Django CSRF framework cannot be disabled and is breaking the site

csrfdjango

The django csrf middleware can't be disabled. I've commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware?

I have to disable it because there are lots of POST requests on my site that CSRF just breaks. Any feedback on how I can completely disable CSRF in a django trunk project?

The "new' CSRF framework from Django's trunk is also breaking an external site that is coming in and doing a POST on a URL I'm giving them (this is part of a restful API.) I can't disable the CSRF framework as I said earlier, how can I fix this?

Best Answer

Yes, Django csrf framework can be disabled.

To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example: (see doc)

from django.views.decorators.csrf import csrf_exempt                                          
@csrf_exempt                                                                                  
def my_view:                                                                            
    return Httpresponse("hello world")

..and then remove {% csrf_token %} inside the forms from your template,or leave other things unchanged if you have not included it in your forms.

Related Solutions

Django CSRF Framework having many failures

I really struggled to get it right, but eventually did. Here were my main issues (Django 1.2 beta):

Make sure your middleware stuff is right, according to the version of Django that you are using. This is well covered in Django's literature online.
Make sure that you have the {% csrf_token %} in each form,just following the opening tag for the form
This was my main problem, make sure that all your forms have an go-to page, i.e. don't do action="" in your form.
Make sure that your settings emails are all the right ones. I had to do something like this:

EMAIL_HOST='mail.my-domain.com' EMAIL_HOST_USER='my user name on the server' EMAIL_HOST_PASSWORD='passwd' EMAIL_PORT= '26' # often seems to be 25 or 26 on many of the forum posts I read DEFAULT_FROM_EMAIL='noreply@domain.com' # on hosted domains, make sure it is set up and sending SERVER_EMAIL = 'noreply@domain.com' # Same email as above
1. Add the request_context to the end of your render_to_response
return render_to_response('contact.htm',{'favicon':r'____.ico', 'more_stuff':"......" 'more_stuff':"......" 'more_stuff':"......" }, context_instance = RequestContext(request))

Make sure you have:

TEMPLATE_CONTEXT_PROCESSORS = (
     "django.contrib.auth.context_processors.csrf",
     .....
   )

in your settings.py file.

Note that this is really not a how to, this is just what I did to get mine working. The reason for posting it now is that I see so many people on forums discussing this topic resort to just turning the csrf_token off.

R – How to find out who is responsible for Django’s CSRF middleware

CSRF protection is being re-worked for Django 1.2. See the community wiki page CsrfProtection that discusses the current limitations and proposals for re-working. Personally I'm thinking about moving ahead and using Simon Willison's django-safeform project as a temporary solution until 1.2 is released.

Best Answer

Related Solutions

Django CSRF Framework having many failures

R – How to find out who is responsible for Django’s CSRF middleware

Related Topic