This form subclass helps protect against cross-site request forgery by adding a hidden field named csrf_token
to forms. The form must be initialized with the request as a keyword argument, both with and without POST data:
my_form = MySignedForm(request=request)
...
my_form = MySignedForm(request.POST, request=request)
Upon validation, a PermissionDenied
exception will be raised if forgery is detected.
If any security details have been overlooked in this recipe, please leave a comment.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | from django import forms
from django.core.exceptions import PermissionDenied
from django.contrib.csrf.middleware import _make_token, _ERROR_MSG
class HiddenInputWithoutID(forms.HiddenInput):
def render(self, name, value, attrs=None):
if attrs and 'id' in attrs:
del attrs['id']
return super(HiddenInputWithoutID, self).render(name, value, attrs=attrs)
class SignedForm(forms.Form):
csrf_token = forms.CharField(max_length=32, widget=HiddenInputWithoutID)
def __init__(self, *args, **kwargs):
request = kwargs.pop('request', None)
if request:
csrf_token = _make_token(request.session.session_key)
kwargs.setdefault('initial', {})['csrf_token'] = csrf_token
return super(SignedForm, self).__init__(*args, **kwargs)
def clean_csrf_token(self):
csrf_token = self.initial.get('csrf_token')
value = self.cleaned_data.get('csrf_token')
if csrf_token != value:
raise PermissionDenied(_ERROR_MSG)
return value
|
More like this
- Template tag - list punctuation for a list of items by shapiromatron 11 months, 2 weeks ago
- JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 11 months, 3 weeks ago
- Serializer factory with Django Rest Framework by julio 1 year, 6 months ago
- Image compression before saving the new model / work with JPG, PNG by Schleidens 1 year, 7 months ago
- Help text hyperlinks by sa2812 1 year, 7 months ago
Comments
@Tarken: Greater control. See the Limitations section on that page. Also, I consider the approach of parsing and rewriting the entire response inherently ugly. :)
#
Please login first before commenting.