11👍
See answers below this for a better solution. Since I wrote this, a lot has changed. There are now better ways to disable CSRF.
I feel your pain. It’s not acceptable for a framework to change such fundamental functionality. Even if I want to start using this from now on, I have legacy sites on the same machine sharing a copy of django. Changes like this should require major version number revisions. 1.x –> 2.x.
Anyway, to fix it I just commented it out and have stopped updating Django as often.
File: django/middleware/csrf.py
Around line 160:
# check incoming token
# request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
# if request_csrf_token != csrf_token:
# if cookie_is_new:
# # probably a problem setting the CSRF cookie
# return reject("CSRF cookie not set.")
# else:
# return reject("CSRF token missing or incorrect.")
127👍
Yes, Django csrf framework can be disabled.
To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example: (see doc)
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def my_view:
return Httpresponse("hello world")
..and then remove {% csrf_token %}
inside the forms from your template,or leave other things unchanged if you have not included it in your forms.
- [Django]-Factory-boy create a list of SubFactory for a Factory
- [Django]-How to TRUNCATE TABLE using Django's ORM?
- [Django]-How to make Django's DateTimeField optional?
82👍
You can disable this in middleware.
In your settings.py add a line to MIDDLEWARE_CLASSES:
MIDDLEWARE_CLASSES = (
myapp.disable.DisableCSRF,
)
Create a disable.py in myapp with the following
class DisableCSRF(object):
def process_request(self, request):
setattr(request, '_dont_enforce_csrf_checks', True)
Basically if you set the _dont_enforce_csrf_checks in your request, you should be ok.
- [Django]-Change a form value before validation in Django form
- [Django]-How to 'bulk update' with Django?
- [Django]-Get current user in Model Serializer
5👍
In general, you shouldn’t be disabling CSRF protection, since doing so opens up security holes. If you insist, though…
A new way of doing CSRF protection landed in trunk just recently. Is your site by chance still configured to do it the old way? Here are the docs for The New Way™ and here are the docs for The Old Way™.
- [Django]-Setting Django up to use MySQL
- [Django]-How to send a correct authorization header for basic authentication
- [Django]-You need to install postgresql-server-dev-X.Y for building a server-side extension or libpq-dev for building a client-side application
4👍
I simply tried removing the references to csrf middleware classes from my settings.py, it worked. Not sure if this is acceptable. Any comments?
Below two lines were removed –
'django.middleware.csrf.CsrfViewMiddleware',
'django.middleware.csrf.CsrfResponseMiddleware',
- [Django]-Django+Postgres: "current transaction is aborted, commands ignored until end of transaction block"
- [Django]-How can I render a tree structure (recursive) using a django template?
- [Django]-Get object by field other than primary key
1👍
my django version is 1.11. the middleware should be like this:
from django.utils.deprecation import MiddlewareMixin
class DisableCSRF(MiddlewareMixin):
def process_request(self, request):
setattr(request, '_dont_enforce_csrf_checks', True)
- [Django]-List_display – boolean icons for methods
- [Django]-How to use if/else condition on Django Templates?
- [Django]-Django or Django Rest Framework