Issue 15 in django-blocks: Static pages and CSRF

django...@googlecode.com

Jan 17, 2011, 4:53:14 PM
to django...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 15 by alexis.m...@gmail.com: Static pages and CSRF
http://code.google.com/p/django-blocks/issues/detail?id=15

What steps will reproduce the problem?
1. In the demo site add 'django.middleware.csrf.CsrfViewMiddleware' in
the list of middlewares MIDDLEWARES_CLASSES
2. In the template demo/templates/site/base.html add the {% csrf_token %}
tag to both form entries for changing the language :

<div id="language">
  <form action="/i18n/setlang/" method="post">
    {% csrf_token %}
    <input type="hidden" name="language" value="pt" />
    <input type="image" src="/media/img/flags/pt.png" width="18" height="12" />
  </form>
  <form action="/i18n/setlang/" method="post">
    {% csrf_token %}
    <input type="hidden" name="language" value="en" />
    <input type="image" src="/media/img/flags/en.png" width="18" height="12" />
  </form>
</div>

3. Launch runserver and click on 'about us', which is a static page

What is the expected output? What do you see instead?
When looking at the source code of the rendered page you can see that the
csrf input tag has not been added and clicking on a flag leads to an error
page.

What version of the python, django and blocks are you using? On what
operating system?

I'm using python 2.6, django 1.2.1 and the svn version of django blocks
from 2 days ago, on a maverick box

django...@googlecode.com

Jan 17, 2011, 5:20:50 PM
to django...@googlegroups.com
Updates:
Status: Done

Comment #1 on issue 15 by kimus.li...@gmail.com: Static pages and CSRF
http://code.google.com/p/django-blocks/issues/detail?id=15

the 'django.middleware.csrf.CsrfViewMiddleware' should be the first in the
MIDDLEWARES_CLASSES.

django...@googlecode.com

Jan 18, 2011, 2:43:59 AM
to django...@googlegroups.com

Comment #2 on issue 15 by alexis.m...@gmail.com: Static pages and CSRF
http://code.google.com/p/django-blocks/issues/detail?id=15

Hi,

Putting the middleware in first position doesn't change the result for
me. The csrf token is replaced as expected in the home page, but not in
static pages like "about us". Only static pages show this problem from
what I have observed.

On Monday, 17 January 2011 at 22:20 +0000, django...@googlecode.com
wrote:

django...@googlecode.com

Jan 18, 2011, 6:00:22 AM
to django...@googlegroups.com
Updates:
Status: Accepted

Comment #3 on issue 15 by kimus.li...@gmail.com: Static pages and CSRF
http://code.google.com/p/django-blocks/issues/detail?id=15

I'm sorry, I only tested in the home page. Didn't notice that wasn't a
Static Page.

django...@googlecode.com

Oct 6, 2011, 12:11:11 PM
to django...@googlegroups.com

Comment #4 on issue 15 by aatana...@gmail.com: Static pages and CSRF
http://code.google.com/p/django-blocks/issues/detail?id=15

from django.views.decorators.csrf import csrf_protect

@csrf_protect
def staticpage(request, url):
    ...  # existing view body, unchanged

in apps/core/views.py fixed this for me.
