
Django: upgrading django from 1.1 to 1.2.5 and CSRF protection modifications

Greetings!
Yesterday I completed a quick upgrade from Django version 1.1 to 1.2.5, the oldest release still supported at the time. I had several reasons for doing so:
- First, my hosting already has Django 1.2.5 installed.
- Second, I had some doubts about staying on old stuff; it's better to keep up with Django versions too :)
- Third, and the main one: a social authentication plugin I had newly found on Google was the final push in my decision...

So I'll try to share my experiences migrating (updating) my project from Django 1.1 (which it was developed on) to 1.2.5, the oldest release supported at that point.

Let's get started.

1. Read the 1.2 release notes.
I needed a quick solution. The symptom was that the site started answering form POST requests with 403 Forbidden ("CSRF verification failed. Request aborted."), because no CSRF token was present in the submitted data.

The main issue on upgrading, IMHO, is the backwards-incompatible change to Cross Site Request Forgery protection. In 1.2 the check is done by CsrfViewMiddleware, which compares the csrfmiddlewaretoken field of every POST against the csrftoken cookie; the old contrib.csrf middleware that silently rewrote outgoing HTML forms is deprecated, so every POST form now has to carry the token itself. You can read the official Django docs on the new CSRF protection and/or use this quick manual.

2. Add the CSRF middleware to settings.MIDDLEWARE_CLASSES
Add 'django.middleware.csrf.CsrfViewMiddleware' to MIDDLEWARE_CLASSES (before any other view middleware that assumes CSRF has already been dealt with) and remove any old entry beginning with 'django.contrib.csrf.middleware.' if one is still there; that module is deprecated in 1.2. You can also add 'django.middleware.csrf.CsrfResponseMiddleware', which injects the token into POST forms in outgoing HTML the way the old middleware did, but it is a deprecated compatibility shim (removed in 1.4), so treat it as a stopgap until every form carries the tag itself (step 3).

3. Fix existing forms
Now add {% csrf_token %} inside every form submitted with method="post" (GET forms don't need it). The tag only renders the hidden csrfmiddlewaretoken input when the template is rendered with a RequestContext; with a plain Context it outputs nothing and the POST is still rejected. In 1.2 that means views using render_to_response() must pass context_instance=RequestContext(request). Note on JavaScript: if a script builds the POST body itself instead of submitting the form, the hidden token field is never sent. In my case a jQuery plugin overriding the POST method takes all the form data (token included) and simply submits it, so JavaScript wasn't a problem for me. For AJAX requests that don't serialize the form, Django 1.2 also accepts the token in an X-CSRFToken request header, read from the csrftoken cookie.
So for example your new form header might look like:

<form action="" method="post">{% csrf_token %}


4. Finally, polish the errors that appear
Once that is done, you may need to add the @csrf_exempt view decorator to views that receive POST requests without a form (API endpoints, callbacks) or otherwise consume POST data, in order to make them work again.
So your decorated view may look like:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_view(request):
    # The CSRF check is skipped entirely for this view: only do this for
    # endpoints that do not act on the browser's session cookie.
    return HttpResponse('Hello world')

I know this is not the right way to do it, but it is the quickest way to fix the issues IMHO. Bear in mind that an exempted view has no CSRF protection at all: keep the decorator to endpoints that authenticate by other means (a callback with its own shared secret, for instance) and send the token, in the form or in the X-CSRFToken header, for everything else.
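To apply steps 3 and 4 across a whole project rather than form by form, the following audit script finds the spots that need attention. It is an added example, not code from the original post or from Django itself: it scans template text for POST forms missing the {% csrf_token %} tag (or using the {{ csrf_token }} variable, which prints the bare token instead of the hidden input), scans view text for render_to_response() calls with no RequestContext, and lists every @csrf_exempt view so each exemption can be justified. The template and view sources embedded at the bottom are constructed samples, not files from a real project.

```python
"""Audit helper for the Django 1.2 CSRF migration described in steps 3 and 4.

Added example, not code from the original post or from Django. It checks
project source text for:
  * POST forms lacking {% csrf_token %} (or using the {{ csrf_token }}
    variable, which prints the bare token rather than the hidden input);
  * render_to_response() calls without a RequestContext, where the tag
    renders nothing and the POST is still rejected with a 403;
  * every @csrf_exempt view, so each exemption can be reviewed.
"""
import re

FORM_OPEN = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
FORM_CLOSE = re.compile(r"</form\s*>", re.IGNORECASE)
METHOD_POST = re.compile(r"""\bmethod\s*=\s*["']?post["']?""", re.IGNORECASE)
CSRF_TAG = re.compile(r"\{%\s*csrf_token\s*%\}")
CSRF_VAR = re.compile(r"\{\{\s*csrf_token\s*\}\}")
RENDER_CALL = re.compile(r"\brender_to_response\s*\(")
EXEMPT_VIEW = re.compile(r"@csrf_exempt\s*\n\s*def\s+(\w+)")


def line_of(text, pos):
    """1-based line number of character offset ``pos`` in ``text``."""
    return text.count("\n", 0, pos) + 1


def audit_template(source):
    """Return [(line, problem)] for every POST form that needs attention."""
    problems = []
    for match in FORM_OPEN.finditer(source):
        if not METHOD_POST.search(match.group(0)):
            continue  # GET forms (the default method) carry no token
        close = FORM_CLOSE.search(source, match.end())
        body = source[match.end():close.start() if close else len(source)]
        line = line_of(source, match.start())
        if CSRF_TAG.search(body):
            continue
        if CSRF_VAR.search(body):
            problems.append((line, "{{ csrf_token }} variable, not the tag"))
        else:
            problems.append((line, "POST form without {% csrf_token %}"))
    return problems


def _call_args(source, open_paren):
    """Text between the '(' at ``open_paren`` and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
    return source[open_paren + 1:]  # unbalanced: take the rest of the file


def audit_views(source):
    """Return (lines of render_to_response() lacking a RequestContext,
    names of @csrf_exempt views)."""
    missing_context = []
    for match in RENDER_CALL.finditer(source):
        args = _call_args(source, match.end() - 1)
        # Accept an inline RequestContext(...) or a prebuilt context_instance=.
        if "RequestContext" not in args and "context_instance" not in args:
            missing_context.append(line_of(source, match.start()))
    return missing_context, EXEMPT_VIEW.findall(source)


# Constructed samples (not from a real project) exercising each check.
SAMPLE_TEMPLATE = """\
<form action="/login/" method="post">
  <input name="username"><input type="submit">
</form>
<form action="/search/" method="get"><input name="q"></form>
<form action="/comment/" method="POST">{% csrf_token %}
  <textarea name="body"></textarea>
</form>
<form action="/vote/" method="post">{{ csrf_token }}
  <input name="choice">
</form>
"""

SAMPLE_VIEWS = """\
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.views.decorators.csrf import csrf_exempt

def login(request):
    return render_to_response('login.html', {'next': '/'})

def comment(request):
    return render_to_response('comment.html', {},
                              context_instance=RequestContext(request))

@csrf_exempt
def webhook(request):
    return HttpResponse('ok')
"""

if __name__ == "__main__":
    for line, problem in audit_template(SAMPLE_TEMPLATE):
        print("template line %d: %s" % (line, problem))
    missing, exempt = audit_views(SAMPLE_VIEWS)
    for line in missing:
        print("views line %d: render_to_response() without RequestContext" % line)
    for name in exempt:
        print("views: @csrf_exempt on %s, check it really needs it" % name)
```

On the samples it reports the login form (no tag), the vote form (variable instead of tag), the login view (no RequestContext) and the webhook exemption; run the two functions over the contents of each template and views file in the project to get the same list for real code. The checks are text-based on purpose, so they work on templates that do not parse as HTML and on views that do not import cleanly mid-migration.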


Thoughts/suggestions? please drop me a comment below...
