django1/django/views/decorators/csrf.py

from functools import wraps

from django.middleware.csrf import CsrfViewMiddleware, get_token
from django.utils.decorators import decorator_from_middleware

csrf_protect = decorator_from_middleware(CsrfViewMiddleware)
csrf_protect.__name__ = "csrf_protect"
csrf_protect.__doc__ = """
This decorator adds CSRF protection in exactly the same way as
CsrfViewMiddleware, but it can be used on a per view basis.  Using both, or
using the decorator multiple times, is harmless and efficient.
"""


class _EnsureCsrfToken(CsrfViewMiddleware):
    # Behave like CsrfViewMiddleware but don't reject requests or log warnings.
    def _reject(self, request, reason):
        return None


requires_csrf_token = decorator_from_middleware(_EnsureCsrfToken)
requires_csrf_token.__name__ = 'requires_csrf_token'
requires_csrf_token.__doc__ = """
Use this decorator on views that need a correct csrf_token available to
RequestContext, but without the CSRF protection that csrf_protect
enforces.
"""


class _EnsureCsrfCookie(CsrfViewMiddleware):
    def _reject(self, request, reason):
        return None

    def process_view(self, request, callback, callback_args, callback_kwargs):
        retval = super().process_view(request, callback, callback_args, callback_kwargs)
        # Force process_response to send the cookie
        get_token(request)
        return retval


ensure_csrf_cookie = decorator_from_middleware(_EnsureCsrfCookie)
ensure_csrf_cookie.__name__ = 'ensure_csrf_cookie'
ensure_csrf_cookie.__doc__ = """
Use this decorator to ensure that a view sets a CSRF cookie, whether or not it
uses the csrf_token template tag, or the CsrfViewMiddleware is used.
"""


def csrf_exempt(view_func):
    """Mark a view function as being exempt from the CSRF view protection."""
    # view_func.csrf_exempt = True would also work, but decorators are nicer
    # if they don't have side effects, so return a new function.
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wraps(view_func)(wrapped_view)
Removed a bunch more Python 2.4 workarounds now that we don't support that version. Refs #15702 -- thanks to jonash for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15927 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-03-28 10:11:19 +08:00			`from functools import wraps`
Moved contrib.csrf.* to core code. There is stub code for backwards compatiblity with Django 1.1 imports. The documentation has been updated, but has been left in docs/contrib/csrf.txt for now, in order to avoid dead links to documentation on the website. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-10-27 08:36:34 +08:00
Sorted imports with isort; refs #23860. 2015-01-28 20:35:27 +08:00			`from django.middleware.csrf import CsrfViewMiddleware, get_token`
Refs #23919 -- Removed django.utils.decorators.available_attrs() usage. It's only needed to workaround a bug on Python 2. 2017-01-22 02:20:17 +08:00			`from django.utils.decorators import decorator_from_middleware`
Sorted imports with isort; refs #23860. 2015-01-28 20:35:27 +08:00
Moved contrib.csrf.* to core code. There is stub code for backwards compatiblity with Django 1.1 imports. The documentation has been updated, but has been left in docs/contrib/csrf.txt for now, in order to avoid dead links to documentation on the website. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-10-27 08:36:34 +08:00			`csrf_protect = decorator_from_middleware(CsrfViewMiddleware)`
			`csrf_protect.__name__ = "csrf_protect"`
			`csrf_protect.__doc__ = """`
			`This decorator adds CSRF protection in exactly the same way as`
			`CsrfViewMiddleware, but it can be used on a per view basis. Using both, or`
			`using the decorator multiple times, is harmless and efficient.`
			`"""`

Fixed #14565 - No csrf_token on 404 page. This solution doesn't have the negative side-effects of [14356]. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2010-10-28 19:47:15 +08:00
			`class _EnsureCsrfToken(CsrfViewMiddleware):`
Refs #27656 -- Updated django.views docstring verbs according to PEP 257. 2017-01-25 04:36:07 +08:00			`# Behave like CsrfViewMiddleware but don't reject requests or log warnings.`
Fixed #14565 - No csrf_token on 404 page. This solution doesn't have the negative side-effects of [14356]. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2010-10-28 19:47:15 +08:00			`def _reject(self, request, reason):`
			`return None`


			`requires_csrf_token = decorator_from_middleware(_EnsureCsrfToken)`
			`requires_csrf_token.__name__ = 'requires_csrf_token'`
Fix a small docstring bug in the CSRF decorators. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15026 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2010-12-23 05:49:20 +08:00			`requires_csrf_token.__doc__ = """`
Fixed #14565 - No csrf_token on 404 page. This solution doesn't have the negative side-effects of [14356]. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2010-10-28 19:47:15 +08:00			`Use this decorator on views that need a correct csrf_token available to`
			`RequestContext, but without the CSRF protection that csrf_protect`
			`enforces.`
			`"""`

Fixed #15354 - provide method to ensure CSRF token is always available for AJAX requests Thanks to sayane for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16192 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-05-10 05:35:24 +08:00
			`class _EnsureCsrfCookie(CsrfViewMiddleware):`
			`def _reject(self, request, reason):`
			`return None`

			`def process_view(self, request, callback, callback_args, callback_kwargs):`
Refs #23919 -- Replaced super(ClassName, self) with super(). 2017-01-21 21:13:44 +08:00			`retval = super().process_view(request, callback, callback_args, callback_kwargs)`
Refs #27656 -- Updated django.views docstring verbs according to PEP 257. 2017-01-25 04:36:07 +08:00			`# Force process_response to send the cookie`
Fixed #15354 - provide method to ensure CSRF token is always available for AJAX requests Thanks to sayane for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16192 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-05-10 05:35:24 +08:00			`get_token(request)`
			`return retval`


			`ensure_csrf_cookie = decorator_from_middleware(_EnsureCsrfCookie)`
			`ensure_csrf_cookie.__name__ = 'ensure_csrf_cookie'`
			`ensure_csrf_cookie.__doc__ = """`
			`Use this decorator to ensure that a view sets a CSRF cookie, whether or not it`
			`uses the csrf_token template tag, or the CsrfViewMiddleware is used.`
			`"""`


Deprecated csrf_response_exempt and csrf_view_exempt decorators With the removal of CsrfResponseMiddleware, csrf_response_exempt serves no purposes, and csrf_exempt and csrf_view_exempt perform the same function. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15956 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2011-03-31 01:35:41 +08:00			`def csrf_exempt(view_func):`
Refs #27656 -- Updated django.views docstring verbs according to PEP 257. 2017-01-25 04:36:07 +08:00			`"""Mark a view function as being exempt from the CSRF view protection."""`
			`# view_func.csrf_exempt = True would also work, but decorators are nicer`
			`# if they don't have side effects, so return a new function.`
Moved contrib.csrf.* to core code. There is stub code for backwards compatiblity with Django 1.1 imports. The documentation has been updated, but has been left in docs/contrib/csrf.txt for now, in order to avoid dead links to documentation on the website. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-10-27 08:36:34 +08:00			`def wrapped_view(args, *kwargs):`
			`return view_func(args, *kwargs)`
			`wrapped_view.csrf_exempt = True`
Refs #23919 -- Removed django.utils.decorators.available_attrs() usage. It's only needed to workaround a bug on Python 2. 2017-01-22 02:20:17 +08:00			`return wraps(view_func)(wrapped_view)`