Hi Wim,
Your suggestion sounds something like Simon's SafeForm. While some
elements of that proposal may end up in Django, it turns out that
implementing SafeForm as the default solution requires *bigger*
changes to existing code than adding the csrf_token, because you would
need to pass additional info from the request to Form for it to be
able to do the CSRF checks. It also only works if you are using
Django Forms and rendering them via {{ form }} (instead of field-by-field, for instance).
If you want to see how we got to where we are, have a look at this
thread: http://groups.google.com/group/django-developers/browse_thread/thread/3d2dc750082103dc/f3beb18c27fb7152
(OK, that was a nasty trick - the thread is huge, we discussed this
nearly to death, but that's why I'm not going to repeat all the
arguments here).
Also, you can use CsrfResponseMiddleware as an interim measure to stop
your code from breaking, so the change to require csrf_token isn't
quite so bad.
Thanks,
Luke
--
"It is a truth universally acknowledged, that a single man in
possession of a good fortune, must be in want of a wife." (Jane
Austen)
Luke Plant || http://lukeplant.me.uk/
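For readers who want to see the difference Luke is pointing at in code, here is an added, stand-alone Python sketch. It is not Django's implementation and not the SafeForm proposal itself; the Request class, SafeForm class and csrf_check function are hypothetical, and comparing a cookie value against a hidden form field is a simplification of the real scheme (only the field name csrfmiddlewaretoken is the one Django's csrf_token tag renders). It contrasts a form-level check, which cannot run unless the request is handed to the form, with a middleware-level check that only needs the request and so works however the form is rendered.

```python
import hmac
import secrets

# Constructed stand-in for a request object (hypothetical, not django.http.HttpRequest).
# It carries only the three attributes the checks below read.
class Request:
    def __init__(self, method, post, cookies):
        self.method = method
        self.POST = post
        self.COOKIES = cookies

CSRF_COOKIE = "csrftoken"            # assumed cookie name for this sketch
CSRF_FIELD = "csrfmiddlewaretoken"   # field name rendered by Django's {% csrf_token %}
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

def new_token():
    """Fresh unguessable token to store on the client and echo back in the form."""
    return secrets.token_hex(16)

def tokens_match(expected, submitted):
    """Constant-time comparison; missing values never match."""
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

# Approach 1 (SafeForm-style, hypothetical): the form validates CSRF itself,
# so the view must pass it the request, and a form rendered field-by-field
# would still have to emit the hidden token somewhere.
class SafeForm:
    def __init__(self, data, request):
        self.data = data
        self.request = request
        self.errors = []

    def is_valid(self):
        if not tokens_match(self.request.COOKIES.get(CSRF_COOKIE),
                            self.data.get(CSRF_FIELD)):
            self.errors.append("CSRF token missing or incorrect")
        return not self.errors

    def render_hidden_field(self):
        """What a {% csrf_token %}-style tag would put into the page."""
        token = self.request.COOKIES.get(CSRF_COOKIE, "")
        return f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'

# Approach 2 (middleware-style, hypothetical): the check runs before the view,
# sees only the request, and is independent of how (or whether) Django Forms
# were used to build the page.
def csrf_check(request):
    """Return None to let the request through, or 403 to reject it."""
    if request.method in SAFE_METHODS:
        return None
    if tokens_match(request.COOKIES.get(CSRF_COOKIE), request.POST.get(CSRF_FIELD)):
        return None
    return 403

if __name__ == "__main__":
    token = new_token()
    good = Request("POST", {CSRF_FIELD: token}, {CSRF_COOKIE: token})
    forged = Request("POST", {"comment": "hello"}, {CSRF_COOKIE: token})  # cross-site post: no token
    print("middleware, legitimate:", csrf_check(good))    # None
    print("middleware, forged:", csrf_check(forged))      # 403
    print("form, forged:", SafeForm(forged.POST, forged).is_valid())  # False
```

The practical point of the sketch: the middleware version needs nothing from the form layer, while the form version needs the request threaded through every place a form is constructed and only protects views that render a form at all.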