#34830: csrf_failure view missing context processors
---------------------------------------+------------------------
Reporter: Alex Henman | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
---------------------------------------+------------------------
The default `csrf_failure` view does not pass the request to the template
rendering engine which means that all context processors are missing.
This is problematic if you override the default `403_csrf.html` template
without customising the view and are expecting the same default context
you would get access to in other templates.
----
I think the most straightforward way to replicate on a default Django
deployment would be to add a custom `403_csrf.html` template to your
templates dir and attempt to access from some of Django's built-in context
processors, e.g. `request` or `TIME_ZONE`.
----
The fix should be very straightforward unless there's a good reason not
to pass the request to the template engine in this view. The view
currently looks like this:
{{{
#!python
# Excerpt from django/views/csrf.py (Django 4.2). The module-level imports and
# the template-name constant are reproduced for context; the rest of the
# context dict is elided as in the original, and builtin_template_path() is a
# helper defined elsewhere in the same module.
from django.http import HttpResponseForbidden
from django.template import Context, Engine, TemplateDoesNotExist, loader
from django.utils.translation import gettext as _

CSRF_FAILURE_TEMPLATE_NAME = "403_csrf.html"


def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
    """
    Default view used when request fails CSRF protection
    """
    from django.middleware.csrf import REASON_NO_CSRF_COOKIE, REASON_NO_REFERER

    c = {
        "title": _("Forbidden"),
        ...
    }
    try:
        t = loader.get_template(template_name)
    except TemplateDoesNotExist:
        if template_name == CSRF_FAILURE_TEMPLATE_NAME:
            # If the default template doesn't exist, use the fallback
            # template.
            with builtin_template_path("csrf_403.html").open(encoding="utf-8") as fh:
                t = Engine().from_string(fh.read())
            c = Context(c)
        else:
            # Raise if a developer-specified template doesn't exist.
            raise
    # The request is not handed to render(), so when the template comes from
    # the configured engine none of the context processors run.
    return HttpResponseForbidden(t.render(c))
}}}
So it just needs modifying to `t.render(c, request)`.
--
Ticket URL: <https://code.djangoproject.com/ticket/34830>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.