Add CSRF protection to all POSTable views in Djblets.
Review Request #5571 — Created March 2, 2014 and submitted
All views in Djblets that handle HTTP POST requests are now decorated with a `@csrf_protect` decorator, and have matching `{% csrf_token %}` tags in the templates. This adds a layer of protection we didn't have before.

The API is unaffected, as adding CSRF protection to APIs sort of defeats the purpose of APIs. There are other protections we may want to make here, but that's a separate task.
Tested each view in Review Board, with the `{% csrf_token %}` tags removed. Saw the CSRF validation failures. Added back the tags, and was able to POST.
Description | From | Last Updated |
---|---|---|
This should be left-aligned, no? | david | |