On Sat, Mar 21, 2009 at 11:24 AM, Alex Gaynor <[email protected]> wrote:
> b) Having the admin be CSRF safe by default doesn't seem like a feature, it
> feels like a bug, even if its implementation gives everything a new
> feature. That's just my thoughts though.

Personally I'd much rather have it actually *be* secure (and usable), but the current middleware just doesn't really cut it -- the method it uses is of such narrow applicability (and potentially can be screwed up by various other middlewares) that I don't think this is the right way to do it. I'd rather see the change backed out and Luke's improvements worked on to make sure we get something solid before this ends up in a release.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
