0
0
mirror of https://github.com/django/django.git synced 2024-12-01 15:42:04 +01:00

Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2009-10-27 12:11:56 +00:00
parent f6ef3fd941
commit f00ad4168e
2 changed files with 11 additions and 2 deletions

View File

@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your
views (just as you had before). It is strongly recommended to install
``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
(Note that contrib apps, such as the admin, have been updated to use the
Note that contrib apps, such as the admin, have been updated to use the
``csrf_protect`` decorator, so that they are secured even if you do not add the
``CsrfViewMiddleware`` to your settings).
``CsrfViewMiddleware`` to your settings. However, if you have suuplied
customised templates to any of the view functions of contrib apps (whether
explicitly via a keyword argument, or by overriding built-in templates), **you
MUST update them** to include the ``csrf_token`` template tag as described
above, or they will stop working.
Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements

View File

@ -13,6 +13,11 @@ changes that developers must be aware of:
will be removed completely in Django 1.4, in favour of a template tag that
should be inserted into forms.
* All contrib apps use a ``csrf_protect`` decorator to protect the view. This
requires the use of the csrf_token template tag in the template, so if you
have used custom templates for contrib views, you MUST READ THE UPGRADE
INSTRUCTIONS to fix those templates.
* ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
default. This turns on CSRF protection by default, so that views that accept
POST requests need to be written to work with the middleware. Instructions