
Fix CSRF incompatibility with custom CSRF_HEADER_NAME in sortable updates (refs #434) #435

Open
kirpit wants to merge 1 commit into jrief:master from kirpit:master


@kirpit kirpit commented Mar 7, 2026

Respect custom CSRF_HEADER_NAME in sortable update requests

Pass Django's CSRF header setting from admin context to sortable config and use it when sending drag-and-drop update POST requests. Keep backward compatibility by falling back to X-CSRFToken.

Add a regression test that verifies:

  • custom CSRF header is exposed in sortable config
  • default header is rejected when CSRF_HEADER_NAME is customized
  • custom header succeeds for adminsortable2_update

Refs #434

Pass Django's CSRF header setting from admin context to sortable config
and use it when sending drag-and-drop update POST requests. Keep
backward compatibility by falling back to X-CSRFToken.

Add a regression test that verifies:
- custom CSRF header is exposed in sortable config
- default header is rejected when CSRF_HEADER_NAME is customized
- custom header succeeds for adminsortable2_update

Refs jrief#434
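
The header-name mapping this change depends on, as an added example that is not code from this pull request or from the project: Django's `CSRF_HEADER_NAME` is a WSGI-style `META` key, so the client has to send the matching HTTP header rather than the setting string itself. The function names and the sample header `HTTP_X_XSRF_TOKEN` are assumptions made for illustration.

```python
# Added example (not project code): why a hard-coded X-CSRFToken header
# fails once CSRF_HEADER_NAME is customised, and how to derive the right one.

DEFAULT_CSRF_HEADER = "X-CSRFToken"  # fallback named in the PR description


def header_from_setting(csrf_header_name):
    """Turn a META-style key ('HTTP_X_XSRF_TOKEN') into an HTTP header name.

    Falls back to the default header when no setting value is available.
    """
    if not csrf_header_name:
        return DEFAULT_CSRF_HEADER
    name = csrf_header_name
    if name.startswith("HTTP_"):
        name = name[len("HTTP_"):]
    # HTTP header names are case-insensitive; title-case is only cosmetic.
    return "-".join(part.capitalize() for part in name.split("_"))


def to_meta(headers):
    """Mimic how WSGI exposes request headers: 'X-Foo' -> 'HTTP_X_FOO'.

    (Content-Type and Content-Length are special-cased by WSGI and are
    ignored here because they are irrelevant to the CSRF lookup.)
    """
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}


def token_from_request(headers, csrf_header_name):
    """Return the token the server would find under the configured key."""
    return to_meta(headers).get(csrf_header_name)


if __name__ == "__main__":
    custom = "HTTP_X_XSRF_TOKEN"  # constructed sample setting value
    token = "constructed-sample-token"
    # The previously hard-coded header is invisible to the server.
    print(token_from_request({DEFAULT_CSRF_HEADER: token}, custom))
    # The header derived from the setting is found.
    print(token_from_request({header_from_setting(custom): token}, custom))
```
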

3 participants