Webhooks: fix 403 Forbidden errors (csrf check)

* csrf_exempt must be applied to View.dispatch,
  not View.post.

* In base WebhookTestCase, enable Django test Client
  enforce_csrf_checks. (Test Client by default disables
  CSRF protection.)

Closes #19
medmunds
2016-05-31 11:54:18 -07:00
parent 34af81aee6
commit af0e36ab65
3 changed files with 19 additions and 2 deletions

@@ -104,11 +104,14 @@ class AnymailBaseWebhookView(AnymailBasicAuthMixin, View):
http_method_names = ["post", "head", "options"]
@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
return super(AnymailBaseWebhookView, self).dispatch(request, *args, **kwargs)
def head(self, request, *args, **kwargs):
# Some ESPs verify the webhook with a HEAD request at configuration time
return HttpResponse()
@method_decorator(csrf_exempt)
def post(self, request, *args, **kwargs):
# Normal Django exception handling will do the right thing:
# - AnymailWebhookValidationFailure will turn into an HTTP 400 response
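Review bot: The `dispatch` override is the only method in this hunk without a comment, and it is the one whose placement matters. Django's CSRF middleware looks for the `csrf_exempt` attribute on the callable returned by `as_view()`, which takes its attributes from `dispatch`, so a decorator on `post` is never seen. A one-line comment above `def dispatch` saying so would keep someone from moving the decorator back later. The `@method_decorator(csrf_exempt)` shown above `post` has no effect and should not remain alongside the one on `dispatch`. With CSRF checks off for every method in `http_method_names`, the view depends entirely on `AnymailBasicAuthMixin` to reject unauthenticated requests, which is also worth stating in that comment.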