Django class-based view - DeleteView - How to disable confirmation requirement
I am switching to the class-based views. I also use JavaScript to confirm any deletion on the client side. Django DeleteView requires a delete confirmation template which I don't care about.

Is there any simple way of disabling the confirmation on any kind of deletes in Django?

from django.contrib.auth.decorators import login_required
from django.urls import reverse_lazy
from django.utils.decorators import method_decorator
from django.views.generic import DeleteView

from .models import Entry


class EntryDeleteView(DeleteView):
    model = Entry
    success_url = reverse_lazy('entry_list')   # go back to the list on successful delete
    template_name = 'profiles/entry_list.html' # rendered on GET as the confirmation page

    @method_decorator(login_required)
    def dispatch(self, *args, **kwargs):
        return super().dispatch(*args, **kwargs)
Charlatan answered 3/3, 2012 at 0:56 Comment(1)
Adding this to the delete view allows deleting via GET, but I will go with a POST solution instead. [def get(self, *args, **kwargs): return self.delete(*args, **kwargs)] Charlatan
You should make a POST request from the client side (with AJAX or by POSTing a form). That's because if you allow deleting something by GET, your service will be vulnerable to CSRF. Someone will send your admin a link in an email or some other way, and you'll be in trouble.

Myall answered 3/3, 2012 at 1:17 Comment(3)
I have login required on all deletions, wouldn't that be sufficient? Charlatan
No. Look: I'm an evil hacker and I know the email of your site's admin. I send him a link to some page with cute kitten images, and append something like <img src="your_site/admin/profile/delete" width=1 height=1> to that page. The admin looks at the kittens and gets his whole profile deleted. Browsers do not allow POSTing to other sites, and Django has some CSRF protection, so this will not work with POST; that's why delete requires a POST. Myall
What ilvar forgot to mention is that the admin is likely to have an active, logged-in session on his own site, thus bypassing the login step. Latinalatinate
The DeleteView renders the confirmation page on GET and deletes the object if you use a POST or DELETE. If your JS does a POST to the URL after confirmation, it should work the way you want.

Stalinism answered 3/3, 2012 at 1:15 Comment(1)
Yep, I can have the JS just send the POST after the confirmation. Charlatan
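The client-side half that both answers above describe (confirm in the browser, then send the deletion as a POST rather than a GET so a cross-site <img> cannot trigger it), as an added example that is not code from the original post or from Django itself. It assumes Django's default CSRF configuration, where the token is readable from the "csrftoken" cookie and is checked by CsrfViewMiddleware in the X-CSRFToken request header; the delete URL and the button markup in the trailing comment are illustrative assumptions. confirmFn and fetchFn are passed in so the helper can be exercised outside a browser; in a page you would pass window.confirm and window.fetch.

```javascript
// Added example, not from the original post: confirm a deletion on the client,
// then send it as a POST that carries Django's CSRF token.
// Assumptions: Django's default CSRF settings (token in the "csrftoken" cookie,
// verified from the X-CSRFToken header); "/entry/42/delete/" is an example URL.

// Parse a document.cookie-style string ("a=1; csrftoken=xyz") and return one
// cookie's value, or null if it is absent.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the fetch() options for the state-changing request. The method is POST
// and the token travels in a custom header, so an <img> or <a> planted on
// another site cannot reproduce it: those only yield a bare GET.
function buildDeleteRequest(cookieString) {
  const token = getCookie('csrftoken', cookieString);
  if (token === null) {
    // Without the token Django will answer 403 anyway; fail early and loudly.
    throw new Error('CSRF cookie missing; refusing to send an unprotected POST');
  }
  return {
    method: 'POST',
    credentials: 'same-origin',        // send the session cookie, to our origin only
    headers: { 'X-CSRFToken': token }, // header name CsrfViewMiddleware checks
  };
}

// Ask for confirmation, then POST to the DeleteView URL. Returns fetchFn's
// result (a Promise in a real browser) or null when the user cancelled.
function confirmAndDelete(url, cookieString, confirmFn, fetchFn) {
  if (!confirmFn('Delete this entry?')) return null;
  return fetchFn(url, buildDeleteRequest(cookieString));
}

// Wiring in a page, e.g. <button data-delete-url="/entry/42/delete/">:
// button.addEventListener('click', () => {
//   const p = confirmAndDelete(button.dataset.deleteUrl, document.cookie,
//                              window.confirm, window.fetch);
//   // DeleteView answers a successful POST with a redirect to success_url.
//   if (p) p.then(r => { if (r.redirected) window.location = r.url; });
// });
```

The refusal when the cookie is absent matters in practice: a page that never rendered a {% csrf_token %} or form may not have had the cookie set, and sending the POST anyway only produces a 403 from Django; surfacing that on the client makes the misconfiguration visible instead of looking like a silent failure to delete.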

© 2022 - 2024 — McMap. All rights reserved.