我有一个 django 视图,允许用户从数据库中搜索和获取数据。不对数据库进行任何更改。我还意识到 csrf 令牌出现在 url 中。我在网上搜索并了解到情况不应该如此,并且在发出
GET查看:
class SearchResultsListView(ListView):
model = Processor
template_name = 'finder/search_results.html'
paginate_by = 10 # Number of results per page
def get_queryset(self):
query = self.request.GET.get("q")
return Processor.objects.filter(
Q(name__icontains=query) |
Q(standard_transaction_fee__icontains=query) |
Q(accepted_payment_methods__icontains=query) |
Q(available_merchant_countries__icontains=query) |
Q(supported_business_types__icontains=query) |
Q(basic_info__icontains=query) |
Q(restricted_prohibited_business__icontains=query)
)
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
context['query'] = self.request.GET.get('q', '')
return context
html:
<div class="search-container-container">
<div class="search-results-container">
<!-- Top search bar -->
<div class="search-header">
<form action="{% url 'search_results' %}" method="GET" class="search-search-form">
{%csrf_token%}
<input
type="text"
name="q"
class="search-input"
placeholder="Search processors..."
value="{{ request.GET.q }}"
aria-label="Search"
>
<button type="submit" class="search-button">
Search
</button>
</form>
</div>
不,CSRF 令牌用于非安全方法 [mdn-doc],因此 PATCH、POST、PUT、DELETE。 Django 只检查这些方法的 CSRF,因为安全方法被认为不会有副作用。
CsrfViewMiddlewareclass CsrfViewMiddleware(MiddlewareMixin): def process_view(self, request, callback, callback_args, callback_kwargs): # … if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'): return self._accept(request) # …
在 GET 请求上强制执行此操作也没有多大意义:如上所述,GET 请求不应该创建、更新或删除数据。