Django CSRF framework cannot be disabled and is breaking my site

Question

The django csrf middleware can't be disabled. I've commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware?

I have to disable it because there are lots of POST requests on my site that CSRF just breaks. Any feedback on how I can completely disable CSRF in a django trunk project?

The "new' CSRF framework from Django's trunk is also breaking an external site that is coming in and doing a POST on a URL I'm giving them (this is part of a restful API.) I can't disable the CSRF framework as I said earlier, how can I fix this?

Answer 1

Yes, Django csrf framework can be disabled.

To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example: (see doc)

from django.views.decorators.csrf import csrf_exempt                                           @csrf_exempt                                                                                   def my_view:                                                                                 return Httpresponse("hello world") 

..and then remove {% csrf_token %} inside the forms from your template,or leave other things unchanged if you have not included it in your forms.

Answer 2

You can disable this in middleware.

In your settings.py add a line to MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (      myapp.disable.DisableCSRF,   ) 

Create a disable.py in myapp with the following

class DisableCSRF(object):     def process_request(self, request):         setattr(request, '_dont_enforce_csrf_checks', True) 

Basically if you set the _dont_enforce_csrf_checks in your request, you should be ok.