csrf_exempt decorator and class based views


Christo Buschek

Mar 8, 2011, 8:19:39 AM
to Django users
Hello.

I came across a problem that I don't fully understand. I try to
implement a view where I want to turn csrf protection off. My view is
implemented as a class-based view, e.g.:

from django.http import HttpResponseNotAllowed

class BaseHandler(object):
    """Base class to provide method lookup per HTTP method."""
    def __call__(self, request, **kwargs):
        self.request = request
        try:
            callback = getattr(self, "do_%s" % request.method)
        except AttributeError:
            # Slice the prefix off; lstrip("do_") strips characters, not a prefix.
            allowed_methods = [m[len("do_"):] for m in dir(self)
                               if m.startswith("do_")]
            return HttpResponseNotAllowed(allowed_methods)
        return callback(**kwargs)

class SpecificHandler(BaseHandler):
    """Implement the HTTP methods."""
    def do_POST(self, **kwargs):
        pass

If I want to use the @csrf_exempt on the class method 'do_POST', it
doesn't get recognised. It is only accepted if I wrap the whole class
inside the decorator, e.g.:

# This doesn't work
class SpecificHandler(BaseHandler):
    @csrf_exempt
    def do_POST(self, **kwargs):
        pass

# This works
@csrf_exempt
class SpecificHandler(BaseHandler):
    def do_POST(self, **kwargs):
        pass

But I wonder if that is the right way to do it, because then all class
methods are excepted from the csrf protection.

1) Why is the decorator not wrapping the class method (more a Python
question I guess)?
2) Is there any other way how I could turn off the csrf protection for
this single class method?

Any enlightenment is very much appreciated.

cheers
Christo
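
Added example, not part of the original post and not Django source code: a simplified model of why the flag set on do_POST goes unnoticed. Django's CSRF middleware looks for a csrf_exempt attribute on the view callable resolved from the URLconf, so the model's process_request does the same; process_request, run_cases and the request dictionaries are constructed for illustration.

```python
# Added illustration: a simplified model, not Django source code.
def csrf_exempt(view_func):
    """Model of the decorator: wrap the callable and flag the wrapper."""
    def wrapped(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped


def process_request(view, request):
    """Model of the middleware: it only inspects the resolved view callable."""
    exempt = getattr(view, "csrf_exempt", False)
    unsafe = request["method"] not in ("GET", "HEAD", "OPTIONS", "TRACE")
    if unsafe and not exempt and not request.get("token_ok", False):
        return 403
    return view(request)


class BaseHandler:
    """Same per-method dispatch idea as the handler in the question."""
    def __call__(self, request, **kwargs):
        return getattr(self, "do_%s" % request["method"])(**kwargs)


class MethodDecorated(BaseHandler):
    @csrf_exempt  # flag ends up on do_POST, which the middleware never sees
    def do_POST(self, **kwargs):
        return "posted"


class Plain(BaseHandler):
    def do_POST(self, **kwargs):
        return "posted"

    def do_DELETE(self, **kwargs):
        return "deleted"


def run_cases():
    """Constructed requests without a valid token, against both variants."""
    method_level = MethodDecorated()
    whole_view = csrf_exempt(Plain())  # flag on the callable itself
    return {
        "method_level_post": process_request(method_level, {"method": "POST"}),
        "whole_view_post": process_request(whole_view, {"method": "POST"}),
        "whole_view_delete": process_request(whole_view, {"method": "DELETE"}),
    }
```

In the model, the method-level decorator leaves the check in force, while flagging the whole callable also lets the tokenless DELETE through, which is the breadth the question worries about.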

Casey S. Greene

Mar 8, 2011, 8:41:32 AM
to django...@googlegroups.com
Have you seen this yet:

http://docs.djangoproject.com/en/dev/topics/class-based-views/#decorating-class-based-views

I think it answers your question.

Hope this helps,
Casey

Kishor Pawar

Apr 15, 2015, 7:13:24 AM
to django...@googlegroups.com
Hey Casey,

I followed this doc, but still I am not getting this working.

Do I need to do anything else to get it to work?

Andreas Kuhne

Apr 15, 2015, 7:25:17 AM
to django...@googlegroups.com
First of all, why are you not using the default views that Django provides? In your case all you have to do is subclass the View class (django.views.generic.View) to get all the functionality that you require (i.e. you get a post and get method that will automatically be called).

Second of all, check: https://docs.djangoproject.com/en/1.8/topics/class-based-views/intro/#decorating-the-class. There you can see how to use a decorator on one method in the class only.

If you used the View class, your "SpecificHandler" should look something like this:

from django.views.decorators.csrf import csrf_exempt
from django.views.generic import View
from django.utils.decorators import method_decorator

class SpecificHandler(View):
    @method_decorator(csrf_exempt)
    def post(self, request, *args, **kwargs):
        pass


Then you shouldn't have any issues with posting. However, I really don't see WHY you would want to do that, because in a post the CSRF token is rather important for security...

Regards,

Andréas

