To get the benefit of Django 1.2's new CSRF protection, all POST forms will need a special token. Here is a quick command that runs through templates adding the token:

find . -type f -name "*.html" -exec sed -i \
's|\(<form[^>]*method="post"[^>]*>\)\({% csrf_token %}\)\?|\1{% csrf_token %}|g' \
{} \;
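The same rewrite as an added Python script, not part of the original post, generalised a little beyond the sed one-liner: it matches method=post in any letter case and with single, double or no quotes, and it skips forms that already carry the tag, so it can be re-run over a template tree without doubling tokens. The function names and the sample template are my own construction.

```python
import os
import re

# Opening <form ...> tag whose attribute list contains method=post (any case,
# quoted or not), followed by optional whitespace and an optional csrf_token
# tag that a previous run may already have inserted.
POST_FORM_RE = re.compile(
    r'(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)'   # group 1: the form tag
    r'(\s*{%\s*csrf_token\s*%})?',                           # group 2: existing tag, if any
    re.IGNORECASE,
)

CSRF_TAG = '{% csrf_token %}'


def add_csrf_tokens(html):
    """Insert {% csrf_token %} directly after every POST form tag in html.

    Forms that already carry the tag are returned untouched, so running this
    twice over the same template gives the same result as running it once.
    """
    def insert(match):
        if match.group(2):
            return match.group(0)          # already protected: leave as-is
        return match.group(1) + CSRF_TAG
    return POST_FORM_RE.sub(insert, html)


def rewrite_templates(root):
    """Apply add_csrf_tokens to every *.html file under root, in place.

    Returns the list of files that were actually modified.
    """
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.html'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8') as fh:
                original = fh.read()
            updated = add_csrf_tokens(original)
            if updated != original:
                with open(path, 'w', encoding='utf-8') as fh:
                    fh.write(updated)
                changed.append(path)
    return changed


# Constructed sample template covering the three cases the rewrite must handle:
# an unprotected POST form, one that already has the tag, and a GET form.
SAMPLE_TEMPLATE = '''<form action="/login/" method="post">
  <input name="username"><input type="submit">
</form>
<form method='POST' action="/transfer/">{% csrf_token %}<input name="amount"></form>
<form method="get" action="/search/"><input name="q"></form>
'''

if __name__ == '__main__':
    print(add_csrf_tokens(SAMPLE_TEMPLATE))
```

Run `rewrite_templates('templates')` from the project root to get the in-place behaviour of the find/sed command; the GET form in the sample is deliberately left alone, since only state-changing POST forms need the token.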

CSRF docs? TLDR

I recently ported my handful of sites to 1.2 and was irked by both the invasiveness of the changes required by the CSRF tools and all the seeming caveats in the docs. So here's the bare bones of what you need to do:

  1. in any form that does a POST, make sure there is a {% csrf_token %} in there
  2. add 'django.middleware.csrf.CsrfViewMiddleware' to your middleware settings

Ignore Csrf

Maybe you don't want to deal with CSRF at all. Add the following middleware class to your middleware settings above (i.e. before) the CSRF middleware:

class IgnoreCsrfMiddleware(object):
    # Runs before CsrfViewMiddleware; the flag tells it the check has already
    # happened, so it skips the token comparison for every request site-wide.
    def process_request(self, request):
        request.csrf_processing_done = True
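To make the two-step setup above and the effect of the ignore middleware concrete, here is an added, self-contained Python model of what the middleware decides, written for this page and not Django's own code: the csrftoken cookie and the hidden csrfmiddlewaretoken field that {% csrf_token %} renders must agree on a POST, and the csrf_processing_done flag short-circuits the whole check. It omits the Referer check Django also does on HTTPS; the Request class, helper names and sample requests are constructed for the example.

```python
import hmac
import secrets


class Request(object):
    """Minimal stand-in for Django's HttpRequest: only the pieces the check reads."""
    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}


def issue_token():
    """Fresh random token; Django keeps it in the 'csrftoken' cookie."""
    return secrets.token_hex(16)


def csrf_hidden_input(token):
    """What {% csrf_token %} renders to inside a POST form."""
    return ('<input type="hidden" name="csrfmiddlewaretoken" value="%s">'
            % token)


def csrf_check(request):
    """Simplified model of CsrfViewMiddleware's decision (not Django's code).

    Returns True when the request may proceed and False when it should be
    rejected with 403. The HTTPS Referer check Django performs is left out.
    """
    # Safe methods are never checked.
    if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
        return True
    # This is the flag IgnoreCsrfMiddleware sets: once present, no checking
    # happens at all, which is why that class disables protection site-wide.
    if getattr(request, 'csrf_processing_done', False):
        return True
    cookie_token = request.COOKIES.get('csrftoken')
    form_token = request.POST.get('csrfmiddlewaretoken')
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison of the cookie value against the form field.
    return hmac.compare_digest(cookie_token, form_token)


def legitimate_request(token):
    """Browser submits the site's own form: cookie and hidden field agree."""
    return Request('POST', cookies={'csrftoken': token},
                   post={'csrfmiddlewaretoken': token, 'amount': '100'})


def cross_site_request(token):
    """A form submitted from another origin: the browser still attaches the
    cookie, but that origin cannot read it, so the hidden field is absent."""
    return Request('POST', cookies={'csrftoken': token},
                   post={'amount': '100'})


if __name__ == '__main__':
    token = issue_token()
    print(csrf_hidden_input(token))
    print('legitimate :', csrf_check(legitimate_request(token)))   # True
    print('cross-site :', csrf_check(cross_site_request(token)))   # False
    skipped = cross_site_request(token)
    skipped.csrf_processing_done = True                            # IgnoreCsrfMiddleware
    print('flag set   :', csrf_check(skipped))                     # True
```

The third case is the one to keep in mind before adding IgnoreCsrfMiddleware: with the flag set, the cross-site request that the token check would have rejected goes through unchanged.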

Comments (2)

memo

This is quite handy :-)

June 17, 2010 at 4:04 a.m.

Luke Plant

You forgot to mention that you also need to ensure that the template is rendered using RequestContext. There is a script in extras/ which might help with that.

June 17, 2010 at 6:56 p.m.
