Re: [Django] #34830: csrf_failure view missing context processors

Tue, 07 Nov 2023 12:19:45 -0800 

#34830: csrf_failure view missing context processors
-----------------------------+------------------------------------------
     Reporter:  Alex Henman  |                    Owner:  Natalia Bidart
         Type:  Bug          |                   Status:  assigned
    Component:  CSRF         |                  Version:  dev
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  0            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+------------------------------------------

Comment (by Natalia Bidart):

 Thank you Tim for the pointer. After some investigation, I see that
 `server_error` and `bad_request` suffer from the same issue (`request` is
 not passed when rendering the loaded/custom template).

 I did some git history analysis and both `page_not_found` and
 `server_error` rendering got a `RequestContext` added in #688
 ([https://github.com/django/django/commit/dc4f726df9 commit]), but
 `server_error` got it quickly replaced by a `Context` in
 
[https://github.com/django/django/commit/10229c4a1e8532e31310a6e2a74fe12ed2b3b26b
 this commit] to "lessen the chance that the 500 view would raise an error
 in itself".

 OTOH, `permission_denied` was built with a `RequestContext` from the start
 when fixing #9847 in
 
[https://github.com/django/django/commit/1ca6e9b9e24240033349c93b05902c79c0a25bbb
 this commit].

 Then,
 
[https://github.com/django/django/commit/d228c1192ed59ab0114d9eba82ac99df611652d2
 bad_request] and
 
[https://github.com/django/django/commit/16945f0e9c57aeabadb6f2e2f150a2687455be40
 csrf_failure] views were "born" without getting the request passed when
 rendering the template, and one could argue that these should be doing a
 similar template handling to what `page_not_found` is doing.

 So, at this point, I'm guessing we should leave `server_error` as is, but
 I'm inclined to fix both `bad_request` and `csrf_failure` views,
 effectively matching what `page_not_found` provides. I'm unclear on
 whether we should re-title this ticket as you originally proposed, and
 create a new one to "fix" the mentioned views; or re-title this ticket to
 something like "Missing context processors in bad_request and csrf_failure
 views" and tackle the same conceptual fix in one (follow up) PR.

 Any preference/guidance? Thanks again! I have TIL a lot today
 :partying_face:

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34830#comment:18>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/0107018bab70c9f1-9ea684de-8ecd-4091-ae96-85117f0f16ad-000000%40eu-central-1.amazonses.com.

Reply via email to