PiRSquared17 / django-page-cms

Automatically exported from code.google.com/p/django-page-cms
BSD 3-Clause "New" or "Revised" License

CSRF Middleware breaks move-page and change-status #46

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Add 'django.contrib.csrf.middleware.CsrfMiddleware' to MIDDLEWARE_CLASSES
2. In the admin interface, move a page or change its published status in the list view

What is the expected output? What do you see instead?
Expect page to be moved or status to change, instead receive 403 Forbidden response

What version of the product are you using? On what operating system?
Pages rev. 339, MPTT rev. 119, Opensuse 11

Please provide any additional information below.
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
Is there a way to send the CSRF token in the calls to move-page and change-status?

Original issue reported on code.google.com by jzy...@gmail.com on 14 Feb 2009 at 6:39

GoogleCodeExporter commented 9 years ago
Hmm, sure, there should be an easy way. I'll check when I get some time.

Original comment by batiste....@gmail.com on 16 Feb 2009 at 8:41

GoogleCodeExporter commented 9 years ago

Original comment by batiste....@gmail.com on 26 Feb 2009 at 12:21

GoogleCodeExporter commented 9 years ago
The problem is that Django's CsrfMiddleware needs a <form> tag where it can insert the token. But with AJAX, POST requests don't need any form tags, and the approach of CsrfMiddleware fails. This is more a Django bug than a page-cms bug. The good news is that it's fixed in Django trunk and the upcoming Django 1.1 (the check is simply disabled for AJAX requests).

http://code.djangoproject.com/ticket/8127
http://code.djangoproject.com/changeset/9554

Closing as WontFix, although 'upstream' would perhaps be more fitting :)

Original comment by piquad...@gmail.com on 26 Feb 2009 at 10:59
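
The failure discussed in this thread, as an added sketch that is not Django's or django-page-cms's own code: a simplified model of a middleware that injects a per-session token into POST forms and rejects session-bearing POSTs that lack it, showing why a script-issued POST gets 403 unless the script copies the token out of a rendered form. The secret, session id, HMAC derivation and function names are assumptions of the sketch; `csrfmiddlewaretoken` is Django's field name.

```python
import hashlib
import hmac
import re

SECRET_KEY = "constructed-secret"   # constructed sample value
FIELD = "csrfmiddlewaretoken"       # hidden-field name Django uses
FORM_RE = re.compile(r"(<form\b[^>]*\bmethod=['\"]?post['\"]?[^>]*>)", re.I)
TOKEN_RE = re.compile(r"name='%s' value='([0-9a-f]+)'" % FIELD)


def make_token(session_id):
    """Per-session token; HMAC-SHA256 is this sketch's stand-in derivation."""
    return hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def process_response(html, session_id):
    """Inject the hidden token field after every POST <form> tag in the page."""
    field = "<input type='hidden' name='%s' value='%s'>" % (FIELD, make_token(session_id))
    return FORM_RE.sub(lambda m: m.group(1) + field, html)


def process_request(method, post, session_id):
    """Return the HTTP status the token check would produce for this request."""
    if method != "POST" or session_id is None:
        return 200  # only POSTs that carry a session are checked
    sent = post.get(FIELD, "")
    return 200 if hmac.compare_digest(sent, make_token(session_id)) else 403


def token_from_page(html):
    """What client script must do: read the token out of a rendered form."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


def demo():
    session = "constructed-session-id"
    page = process_response("<form method='post' action='/search/'></form>", session)
    # Script-built POST with no token: the 403 reported in this issue.
    bare_ajax = process_request("POST", {"position": "left"}, session)
    # Same POST with the token copied from a form on the page.
    token = token_from_page(page)
    with_token = process_request("POST", {"position": "left", FIELD: token}, session)
    # A page without any POST form gives the script nothing to copy.
    no_form = token_from_page(process_response("<ul id='page-list'></ul>", session))
    return bare_ajax, with_token, no_form


if __name__ == "__main__":
    print(demo())
```

Sending the token with each script-issued POST keeps the check in force for those requests instead of depending on an exemption for them.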