Commit Graph

98 Commits

Author SHA1 Message Date
Tim Graham 5891fd3f89 [1.7.x] Fixed #21649 -- Added optional invalidation of sessions when user password changes.
Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.

Backport of fd23c06023 from master
2014-04-05 13:01:03 -04:00
Aymeric Augustin 8b67fa7551 Revert "Reordered INSTALLED_APPS in default template, refs #22005"
This reverts commit a718fcf201.
2014-03-09 20:10:56 +01:00
Florian Apolloner a718fcf201 Reordered INSTALLED_APPS in default template, refs #22005 2014-02-11 09:01:48 +01:00
Aymeric Augustin 2ff93e027c Fixed #21829 -- Added default AppConfigs.
Thanks Russell for the report, Marc for the initial patch, Carl for the
final review, and everyone who contributed to the design discussion.
2014-01-25 10:41:56 +01:00
Aymeric Augustin 10e0cfc0e4 Fixed #21712 -- Moved autodiscover() to AdminConfig.ready().
Thanks Marc Tamlyn for the initial version of the patch.
2014-01-18 23:06:00 +01:00
Aymeric Augustin 23229061fc Removed LocaleMiddleware from settings template.
It was added in 3f1c7b7053.

Single language sites should always be translated in LANGUAGE_CODE,
regardless of the browser's Accept-Language. Having LocaleMiddleware
enabled can result in having some parts, like the admin, translated
in an unexpected language, typically if someone browses a non-English
website on a system set up in English. Since most websites won't be
translated in multiple languages — especially at the time they're
created — it's better not to enable LocaleMiddleware by default.

Thanks Ramiro for the feedback.
2013-04-05 13:08:50 +02:00
Aymeric Augustin 912b5d2a6b Fixed #19697 -- Added a deployment checklist. 2013-03-17 19:21:36 +01:00
Carl Meyer d51fb74360 Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin 3f1c7b7053 Simplified default project template.
Squashed commit of:

commit 508ec9144b35c50794708225b496bde1eb5e60aa
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 22:50:55 2013 +0100

    Tweaked default settings file.

    * Explained why BASE_DIR exists.
    * Added a link to the database configuration options, and put it in its
      own section.
    * Moved sensitive settings that must be changed for production at the
      top.

commit 6515fd2f1aa73a86dc8dbd2ccf512ddb6b140d57
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 14:35:21 2013 +0100

    Documented the simplified app & project templates in the changelog.

commit 2c5b576c2ea91d84273a019b3d0b3b8b4da72f23
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 13:59:27 2013 +0100

    Minor fixes in tutorials 5 and 6.

commit 55a51531be8104f21b3cca3f6bf70b0a7139a041
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 13:51:11 2013 +0100

    Updated tutorial 2 for the new project template.

commit 29ddae87bdaecff12dd31b16b000c01efbde9e20
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 11:58:54 2013 +0100

    Updated tutorial 1 for the new project template.

commit 0ecb9f6e2514cfd26a678a280d471433375101a3
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 11:29:13 2013 +0100

    Adjusted the default URLconf detection to account for the admin.

    It's now enabled by default.

commit 5fb4da0d3d09dac28dd94e3fde92b9d4335c0565
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 10:36:55 2013 +0100

    Added security warnings for the most sensitive settings.

commit 718d84bd8ac4a42fb4b28ec93965de32680f091e
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 23:24:06 2013 +0100

    Used an absolute path for the SQLite database.

    This ensures the settings file works regardless of which directory
    django-admin.py / manage.py is invoked from.

    BASE_DIR got a +1 from a BDFL and another core dev. It doesn't involve
    the concept of a "Django project"; it's just a convenient way to express
    relative paths within the source code repository for non-Python files.

    Thanks Jacob Kaplan-Moss for the suggestion.

commit 1b559b4bcda622e10909b68fe5cab90db6727dd9
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 23:22:40 2013 +0100

    Removed STATIC_ROOT from the default settings template.

    It isn't necessary in development, and it confuses beginners to no end.

    Thanks Carl Meyer for the suggestion.

commit a55f141a500bb7c9a1bc259bbe1954c13b199671
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 23:21:43 2013 +0100

    Removed MEDIA_ROOT/URL from default settings template.

    Many sites will never deal with user-uploaded files, and MEDIA_ROOT is
    complicated to explain.

    Thanks Carl Meyer for the suggestion.

commit 44bf2f2441420fd9429ee9fe1f7207f92dd87e70
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 22:22:09 2013 +0100

    Removed logging config.

    This configuration is applied regardless of the value of LOGGING;
    duplicating it in LOGGING is confusing.

commit eac747e848eaed65fd5f6f254f0a7559d856f88f
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 22:05:31 2013 +0100

    Enabled the locale middleware by default.

