CSRF compatibility in Django 1.2

Issue #1064 duplicate
issackelly created an issue

No posts work if 'django.middleware.csrf.CsrfViewMiddleware' middleware is enabled, which is default in django 1.2.

Presumably the legacy method: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#legacy-method could be used, but there aren't notes about that anywhere in the satchmo install.

Comments (5)

  1. Chris Moffitt repo owner

    This is a valid issue. I haven't spent much time trying to figure out how much work to convert to the new csrf functionality. I'd also prefer to keep Satchmo 0.9.1 compatible for 1.1.X but am not 100% convinced.

  2. Former user Account Deleted

    It looks like the fix would be to install {% csrf_token %} on the forms.

    I think (unverified) that the issue with that would be that the template tag would throw an error in older versions where that template tag is not used.

    If I get a chance to test some of it, I'll post here.

  3. issackelly reporter

    I've come up with a couple of options I think. It's possible to upgrade to 1.2 through just inserting the csrf template tags. It could be possible to have a temporary migration script to maintain backwards compatibility with an extra install step in one or the other (remove all instances of the token, or add them).

    The other options, I don't think are preferred, because they are largely workarounds for what will be the default functionality moving forward, but you could skip the template tag, and add in the (old) required middleware. That will be removed as of Django 1.4 so it's not really a good time to make that change.

    There's a 'csrf_migration_helper' script in the extras folder that could most likely be used to insert the tag where necessary with some modification.

    You could also insert the tag, and have some templatetag that only applies to versions <=1.1.1 that ignores the csrf_token.
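Comments 2 and 3 describe two pieces of the migration: adding `{% csrf_token %}` to every POST form so Django 1.2's CsrfViewMiddleware accepts the submission, and shimming the tag on Django <=1.1.1 where it does not exist. The block below is an added illustration of both, not Satchmo's own csrf_migration_helper script nor any project code; the template source is constructed, and the function and tag names are assumed.

```python
# Added example, not Satchmo project code. Two helpers: a checker/inserter for
# {% csrf_token %} in POST forms, and a no-op tag shim for old Django releases.
import re

# Matches a whole <form>...</form> element (assumes no '>' inside attribute values).
FORM_RE = re.compile(r'<form\b[^>]*>.*?</form>', re.IGNORECASE | re.DOTALL)
METHOD_POST_RE = re.compile(r'\bmethod\s*=\s*["\']?post["\']?', re.IGNORECASE)
CSRF_TAG_RE = re.compile(r'\{%\s*csrf_token\s*%\}')

def _split_form(form):
    """Return (opening_tag, rest) for a matched form element."""
    end = form.index('>') + 1
    return form[:end], form[end:]

def post_forms_missing_csrf(source):
    """Opening tags of POST forms that lack {% csrf_token %} (GET forms are exempt)."""
    missing = []
    for m in FORM_RE.finditer(source):
        open_tag, _ = _split_form(m.group(0))
        if METHOD_POST_RE.search(open_tag) and not CSRF_TAG_RE.search(m.group(0)):
            missing.append(open_tag)
    return missing

def insert_csrf_token(source):
    """Insert {% csrf_token %} right after the opening tag of each unprotected POST form."""
    def fix(m):
        open_tag, rest = _split_form(m.group(0))
        if METHOD_POST_RE.search(open_tag) and not CSRF_TAG_RE.search(m.group(0)):
            return open_tag + '{% csrf_token %}' + rest
        return m.group(0)
    return FORM_RE.sub(fix, source)

def needs_csrf_noop(version):
    """True when django.VERSION predates the csrf_token tag (<= 1.1.1, per the thread)."""
    return tuple(version[:3]) <= (1, 1, 1)

# Shim: on old Django, register a csrf_token tag that renders nothing so templates
# carrying the tag keep working. Guarded so this module also runs without Django.
try:
    import django
    from django import template
    register = template.Library()  # load with {% load <this module name> %} (assumed)
    class _NoopNode(template.Node):
        def render(self, context):
            return ''
    if needs_csrf_noop(django.VERSION):
        register.tag('csrf_token', lambda parser, token: _NoopNode())
except ImportError:
    pass

# Constructed sample template: one unprotected POST form, one GET form, one protected form.
SAMPLE = ('<form method="post" action="/cart/add/"><input name="qty"></form>\n'
          '<form method="get" action="/search/"><input name="q"></form>\n'
          '<form method="POST" action="/checkout/">{% csrf_token %}<input type="submit"></form>\n')
```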

  4. Chris Moffitt repo owner

    We could discuss the option with folks on the list about whether or not we should just bite the bullet and make our next release require Django 1.2.

    If this were a nice-to-have feature request I wouldn't do it, but this is a security feature and we should always try to do the latest from a security perspective. If we think it's the best option to move forward and add csrf, we could ask the list and see how much pain it causes people.
