stackoom
  简体   繁体   中英

Python - render with csrf protection

 原文  2013-07-01 16:07:55       python/ django/ csrf

Question

I've read several posts about csrf protection in Django, including Django's documentation , but I'm still quite confused in how to use it correctly.

The clearest part is the HTML one, but the Python's one is kinda confusing.

HTML

{% csrf_token %} inside the form

Python 

c = {}
c.update(csrf(request))

You need it in every form when displaying and requesting the information, don't you?

Then, how do you include this csrf protection in the return render() ? Is this correct?

return render(request,'index.html',{'var':var_value})

or should I include the c somewhere like in the Python documentation example ( return render_to_response("a_template.html", c) ). Or, if it's correct, is it included in the request var?

And, when not needing to use csrf because I don't have any form. Would this be the right form to return values to a template?

return render(request,'index.html',{'var':var_value})

3 answers

solution1
 3 ACCPTED  2013-07-01 16:23:06

The point of using the render shortcut is that it then runs all the context processors automatically. Context processors are useful little functions that add various things to the template context every time a template is rendered. And there is a built-in context processor that already adds the CSRF token for you. So, if you use render , there is nothing more to do other than to output the token in the template.

solution2
 0  2013-07-01 16:11:01

As far as I remember Django has its own middleware for the csrf protection that handles everthing transparently for you. Just include the {% csrf_token %} inside you forms. CSRF token is mandatory for POST requests (except you use the @csrf_exempt decorator). So a form would be: 

<form action="." method="post">
{% csrf_token %}
 your input fields and submit button...
</form>

Hope this helps.

solution3
 0  2013-07-01 16:14:51

As long as you have the "django.middleware.csrf.CsrfViewMiddleware" listed in your MIDDLEWARE_CLASSES variable in the settings file you should be to just have {% csrf_token %} in your templates.

There's a lot more useful info in the docs: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Implementing CSRF protection in a Python REST API CSRF protection on Django FormView Django CSRF Protection Issue CSRF protection on AJAX authentication in Flask Django + Caddy = CSRF protection issues Django CSRF Protection Fails During Testing CSRF Protection in a Flask Framework that uses Dash CSRF protection to a view with a download api request Django forms with CSRF protection in IOS 14+ Using CSRF protection with WTForms-Alchemy
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM