CSRF middleware
- From: Luke Tucker
- Date: 2010-06-11 @ 17:12
Hey,
I noticed in the recent profile work that the CSRF middleware has been
enabled globally
http://github.com/GeoNode/geonode/commit/6316a68687c3c5b17776c83e0126eddbd432f99a
I think currently this is breaking almost everything that does a POST since
we have not enabled this in the past and do not have tokens present in forms
(especially ones generated by JavaScript...). It seems like a generally
good thing to have enabled imo, but is this something we want enabled for
all views? If so, we need to do a more careful sweep for things doing POSTs.
If not, we should use the csrf_protect decorator in the places where it is
specifically necessary.
- Luke
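
One way to start the sweep the message asks for, as an added example that is not part of the original e-mail or GeoNode's code: a stdlib-only scan of Django template text for POST forms that contain no `{% csrf_token %}` tag. The function name and the sample template are constructed for illustration; forms built by JavaScript at runtime are not visible to a template scan and have to be found separately.

```python
import re

# An opening <form ...> tag through its closing </form>, across lines.
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form\s*>", re.IGNORECASE | re.DOTALL)
METHOD_RE = re.compile(r"""\bmethod\s*=\s*["']?\s*post\b""", re.IGNORECASE)
ACTION_RE = re.compile(r"""\baction\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)
TOKEN_RE = re.compile(r"{%\s*csrf_token\s*%}")

# Constructed sample template: one protected POST form, one GET form,
# and one POST form that would be rejected once the middleware is global.
SAMPLE = """<h1>Profile</h1>
<form method="post" action="/profiles/edit/">
  {% csrf_token %}
  <input name="email">
</form>
<form action="/search/" method="get"><input name="q"></form>
<form method="POST" action="{% url 'upload' %}">
  <input type="file" name="f">
</form>
"""


def find_unprotected_post_forms(template_text):
    """Return (line_number, action) for each POST form lacking {% csrf_token %}."""
    findings = []
    for match in FORM_RE.finditer(template_text):
        attrs, body = match.group(1), match.group(2)
        if not METHOD_RE.search(attrs):
            continue  # only POST forms need a token in the form body
        if TOKEN_RE.search(body):
            continue  # token present, the middleware check can pass
        line = template_text.count("\n", 0, match.start()) + 1
        action = ACTION_RE.search(attrs)
        findings.append((line, action.group(2) if action else ""))
    return findings


if __name__ == "__main__":
    for line, action in find_unprotected_post_forms(SAMPLE):
        print("line %d: POST form to %r has no csrf_token" % (line, action))
```

Each finding is a template to fix if the middleware stays global, or a view to leave alone if protection is applied per view with `csrf_protect` instead.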