Author: lukeplant
Date: 2009-10-27 16:27:09 -0500 (Tue, 27 Oct 2009)
New Revision: 11672

Modified:
   django/trunk/django/template/__init__.py
Log:
Fixed #12095 - login and other contrib views failing if template rendered using 
inclusion tag.

The {% csrf_token %} tag is unable to get its value if a template is
rendered using an inclusion_tag, since that creates a brand new Context,
rather than using the existing one.  Since this is a common pattern, and we
need CSRF protection to be as simple and easy as possible, we special case
the csrf_token and copy it from the parent context to the new context.

A more elegant and general solution may appear in future, but this is good
enough for now.



Modified: django/trunk/django/template/__init__.py
===================================================================
--- django/trunk/django/template/__init__.py    2009-10-27 20:57:13 UTC (rev 
11671)
+++ django/trunk/django/template/__init__.py    2009-10-27 21:27:09 UTC (rev 
11672)
@@ -942,8 +942,14 @@
                         else:
                             t = get_template(file_name)
                         self.nodelist = t.nodelist
-                    return self.nodelist.render(context_class(dict,
-                            autoescape=context.autoescape))
+                    new_context = context_class(dict, 
autoescape=context.autoescape)
+                    # Copy across the CSRF token, if present, because inclusion
+                    # tags are often used for forms, and we need instructions
+                    # for using CSRF protection to be as simple as possible.
+                    csrf_token = context.get('csrf_token', None)
+                    if csrf_token is not None:
+                        new_context['csrf_token'] = csrf_token
+                    return self.nodelist.render(new_context)
 
             compile_func = curry(generic_tag_compiler, params, defaults, 
getattr(func, "_decorated_function", func).__name__, InclusionNode)
             compile_func.__doc__ = func.__doc__
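
Review bot: The assignment new_context['csrf_token'] = csrf_token runs whenever the parent context has a token, so it also replaces a 'csrf_token' value that the tag's own returned dict already put into new_context. Consider copying only when the key is not already in new_context, so a value the tag supplies itself takes precedence. The in-code comment could also say that csrf_token is the only variable carried over from the parent context, since everything else is still dropped. This revision modifies only django/template/__init__.py, so a regression test that renders {% csrf_token %} through an inclusion tag would keep the special case from being lost when the more general solution mentioned in the log arrives.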

