| from django.middleware.csrf import CsrfViewMiddleware |
| from django.utils.decorators import decorator_from_middleware, available_attrs |
| |
| try: |
| from functools import wraps |
| except ImportError: |
| from django.utils.functional import wraps # Python 2.4 fallback. |
| |
| csrf_protect = decorator_from_middleware(CsrfViewMiddleware) |
| csrf_protect.__name__ = "csrf_protect" |
| csrf_protect.__doc__ = """ |
| This decorator adds CSRF protection in exactly the same way as |
| CsrfViewMiddleware, but it can be used on a per view basis. Using both, or |
| using the decorator multiple times, is harmless and efficient. |
| """ |
| |
| |
| class _EnsureCsrfToken(CsrfViewMiddleware): |
| # We need this to behave just like the CsrfViewMiddleware, but not reject |
| # requests. |
| def _reject(self, request, reason): |
| return None |
| |
| |
| requires_csrf_token = decorator_from_middleware(_EnsureCsrfToken) |
| requires_csrf_token.__name__ = 'requires_csrf_token' |
| requires_csrf_token.__doc__ = """ |
| Use this decorator on views that need a correct csrf_token available to |
| RequestContext, but without the CSRF protection that csrf_protect |
| enforces. |
| """ |
| |
| def csrf_response_exempt(view_func): |
| """ |
| Modifies a view function so that its response is exempt |
| from the post-processing of the CSRF middleware. |
| """ |
| def wrapped_view(*args, **kwargs): |
| resp = view_func(*args, **kwargs) |
| resp.csrf_exempt = True |
| return resp |
| return wraps(view_func, assigned=available_attrs(view_func))(wrapped_view) |
| |
| def csrf_view_exempt(view_func): |
| """ |
| Marks a view function as being exempt from CSRF view protection. |
| """ |
| # We could just do view_func.csrf_exempt = True, but decorators |
| # are nicer if they don't have side-effects, so we return a new |
| # function. |
| def wrapped_view(*args, **kwargs): |
| return view_func(*args, **kwargs) |
| wrapped_view.csrf_exempt = True |
| return wraps(view_func, assigned=available_attrs(view_func))(wrapped_view) |
| |
| def csrf_exempt(view_func): |
| """ |
| Marks a view function as being exempt from the CSRF checks |
| and post processing. |
| |
| This is the same as using both the csrf_view_exempt and |
| csrf_response_exempt decorators. |
| """ |
| return csrf_response_exempt(csrf_view_exempt(view_func)) |