    USE_I18N is True by default, and doesn't work well without
    LocaleMiddleware.

commit d806c62b2d00826dc2688c84b092627b8d571cab
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 22:03:16 2013 +0100

    Enabled clickjacking protection by default.

commit 99152c30e6a15003f0b6737dc78e87adf462aacb
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 22:01:48 2013 +0100

    Reorganized settings in logical sections, and trimmed comments.

commit d37ffdfcb24b7e0ec7cc113d07190f65fb12fb8a
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 16:54:11 2013 +0100

    Avoided misleading TEMPLATE_DEBUG = DEBUG.

    According to the docs TEMPLATE_DEBUG works only when DEBUG = True.

commit 15d9478d3a9850e85841e7cf09cf83050371c6bf
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 16:46:25 2013 +0100

    Removed STATICFILES_FINDERS/TEMPLATE_LOADERS from default settings file.

    Only developers with special needs ever need to change these settings.

commit 574da0eb5bfb4570883756914b4dbd7e20e1f61e
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 16:45:01 2013 +0100

    Removed STATICFILES/TEMPLATES_DIRS from default settings file.

    The current best practice is to put static files and templates in
    applications, for easier testing and deployment.

commit 8cb18dbe56629aa1be74718a07e7cc66b4f9c9f0
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 16:24:16 2013 +0100

    Removed settings related to email reporting from default settings file.

    While handy for small scale projects, it isn't exactly a best practice.

commit 8ecbfcb3638058f0c49922540f874a7d802d864f
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 18:54:43 2013 +0100

    Documented how to enable the sites framework.

commit 23fc91a6fa67d91ddd9d71b1c3e0dc26bdad9841
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 16:28:59 2013 +0100

    Disabled the sites framework by default.

    RequestSite does the job for single-domain websites.

commit c4d82eb8afc0eb8568bf9c4d12644272415e3960
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Jan 29 00:08:33 2013 +0100

    Added a default admin.py to the application template.

    Thanks Ryan D Hiebert for the suggestion.

commit 4071dc771e5c44b1c5ebb9beecefb164ae465e22
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 10:59:49 2013 +0100

    Enabled the admin by default.

    Everyone uses the admin.

commit c807a31f8d89e7e7fd97380e3023f7983a8b6fcb
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 10:57:05 2013 +0100

    Removed admindocs from default project template.

commit 09e4ce0e652a97da1a9e285046a91c8ad7a9189c
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 16:32:52 2013 +0100

    Added links to the settings documentation.

commit 5b8f5eaef364eb790fcde6f9e86f7d266074cca8
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 11:06:54 2013 +0100

    Used a significant example for URLconf includes.

commit 908e91d6fcee2a3cb51ca26ecdf12a6a24e69ef8
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 16:22:31 2013 +0100

    Moved code comments about WSGI to docs, and rewrote said docs.

commit 50417e51996146f891d08ca8b74dcc736a581932
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Jan 28 15:51:50 2013 +0100

    Normalized the default application template.

    Removed the default test that 1 + 1 = 2, because it's been committed
    way too many times, in too many projects.

    Added an import of `render` for views, because the first view will
    often be:

    def home(request):
        return render(request, "mysite/home.html")
2013-02-04 13:21:36 +01:00
Chris McDonald ee96f83ab0 Consistently indent comments in project template
Makes this file slightly more pep8 compliant.
2012-10-28 14:46:09 -07:00
Carl Meyer 751a7d0c32 Fixed #18518 -- Add warning re mod_wsgi and wsgi.py environ handling. 2012-09-27 20:35:57 -06:00
Tim Graham f7142b6111 Fixed #9920 - Clarfied empty string vs. localhost in settings database host.
Thanks chromano for the draft patch.
2012-09-01 09:03:05 -04:00
Aymeric Augustin 17f3e9258e Fixed #18397 -- Avoided referencing lawrence.com.
This commit includes multiple small related changes, see the ticket
for a full discussion.
2012-06-07 11:50:20 +02:00
Aymeric Augustin 00ec03fd44 Fixed #17733 -- Discouraged setting TIME_ZONE to None when USE_TZ is True. Thanks berdario for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17809 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-26 14:17:13 +00:00
Jannis Leidel 4219e2b7f8 Fixed #17920 -- Actually pass the full path of a newly created project or app in the template context as mentioned in the startproject docs. Many thanks to Preston Holmes for the initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17773 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-21 22:29:32 +00:00
Jannis Leidel a9a0f0b03f Fixed #17042 -- Extended startproject and startapp management commands to better handle custom app and project templates. Many thanks to Preston Holmes for his initial patch and Alex Gaynor, Carl Meyer, Donald Stufft, Jacob Kaplan-Moss and Julien Phalip for code reviewing.
* Added ability to pass the project or app directory path as the second argument
* Added ``--template`` option for specifying custom project and app templates
* Cleaned up admin_scripts tests a little while I was there

