Commit Graph

4818 Commits

Author SHA1 Message Date
Russell Keith-Magee 08d521efa0 Fixed #12121 -- Modified __reduce__ on a model to avoid an infinite recursion problem that occurs on Python 2.4. Thanks to emulbreh for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11691 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-11-01 03:04:20 +00:00
Brian Rosner 8dd4a28721 Fixed #11872 -- Instantiate the correct model in BaseInlineFormSet.__init__ when instance is None. Thanks tobias.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11688 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-30 09:11:56 +00:00
Luke Plant 5a0aab41ee Allow CsrfResponseMiddleware to be used if templates cannot be updated.
For the case where someone is using contrib views with custom templates that
they cannot update to use the template tag, it should be possible to use
CsrfResponseMiddleware.  This requires that 'csrf_response_exempt' is not
used for the admin views.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11683 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-30 00:17:29 +00:00
Russell Keith-Magee 96658ef2d2 Fixed #12057 -- Corrected regression of caching performance when a model contained a callable default. Thanks to Michael Thornhill for the excellent assistance tracking this problem.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11681 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-29 14:32:01 +00:00
Luke Plant c5c7791e91 Improved HTML in CSRF debug template - <code> instead of <tt>
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-29 14:17:39 +00:00
Luke Plant 5df19aa99e Small improvement to CSRF failure template.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11676 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 22:20:03 +00:00
Luke Plant 905dba3694 Misc clarifications in csrf middleware comments
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:31:20 +00:00
Luke Plant 43c2ed0eb3 Fixed #12095 - login and other contrib views failing if template rendered using inclusion tag.
The {% csrf_token %} tag is unable to get its value if a template is
rendered using an inclusion_tag, since that creates a brand new Context,
rather than using the existing one.  Since this is a common pattern, and we
need CSRF protection to be as simple and easy as possible, we special case
the csrf_token and copy it from the parent context to the new context.

A more elegant and general solution may appear in future, but this is good
enough for now.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11672 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:27:09 +00:00
Jacob Kaplan-Moss 4281bf3db0 Fixed #11057: having no actions in the admin (`actions=None`) no longer messes up the layout. Thanks, rvdrijst.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11670 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 20:56:12 +00:00
Luke Plant d0b900e6f5 Slight change to CSRF error messages to make debugging easier.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 14:04:21 +00:00
Luke Plant c2ffe94d9a Removed unused import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11664 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:49:33 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatiblity with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant 8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes is found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Jacob Kaplan-Moss d1da261417 Fixed #11371: Made `django.test.Client.put()` work for non-form-data PUT (i.e. JSON, etc.). Thanks, phyfus.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11656 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 15:02:54 +00:00
Jarek Zgoda e32b042d6b Polish translation updated
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11655 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-25 20:09:49 +00:00
Karen Tracey c54b8ec2f5 Fixed #12079: Changed has_results to get a single result, thus preventing exists() from always returning True on backends that support chunked reads.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11654 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-25 16:32:07 +00:00
Luke Plant a02a6fab66 Fixed #9163 - CsrfMiddleware needs to reset ETag header
Thanks to carljm for report and patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 10:45:58 +00:00
Luke Plant c44fdf6a1e Fixed #12067 - check_dependencies in contrib.admin.sites not triggered using new style admin include
Thanks to robhudson for report and patch.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11648 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 10:13:24 +00:00
Luke Plant 2b2f92ae8e Fixed a bug in r11646 - refs #11402
The one line of code not covered by a test... ;-)


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11647 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 00:37:01 +00:00
Jacob Kaplan-Moss b79702b2de Fixed #11402: added a `QuerySet.exists()` method. Thanks, Alex Gaynor.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11646 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 00:28:39 +00:00
Brian Rosner 0d1177ae99 Moved _get_foreign_key call after testing for fk_name fixing a broken test.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11643 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 20:47:29 +00:00
Jacob Kaplan-Moss 8be1bb2268 Fixed #11625: added comment moderation via admin actions.
This is BACKWARDS INCOMPATIBLE if you were using the completely undocumented moderation view from 1.1. That view's been removed in favor of the admin actions.

Thanks, Thejaswi Puthraya.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11639 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 19:22:31 +00:00
Luke Plant 162fade2b7 Fixed #12060 - equality tests between User and SimpleLazyObject-wrapped User failed.
Also added more tests for SimpleLazyObject

Thanks to ericholscher for report.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11637 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-20 14:11:08 +00:00
Luke Plant c6e8e5d9f0 Fixed non-standard introspection support in LazyObject.
LazyObject called a public method ``get_all_members`` on wrapped objects in
order to allow introspection.  This could easily cause name clashes with
existing methods on wrapped objects, and so has been changed to use the
standard methods.  This could be slightly backwards-incompatible, in obscure
cases, if the undocumented LazyObject has been used externally.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11636 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 21:48:06 +00:00
Luke Plant 22be3d7612 Fixed #12049 - LazyObject-wrapped User breaks queries in template tags
Thanks to chipx86 for the report and patch.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 21:13:22 +00:00
Brian Rosner cb7a3262b5 Moved the call to _get_foreign_key to run in all cases catching incorrect inline setup sooner.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11631 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 19:17:20 +00:00
Brian Rosner 5fc35c9caf Fixed #11709 — Pass inline fk_name attribute when grabbing foreign key to test for exclusion. Thanks yishaibeeri for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11630 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 19:17:07 +00:00
Justin Bronn 69535b7b13 The `OGRGeometry.coord_dim` property may now be set; implemented a work-around for an OGR bug that changed geometries to 3D after transformation. Refs #11433.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11628 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-17 17:32:25 +00:00
Luke Plant e5ab340d17 Licence block for code added in r11586
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11627 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-15 20:25:20 +00:00
Luke Plant a2d8acbacd Fixed a regression on Python 2.6 caused by r11623
This might fix #12037, but I cannot reproduce that bug.
Refs #12037



