Hi all,
For those following trunk, the CSRF changes have now landed (apart
from Simon's proposed refinements).
At first I thought this would be perfectly seamless, not requiring any
immediate action, and it therefore didn't warrant a note to django-
devs. However, there are circumstances when developers MUST update
their code immediately to avoid breakage.
If you have supplied custom templates to contrib views that accept
POST requests (e.g. auth login etc.), the template may need updating.
The steps needed are fully described in the docs, but in short:
Inside all <form method="POST"> elements, add {% csrf_token %}
That's it. Apologies to anyone who has already experience breakage
because of this.
This brings up another question - I don't know what our policy for
backwards compatibility with respect to templates is. Obviously if
you completely override an entire template for something like an admin
page, you cannot expect everything to keep working — otherwise it
would be impossible to add any new features to the admin. Also there
is the problem of inheritance etc. — do we guarantee that the
inheritance/include chain of all blocks will stay the same? Sometimes
you need to move anything around — 'refactor' if you will — and a
commitment not to change anything here would be painful (and it's not
what we've done so far, although we have minimized unnecessary
changes).
How much do we consider those who have overridden templates by setting
TEMPLATE_DIRS so that a custom template (e.g. admin/base_site.html) is
chosen over the default one? It's a common pattern, although in some
ways it could be considered a hack.
Is it different for views that have explicit hooks for customisation
(like a template_name keyword argument)? For the latter, I think the
view function docstring should document everything that will be in the
template context if we are making guarantees about compatibility. But
that would not have avoided the current problem of needing to insert
something extra.
What about CSS/javascript? I know there have been a number of changes
here which have caused breakage if people have overridden templates in
certain ways, but it seems unreasonable to require the admin CSS to
remain organized as it is now. The docs for this are in slight
disarray — I can only find some obsolete docs which say that they
don't apply any more.
It's actually quite hard to define backwards compatibility in this
area, much more so than with Python code.
Luke
--
Environmentalists are much too concerned with planet earth. Their
geocentric attitude prevents them from seeing the greater picture
-- lots of planets are much worse off than earth is.
Luke Plant || http://lukeplant.me.uk/
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to
django-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