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17246 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-22 22:38:02 +00:00
Aymeric Augustin 9b1cb755a2 Added support for time zones. Thanks Luke Plant for the review. Fixed #2626.
For more information on this project, see this thread:
http://groups.google.com/group/django-developers/browse_thread/thread/cf0423bbb85b1bbf



git-svn-id: http://code.djangoproject.com/svn/django/trunk@17106 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-18 13:01:06 +00:00
Carl Meyer 145a77edc9 Fixed #16360 -- Added WSGI entrypoint to startproject layout, and enabled internal servers (runserver and runfcgi) to use an externally-defined WSGI application. Thanks to Armin Ronacher, Jannis Leidel, Alex Gaynor, ptone, and Jacob Kaplan-Moss.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17022 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-22 04:30:10 +00:00
Carl Meyer 38f1fe3b35 Fixed #15372 -- Switched to a startproject default layout that allows us to avoid sys.path hacks.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16964 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-13 05:56:15 +00:00
Carl Meyer 343004c4de Fixed #16568 -- Added RequireDebugFalse filter to prevent sending 500 error emails when DEBUG is True in projects with no explicit LOGGING setting. Thanks to Andreas Pelme for report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-16 16:41:38 +00:00
Ramiro Morales 26b8122087 Fixed #14675 -- Completed removal of `from django.conf.urls.default import *` usage.
This applies to both our own [test] code and documentation examples. Also:
 * Moved the functions and handlers from `django.conf.urls.defaults` up to
   `django.conf.urls` deprecating the former module.
 * Added documentation for `handler403`.
 * Tweaked the URLs topic document a bit.

Thanks to pupeno and cdestigter for their great work contributing patches.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16818 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-11 22:36:16 +00:00
Jannis Leidel 38a2444277 Fixed #16050 -- BACKWARDS-INCOMPATIBLE CHANGE: Moved static files of the admin to conventional file system location.
This also removes the need for ADMIN_MEDIA_PREFIX and replaces it with the convention to find admin's static files at STATIC_URL + 'admin/'.

Thanks to Jacob for the review and general help.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16487 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-30 09:06:19 +00:00
Carl Meyer 43503b093a Fixed #16288 -- Enabled django.request exception logger regardless of DEBUG setting.
Thanks Matt Bennett for report and draft patch; Vinay Sajip and Russell Keith-Magee for review.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16444 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-22 06:01:44 +00:00
Luke Plant 524c5fa07a Fixed #14261 - Added clickjacking protection (X-Frame-Options header)
Many thanks to rniemeyer for the patch!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16298 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-30 22:27:47 +00:00
Adrian Holovaty f8495d2371 Fixed #15822 -- Removed references to the v1 postgresql backend (which has been removed). Thanks for the patch, aaugustin
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16034 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-17 20:45:06 +00:00
Ramiro Morales a797b7dba0 Fixed #14130 -- Made manage.py error reporting more useful when the settings.py file triggers import errors (in new projects). Thanks Setok for the report, mk and steph for their work.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15522 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-13 01:56:12 +00:00
Jannis Leidel ff4a24af51 Fixed whitespace errors in settings modules.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15501 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-12 19:11:42 +00:00
Carl Meyer 0ffa39f744 Refs #14675 - Added import of url() function in project template urls.py, added commented sample named url, and converted existing sample patterns to use url().
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15415 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-04 17:37:25 +00:00
Carl Meyer a158873488 We have always been at war with 'import *'.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15401 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-03 04:55:43 +00:00
Carl Meyer 76fb2bb0e2 Fixed some documentation and default-settings.py comments that were misleading about the purpose of STATIC_ROOT, and removed an unused import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15384 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-01 14:28:07 +00:00
Jannis Leidel 544ab30ed7 Fixed #6218 -- Made MEDIA_URL and STATIC_URL require a trailing slash to ensure there is a consistent way to combine paths in templates. Thanks to Michael Toomim, Chris Heisel and Chris Beaven.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15130 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-02 01:33:11 +00:00
Jannis Leidel 33d8fcde8a Fixed #14693, #14709 -- Backwards incompatible change to rectify the confusion around the STATICFILES_URL and STATICFILES_ROOT settings.
* Two new global settings that will be used by -- **but are not limited to** -- the staticfiles app: STATIC_ROOT and STATIC_URL.

  * Moving the 'django.contrib.staticfiles.templatetags.staticfiles' template tag to the core ('django.templatetags.static') and renaming it to 'get_static_prefix'.

  * