Sunday, December 15, 2013

View decorators before CSRF verification?

I have a function based view that should only respond to GET and HEAD requests so I used the @require_safe decorator.

from django.views.decorators.http import require_safe

@require_safe  # only GET and HEAD reach the body; other methods get a 405 from the decorator
def myview(request):
    # logic
    ...

so the expected response from a POST request is a 405 Response Not Allowed.

Using Postman to send a POST to the corresponding URL, I actually get a 403 Forbidden (CSRF verification failed), since the default 'django.middleware.csrf.CsrfViewMiddleware' is being used in MIDDLEWARE_CLASSES to protect all views. This must be happening because the CSRF middleware checks occur before view-specific decorator function checks like @require_safe, @require_GET, etc.

Is this something to be bothered about? This is a request for advice and discussion rather than debugging a particular problem. I think I would prefer if there were a way for Django to check for view decorator compliance first, because I think a 405 response is more descriptive and appropriate for the attempted action.

However, if there were some middleware to check view decorators and that middleware class was ordered earlier than the CsrfViewMiddleware, caution would be needed: Django's built-in view decorators seem safe, but user-defined view decorators may allow POSTs without checking the csrftoken. Thoughts?

--
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/3fd55d48-bced-429b-9748-c225250ef549%40googlegroups.com.