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11625 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-15 14:12:34 +00:00
Luke Plant c161bf21f0 Fixed #6552, #12031 - Make django.core.context_processors.auth lazy to avoid "Vary: Cookie"
Thanks to olau@iola.dk, Suor for the report



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-14 18:09:13 +00:00
Jacob Kaplan-Moss b30cba4e2b Fixed #11993: fixed the the `floatformat` filter on `NaN` values in Python 2.6.3. Thanks, kklimonda.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11619 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-12 16:53:23 +00:00
Luke Plant c46ddbf1fc Fixed #8274 - allow custom forms for auth 'login' and 'password_change' views
Thanks to julien for the suggestion and patch, and SmileyChris for work on the patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-12 15:32:24 +00:00
Jacob Kaplan-Moss 9f8287a3f1 SECURITY ALERT: Corrected regular expressions for URL and email fields.
Certain email addresses/URLs could trigger a catastrophic backtracking situation, causing 100% CPU and server overload. If deliberately triggered, this could be the basis of a denial-of-service attack.

This security vulnerability was disclosed in public, so we're skipping our
normal security release process to get the fix out as soon as possible.

This is a security related update. A full announcement, as well as backports for the 1.1.X and 1.0.X series will follow.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11603 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-09 20:57:59 +00:00
Russell Keith-Magee 8aee95ca3e Fixed #11995 -- Modified the admin site definition for comments so that users are shown as a raw id list. Thanks to James Bennett for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11601 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-08 13:30:31 +00:00
Luke Plant 175ab92d6b Removed some unused code and improved docstring on auto_adapt_to_methods
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11600 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-01 16:15:27 +00:00
Luke Plant 6e3a72585a Added 'key_prefix' keyword argument to cache_page()
This was available before r11586, but undocumented.  It has now been
re-added with documentation and explicit support, as it seems like a useful
feature and people were using it before.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11595 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-28 21:54:54 +00:00
Luke Plant a97648a7e0 Corrected regressions introduced in r11586 and r11593
I read the order of arguments in the docs incorrectly, doh!


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11594 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-26 19:39:42 +00:00
Luke Plant d6c2286712 Improved error messages when people use cache_page in undocumented and now unsupported ways.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11593 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-23 23:47:53 +00:00
Luke Plant 0a7dc8d590 Fixed typo in docstring for decorator_from_middleware_with_args.
Thanks for the report, kmike



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11590 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-22 21:21:51 +00:00
Luke Plant af02f38e02 Rewrote user_passes_test to use auto_adapt_to_methods, removing the need for _CheckLogin
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11587 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-21 22:34:45 +00:00
Luke Plant afeafcd492 Fixed #6371 - several decorators don't work with bound methods.
This involved changing the way the internal function
decorator_from_middleware works slightly, breaking some code that relied on
the old behaviour.  As a result, it is much simpler, but cache_page has been
made slightly more complex to cope with the change.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11586 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-21 22:31:51 +00:00
Russell Keith-Magee d56c1ab7f0 Fixed #11886 -- Corrected handling of F() expressions that use parentheses. Thanks to Brent Hagany for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11581 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-16 12:09:47 +00:00
Justin Bronn 62180a6b44 Fixed #11827: Can now calculate extent in Oracle on tables with one point.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11577 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-13 17:40:46 +00:00
Russell Keith-Magee 85d4baae39 Fixed #11746 -- Marked a string for translation in the FR localflavor. Thanks to iapain for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11552 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-13 04:40:17 +00:00
Russell Keith-Magee 7ae2f70722 Fixed #11862 -- Corrected an error in the Hebrew translation. Thanks to Adam Rimon for the fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11550 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-13 03:09:35 +00:00
Russell Keith-Magee d2321e37eb Fixed #11660 -- Corrected the CONTENT_TYPE and CONTENT_LENGTH headers provided by the mod_python handler. Thanks to Nowell Strite and Tareque Hossain for the report and fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11528 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-12 21:28:01 +00:00
Justin Bronn 1aef132090 Fixed #11624: `render_to_kmz` no longer balks on non-ASCII data.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11527 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-12 18:35:08 +00:00
Joseph Kocherhans 677ddcbb04 Fixed #10752. Added more advanced bash completion. Thanks, Arthur Koziel.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11526 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-11 23:15:59 +00:00
Luke Plant 7c53c2618d Fixed #10968 - Form.errors should use Form.error_class.
Thanks for report and initial patch, matehat.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11498 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-11 10:47:40 +00:00