#15008: Convert admin views to use TemplateResponse
-------------------------------------+-------------------------------------
               Reporter:  acdha      |          Owner:  acdha
                   Type:             |         Status:  closed
  Cleanup/optimization               |      Component:  contrib.admin
              Milestone:             |       Severity:  Normal
                Version:  SVN        |       Keywords:  templateresponse
             Resolution:  fixed      |      Has patch:  1
           Triage Stage:  Accepted   |    Needs tests:  0
    Needs documentation:  1          |  Easy pickings:  0
Patch needs improvement:  1          |
-------------------------------------+-------------------------------------

Comment (by lukeplant):

 I'm about to fix #16004, and I've realised this will render [16087]
 almost completely useless, because `csrf_protect` is applied to all or
 almost all the views affected here, and the fix will make all those views
 render the respective `TemplateResponse` objects, so they can no longer be
 customised. This is a necessary fix to make the admin CSRF protection (and
 any other CSRF protection) work in the absence of `CsrfViewMiddleware` -
 otherwise you'll get 403 errors. (I'm actually experiencing this in my
 tests for one project. The tests use Twill, and so do more realistic
 testing than any of Django's built-in tests.)

 I should note that with my fix, none of the existing tests actually fail,
 because they don't test at what point the `TemplateResponse` is rendered.

 So, what to do? #16004 is a bug, and it's a serious one that ought to have
 been fixed in 1.3. This ticket is a feature that has been added since 1.3.
 That means it loses, as far as I can see. I brought this issue up here:
 http://groups.google.com/group/django-developers/browse_thread/thread/f96e982254fbe5c3?pli=1

 Can the relevant people please respond to this thread? Otherwise I will
 have to go ahead and fix #16004. Then the only sensible thing would be to
 revert [16087].

-- 
Ticket URL: <https://code.djangoproject.com/ticket/15008#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
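
A simplified model of the conflict described in the comment above, added here as an example; it is not Django's code or the patch for either ticket. It assumes the decorator sets the CSRF cookie only when the token was requested during rendering, and every name in it is hypothetical.

```python
# Simplified model, not Django code: all names and values are constructed.

class LazyResponse:
    """Stands in for TemplateResponse: the body is built only on render()."""
    def __init__(self, request, context):
        self.request = request
        self.context = context
        self.cookies = {}
        self.content = None

    def render(self):
        if self.content is None:
            # Rendering the form asks for the token, which is what marks
            # the CSRF cookie as needed (assumption of this model).
            self.request["csrf_cookie_used"] = True
            self.content = "<h1>%s</h1><input name=csrf value=%s>" % (
                self.context["title"], self.request["csrf_token"])
        return self


def csrf_protect_model(view, force_render):
    """Decorator-style CSRF step; force_render models rendering inside it."""
    def wrapped(request):
        request["csrf_token"] = "constructed-token"
        response = view(request)
        if force_render:
            response.render()  # after this, later context changes are ignored
        if request.get("csrf_cookie_used"):
            response.cookies["csrftoken"] = request["csrf_token"]
        return response
    return wrapped


def admin_view(request):
    return LazyResponse(request, {"title": "Change user"})


def serve(force_render):
    """Call the decorated view, customise its context, then render last."""
    response = csrf_protect_model(admin_view, force_render)({})
    response.context["title"] = "Customised title"  # late customisation
    response.render()  # the handler renders anything still unrendered
    return response
```

`serve(False)` returns the customised page with no `csrftoken` cookie, so the next POST would be rejected; `serve(True)` returns the cookie but keeps the original title.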
