_decorator is called for it…

Is this the expected behavior? Or is there a setting I overlooked?

regards,
Hinnack

hinnack

May 14, 2014, 11:28:28 AM5/14/14
to django...@googlegroups.com
OK doing:
setattr(request, '_dont_enforce_csrf_checks', True)
in a middleware does the trick.

The question remains: Is this expected? Or should the absence of the csrf middleware set this anyway? Or should there be a setting anyway?

regards,
Hinnack
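To make the mechanism discussed in this thread concrete, here is an added example (not code from the thread or from Django itself): a stand-alone Python model of the order in which Django 1.6's CsrfViewMiddleware.process_view decides to skip, accept or reject a request. The admin wraps its views with csrf_protect, which runs this same middleware logic whether or not the middleware is listed in MIDDLEWARE_CLASSES, so dropping the middleware does not stop the failure view, while request._dont_enforce_csrf_checks (the flag Django's own test client sets) switches the check off for every request. The Request stand-in class is constructed for this example, and the HTTPS Referer check of the real middleware is left out.

```python
import hmac

# Django 1.6 treats these methods as not changing state, so no token is required.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class Request:
    """Minimal stand-in for django.http.HttpRequest (constructed for this example)."""

    def __init__(self, method, cookies=None, post=None, meta=None, **flags):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}
        self.META = meta or {}          # e.g. {"HTTP_X_CSRFTOKEN": "..."} for AJAX
        for name, value in flags.items():
            setattr(self, name, value)  # lets a test set _dont_enforce_csrf_checks


def csrf_decision(request, view_is_exempt=False):
    """Return 'skipped', 'ok' or 'reject', following the order of checks in
    Django 1.6's CsrfViewMiddleware.process_view (Referer check omitted).

    'reject' is the branch that renders django.views.csrf.csrf_failure, i.e. the
    "CSRF verification failed. Request aborted." page from the thread.
    """
    if view_is_exempt:
        return "skipped"            # @csrf_exempt on the view
    if request.method in SAFE_METHODS:
        return "skipped"            # safe methods are never checked
    if getattr(request, "_dont_enforce_csrf_checks", False):
        return "skipped"            # blanket bypass: every POST is accepted unchecked
    cookie_token = request.COOKIES.get("csrftoken", "")
    if not cookie_token:
        return "reject"             # no CSRF cookie on the request (e.g. cookie blocked)
    # Token may come from the form field or, for AJAX, from the X-CSRFToken header.
    request_token = (request.POST.get("csrfmiddlewaretoken", "")
                     or request.META.get("HTTP_X_CSRFTOKEN", ""))
    if not hmac.compare_digest(request_token, cookie_token):
        return "reject"             # token missing or does not match the cookie
    return "ok"


if __name__ == "__main__":
    # Constructed requests showing each branch, including the bypass flag.
    print(csrf_decision(Request("GET")))                                   # skipped
    print(csrf_decision(Request("POST")))                                  # reject
    print(csrf_decision(Request("POST", cookies={"csrftoken": "t1"},
                                post={"csrfmiddlewaretoken": "t1"})))      # ok
    print(csrf_decision(Request("POST", _dont_enforce_csrf_checks=True)))  # skipped
```

The last case is the middleware workaround from the post above: once the flag is set, a POST with no cookie and no token is accepted, so an admin session becomes exposed to cross-site requests; a browser that drops the csrftoken cookie is the condition worth diagnosing instead.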