mirror of
https://github.com/django/django.git
synced 2024-12-01 15:42:04 +01:00
Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
f6ef3fd941
commit
f00ad4168e
@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your
|
|||||||
views (just as you had before). It is strongly recommended to install
|
views (just as you had before). It is strongly recommended to install
|
||||||
``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
|
``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
|
||||||
|
|
||||||
(Note that contrib apps, such as the admin, have been updated to use the
|
Note that contrib apps, such as the admin, have been updated to use the
|
||||||
``csrf_protect`` decorator, so that they are secured even if you do not add the
|
``csrf_protect`` decorator, so that they are secured even if you do not add the
|
||||||
``CsrfViewMiddleware`` to your settings).
|
``CsrfViewMiddleware`` to your settings. However, if you have suuplied
|
||||||
|
customised templates to any of the view functions of contrib apps (whether
|
||||||
|
explicitly via a keyword argument, or by overriding built-in templates), **you
|
||||||
|
MUST update them** to include the ``csrf_token`` template tag as described
|
||||||
|
above, or they will stop working.
|
||||||
|
|
||||||
Assuming you have followed the above, all views in your Django site will now be
|
Assuming you have followed the above, all views in your Django site will now be
|
||||||
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements
|
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements
|
||||||
|
@ -13,6 +13,11 @@ changes that developers must be aware of:
|
|||||||
will be removed completely in Django 1.4, in favour of a template tag that
|
will be removed completely in Django 1.4, in favour of a template tag that
|
||||||
should be inserted into forms.
|
should be inserted into forms.
|
||||||
|
|
||||||
|
* All contrib apps use a ``csrf_protect`` decorator to protect the view. This
|
||||||
|
requires the use of the csrf_token template tag in the template, so if you
|
||||||
|
have used custom templates for contrib views, you MUST READ THE UPGRADE
|
||||||
|
INSTRUCTIONS to fix those templates.
|
||||||
|
|
||||||
* ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
|
* ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
|
||||||
default. This turns on CSRF protection by default, so that views that accept
|
default. This turns on CSRF protection by default, so that views that accept
|
||||||
POST requests need to be written to work with the middleware. Instructions
|
POST requests need to be written to work with the middleware. Instructions
|
||||||
|
Loading…
Reference in New Issue
Block a user