Author: jacob
Date: 2011-09-09 10:20:16 -0700 (Fri, 09 Sep 2011)
New Revision: 16734
Modified:
django/trunk/AUTHORS
django/trunk/docs/topics/http/file-uploads.txt
django/trunk/docs/topics/http/middleware.txt
Log:
Fixed #16384: warn against accessing request.POST/REQUEST in middleware.
Thanks, Tom Christie.
Modified: django/trunk/AUTHORS
===================================================================
--- django/trunk/AUTHORS 2011-09-09 17:14:47 UTC (rev 16733)
+++ django/trunk/AUTHORS 2011-09-09 17:20:16 UTC (rev 16734)
@@ -120,6 +120,7 @@
Sengtha Chay <[email protected]>
[email protected]
Bryan Chow <bryan at verdjn dot com>
+ Tom Christie <[email protected]>
Antonis Christofides <[email protected]>
Michal Chruszcz <[email protected]>
Can Burak Çilingir <[email protected]>
Modified: django/trunk/docs/topics/http/file-uploads.txt
===================================================================
--- django/trunk/docs/topics/http/file-uploads.txt 2011-09-09 17:14:47 UTC
(rev 16733)
+++ django/trunk/docs/topics/http/file-uploads.txt 2011-09-09 17:20:16 UTC
(rev 16734)
@@ -238,6 +238,8 @@
data on the fly, render progress bars, and even send data to another storage
location directly without storing it locally.
+.. _modifying_upload_handlers_on_the_fly:
+
Modifying upload handlers on the fly
------------------------------------
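Review bot: the new label `modifying_upload_handlers_on_the_fly` above the "Modifying upload handlers on the fly" heading uses underscores, while the existing label visible in the middleware.txt part of this same commit, `template-response-middleware`, uses hyphens. Suggest `.. _modifying-upload-handlers-on-the-fly:` here, with the matching change to the `:ref:` target in the middleware.txt note, so the two labels follow one naming style.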
Modified: django/trunk/docs/topics/http/middleware.txt
===================================================================
--- django/trunk/docs/topics/http/middleware.txt 2011-09-09 17:14:47 UTC
(rev 16733)
+++ django/trunk/docs/topics/http/middleware.txt 2011-09-09 17:20:16 UTC
(rev 16734)
@@ -97,6 +97,21 @@
view; it'll return that :class:`~django.http.HttpResponse`. Response
middleware is always called on every response.
+.. note::
+ Accessing :attr:`request.POST <django.http.HttpRequest.POST>` or
+ :attr:`request.REQUEST <django.http.HttpRequest.REQUEST>` inside
+ middleware from ``process_request`` or ``process_view`` will prevent any
+ view running after the middleware from being able to
+ :ref:`modify the upload handlers for the
+ request <modifying_upload_handlers_on_the_fly>`, and should normally be
+ avoided.
+
+ The :class:`~django.middleware.csrf.CsrfViewMiddleware` class can be
+ considered an exception, as it provides the
+ :func:`~django.views.decorators.csrf.csrf_exempt` and
+ :func:`~django.views.decorators.csrf.csrf_protect` decorators which allow
+ views to explicitly control at what point the CSRF validation should occur.
+
.. _template-response-middleware:
``process_template_response``
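Review bot: the first paragraph of the added note states the consequence (a view running after the middleware cannot modify the upload handlers) but not the cause, and "inside middleware from ``process_request`` or ``process_view``" reads awkwardly. Suggest wording along the lines of "from a middleware's ``process_request`` or ``process_view`` method", plus one clause saying why the access has this effect, so readers can judge when "should normally be avoided" applies to them. In the second paragraph, the `CsrfViewMiddleware` exception names `csrf_exempt` and `csrf_protect` but does not say how a view should apply them to keep CSRF validation while still modifying the handlers; a short sentence or a cross-reference to where that is documented would make the exception actionable.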