Jul 4, 2011

Django: upgrading Django from 1.1 to 1.2.5 and CSRF protection modifications

Greetings!
Yesterday I completed a quick upgrade from Django version 1.1 to the oldest supported version, 1.2.5. I had a lot of background for doing so:
- First, my hosting has Django 1.2.5 already installed.
- Second, I had some thoughts on using old stuff. It's better to evolve in Django version too :)
- Third, and the main one: a social authentication plugin newly found on Google was the final dot in my decision...

So I'll try to share my experience of migrating (updating) my project's Django from version 1.1 (which it was developed on) to the oldest now-supported version, 1.2.5.

Let's get started.

1. Read the release 1.2 docs.
I needed a quick solution. In general I had some issues with the site giving me errors about {csrf_token} not being present in a form's POST request.

To handle this, which is IMHO the main issue when upgrading, you have to deal with the backwards-incompatible change to Cross Site Request Forgery protection. You can read the official Django docs about the new CSRF protection and/or use this quick manual.

2. Add the CSRF middlewares to your settings.MIDDLEWARE_CLASSES
You need to add 'django.middleware.csrf.CsrfViewMiddleware' and 'django.middleware.csrf.CsrfResponseMiddleware' to your MIDDLEWARE_CLASSES, replacing any old entries beginning with 'django.contrib.csrf.middleware. ...' if any are present.

3. Fix existing forms
Now you need to add {% csrf_token %} inside all forms posted by plain HTML. Note that this applies to forms that are not submitted by JavaScript of some kind, or, as in my case, to forms where a jQuery plugin overrides the POST method, takes all the form data and simply submits it. So JavaScript wasn't a problem in my case.
For example, your new form header might look like:

<form action="" method="post">{% csrf_token %}


4. Finally, polish the errors that appear
Now that this is done, you need to add the @csrf_exempt view decorator to views that take POST requests without a form, or that otherwise rely on POST requests in order to work properly.
So your decorated view may look like:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

# Skips the CSRF check for this view only
@csrf_exempt
def my_view(request):
    return HttpResponse('Hello world')

I know this is not the right way to do it, but it's the quickest way to fix the issues IMHO.
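
As an added example (not part of the original post), the sketch below audits the result of steps 3 and 4: it lists POST forms that still lack {% csrf_token %} and the views left with @csrf_exempt, so the quick fixes can be revisited later. The function names and the sample inputs are assumptions made for illustration.

```python
import ast
import re

FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
POST_RE = re.compile(r"""method\s*=\s*["']?post""", re.I)
TOKEN_RE = re.compile(r"\{%\s*csrf_token\s*%\}")
# Constructed sample inputs, not taken from the original post's project.
SAMPLE_TEMPLATE = """
<form action="" method="post">{% csrf_token %}<input name="a"></form>
<form action="/search/" method="get"><input name="q"></form>
<form action="/comment/" method="POST"><input name="body"></form>
"""
SAMPLE_VIEWS = """
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_view(request):
    return HttpResponse('Hello world')

def other_view(request):
    return HttpResponse('ok')
"""

def forms_missing_token(template_text):
    """Return the opening tags of POST forms that lack {% csrf_token %}."""
    missing = []
    for match in FORM_RE.finditer(template_text):
        form = match.group(0)
        open_tag = form[: form.index(">") + 1]
        if POST_RE.search(open_tag) and not TOKEN_RE.search(form):
            missing.append(open_tag)
    return missing

def exempt_views(source):
    """Return names of functions decorated with csrf_exempt (parsed, not run)."""
    names = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            # Matches both @csrf_exempt and @some_module.csrf_exempt.
            if "csrf_exempt" in (getattr(dec, "id", None), getattr(dec, "attr", None)):
                names.append(node.name)
    return names

if __name__ == "__main__":
    print("POST forms without token:", forms_missing_token(SAMPLE_TEMPLATE))
    print("CSRF-exempt views:", exempt_views(SAMPLE_VIEWS))
```

Because the view source is only parsed with ast and never imported, the check runs without Django installed.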


Thoughts/suggestions? Please drop me a comment below...
