Author: lukeplant
Date: 2009-10-27 07:11:56 -0500 (Tue, 27 Oct 2009)
New Revision: 11667

Modified:
   django/trunk/docs/ref/contrib/csrf.txt
   django/trunk/docs/releases/1.2-alpha.txt
Log:
Added explicit notes about the need to update any customised templates for 
contrib apps for CSRF changes



Modified: django/trunk/docs/ref/contrib/csrf.txt
===================================================================
--- django/trunk/docs/ref/contrib/csrf.txt      2009-10-27 10:46:04 UTC (rev 
11666)
+++ django/trunk/docs/ref/contrib/csrf.txt      2009-10-27 12:11:56 UTC (rev 
11667)
@@ -172,9 +172,13 @@
 views (just as you had before). It is strongly recommended to install
 ``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
 
-(Note that contrib apps, such as the admin, have been updated to use the
+Note that contrib apps, such as the admin, have been updated to use the
 ``csrf_protect`` decorator, so that they are secured even if you do not add the
-``CsrfViewMiddleware`` to your settings).
+``CsrfViewMiddleware`` to your settings.  However, if you have suuplied
+customised templates to any of the view functions of contrib apps (whether
+explicitly via a keyword argument, or by overriding built-in templates), **you
+MUST update them** to include the ``csrf_token`` template tag as described
+above, or they will stop working.
 
 Assuming you have followed the above, all views in your Django site will now be
 protected by the ``CsrfViewMiddleware``.  Contrib apps meet the requirements
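
Review bot: Typo in the added sentence "However, if you have suuplied customised templates": "suuplied" should be "supplied". In the same sentence, "or they will stop working" does not say how the failure shows up; since the paragraph explains that these views are wrapped in ``csrf_protect``, consider stating that forms posted from a template without the ``csrf_token`` tag will fail the CSRF check, so a reader who hits the error can connect it to this note.
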

Modified: django/trunk/docs/releases/1.2-alpha.txt
===================================================================
--- django/trunk/docs/releases/1.2-alpha.txt    2009-10-27 10:46:04 UTC (rev 
11666)
+++ django/trunk/docs/releases/1.2-alpha.txt    2009-10-27 12:11:56 UTC (rev 
11667)
@@ -13,6 +13,11 @@
    will be removed completely in Django 1.4, in favour of a template tag that
    should be inserted into forms.
 
+ * All contrib apps use a ``csrf_protect`` decorator to protect the view.  This
+   requires the use of the csrf_token template tag in the template, so if you
+   have used custom templates for contrib views, you MUST READ THE UPGRADE
+   INSTRUCTIONS to fix those templates.
+
  * ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
    default. This turns on CSRF protection by default, so that views that accept
    POST requests need to be written to work with the middleware.  Instructions
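
Review bot: In the added bullet, csrf_token is left unmarked while ``csrf_protect`` in the same bullet and ``CsrfViewMiddleware`` in the following one are written as literals; use ``csrf_token`` for consistency. The phrase "you MUST READ THE UPGRADE INSTRUCTIONS" also gives no pointer to where those instructions live; a cross-reference to the CSRF documentation touched in this same revision (docs/ref/contrib/csrf.txt) would let readers reach them directly from the release notes.
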

