Re-introduce Django CSRF middleware

It is a security issue not to include the Django CSRF middle. Also, since we don't have a reason to alter the Django middleware list and order, we should use the same list.
2026-01-28 08:03:36 +00:00 · 2014-08-17 19:29:31 +05:30 · 2014-08-17 19:29:31 +05:30 · 65cdcb1bc3
commit 65cdcb1bc3
parent 96aa493992
1 changed files with 3 additions and 1 deletions
--- a/plinth.py
+++ b/plinth.py
@ -175,10 +175,12 @@ def configure_django():
        LOGIN_REDIRECT_URL='apps:index',
        LOGOUT_URL='lib:logout',
        MIDDLEWARE_CLASSES=(
-            'django.middleware.common.CommonMiddleware',
            'django.contrib.sessions.middleware.SessionMiddleware',
+            'django.middleware.common.CommonMiddleware',
+            'django.middleware.csrf.CsrfViewMiddleware',
            'django.contrib.auth.middleware.AuthenticationMiddleware',
            'django.contrib.messages.middleware.MessageMiddleware',
+            'django.middleware.clickjacking.XFrameOptionsMiddleware',
            'modules.first_boot.middleware.FirstBootMiddleware',
        ),
        ROOT_URLCONF='urls',