2👍
django.contrib.auth.views.PasswordResetView decorates its dispatch method with csrf_protect, where csrf_protect = decorator_from_middleware(CsrfViewMiddleware).
Wrapping with your csrf_exempt and the actual CsrfViewMiddleware, we have csrf_protect(csrf_exempt(csrf_protect(<bound method PasswordResetView.dispatch ...>))), where <bound method PasswordResetView.dispatch ...> is super().dispatch.
That can be reduced to csrf_protect(<bound method PasswordResetView.dispatch ...>).
We can trick CsrfViewMiddleware by setting request.csrf_processing_done = True:
class PasswordResetView(auth_views.PasswordResetView):
template_name = 'users/reset_password.html'
@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
request.csrf_processing_done = True
return super().dispatch(request, *args, **kwargs)
Alternatively, you can set super().dispatch.__wrapped__.csrf_exempt = True but this has the side effect of also affecting other view classes that inherit auth_views.PasswordResetView, since super().dispatch.__wrapped__ is just <function PasswordResetView.dispatch ...>.