How to disable Django's CSRF validation?

梦毁少年i 2020-11-30 21:23

I have commented out csrf processor and middleware lines in settings.py:

TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.auth.


        
9 answers
  • 2020-11-30 22:00

    @WoooHaaaa some third-party packages use the 'django.middleware.csrf.CsrfViewMiddleware' middleware. For example, I use django-rest-oauth and I have a problem like yours even after disabling those things. Maybe these packages responded to your request, as in my case, because you use an authentication decorator or something like this.

  • 2020-11-30 22:10

    The answer might be inappropriate, but I hope it helps you

    from django.conf import settings


    class DisableCSRFOnDebug(object):
        def process_request(self, request):
            # Skip CSRF enforcement only while DEBUG is enabled
            if settings.DEBUG:
                setattr(request, '_dont_enforce_csrf_checks', True)
    

    Having middleware like this helps to debug requests and to check csrf in production servers.

  • 2020-11-30 22:11

    In settings.py, in MIDDLEWARE, you can simply remove/comment out this line:

    'django.middleware.csrf.CsrfViewMiddleware',
    
  • 2020-11-30 22:14

    To disable CSRF for class based views the following worked for me.
    Using django 1.10 and python 3.5.2

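    from django.http import HttpResponse
    from django.utils.decorators import method_decorator
    from django.views.decorators.csrf import csrf_exempt
    from django.views.generic import View

    # Exempt every HTTP method of this view by decorating dispatch()
    @method_decorator(csrf_exempt, name='dispatch')
    class TestView(View):
        def post(self, request, *args, **kwargs):
            return HttpResponse('Hello world')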
    
  • 2020-11-30 22:15

    For Django 2:

    from django.utils.deprecation import MiddlewareMixin
    
    
    class DisableCSRF(MiddlewareMixin):
        def process_request(self, request):
            setattr(request, '_dont_enforce_csrf_checks', True)
    

    That middleware must be added to settings.MIDDLEWARE when appropriate (in your test settings for example).

    Note: the setting isn't called MIDDLEWARE_CLASSES anymore.

  • 2020-11-30 22:16

    The problem here is that SessionAuthentication performs its own CSRF validation. That is why you get the CSRF missing error even when the CSRF middleware is commented out. You could add @csrf_exempt to every view, but if you want to disable CSRF and have session authentication for the whole app, you can add an extra middleware like this:

    class DisableCSRFMiddleware(object):

        def __init__(self, get_response):
            self.get_response = get_response

        def __call__(self, request):
            # Mark the request so CSRF checks are not enforced for it
            setattr(request, '_dont_enforce_csrf_checks', True)
            response = self.get_response(request)
            return response
    

    I created this class in myapp/middle.py. Then import this middleware in MIDDLEWARE in settings.py:

    MIDDLEWARE = [
        'django.middleware.common.CommonMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        #'django.middleware.csrf.CsrfViewMiddleware',
        'myapp.middle.DisableCSRFMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    
    ]
    

    That works with DRF on django 1.11

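An added example, not part of any answer above: a standard-library audit function that flags the three CSRF-disabling patterns shown on this page (the `_dont_enforce_csrf_checks` flag, `csrf_exempt` decorators, and a `MIDDLEWARE` list without `CsrfViewMiddleware`), for checking that a debug-only bypass has not reached production code. The function name, finding labels and sample source are constructed for illustration.

```python
import ast

CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"
BYPASS_ATTR = "_dont_enforce_csrf_checks"  # flag the answers above set on the request


def find_csrf_bypasses(source):
    """Return sorted (line, kind) findings for CSRF-disabling patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # setattr(request, '_dont_enforce_csrf_checks', ...)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "setattr" and len(node.args) >= 2
                and isinstance(node.args[1], ast.Constant)
                and node.args[1].value == BYPASS_ATTR):
            findings.append((node.lineno, "bypass-flag"))
        targets = node.targets if isinstance(node, ast.Assign) else []
        for target in targets:
            # request._dont_enforce_csrf_checks = ...
            if isinstance(target, ast.Attribute) and target.attr == BYPASS_ATTR:
                findings.append((node.lineno, "bypass-flag"))
            # MIDDLEWARE = [...] lacking the CSRF middleware (e.g. commented out)
            elif (isinstance(target, ast.Name) and target.id == "MIDDLEWARE"
                    and isinstance(node.value, (ast.List, ast.Tuple))):
                entries = [getattr(e, "value", None) for e in node.value.elts]
                if CSRF_MIDDLEWARE not in entries:
                    findings.append((node.lineno, "csrf-middleware-missing"))
        # @csrf_exempt or @method_decorator(csrf_exempt, name='dispatch')
        for dec in getattr(node, "decorator_list", []):
            if any(isinstance(n, ast.Name) and n.id == "csrf_exempt"
                   for n in ast.walk(dec)):
                findings.append((dec.lineno, "csrf_exempt"))
    return sorted(findings)


# Constructed sample mirroring the patterns in the answers above (parsed, never run).
SAMPLE = '''\
class DisableCSRFMiddleware(object):
    def __call__(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)
        return self.get_response(request)
@method_decorator(csrf_exempt, name='dispatch')
class TestView(View): pass
MIDDLEWARE = [
    #'django.middleware.csrf.CsrfViewMiddleware',
    'myapp.middle.DisableCSRFMiddleware',
]
'''
```

Calling `find_csrf_bypasses(SAMPLE)` returns one finding per pattern with its line number; run it over each settings and middleware module in a CI step and fail the build on any finding outside test settings.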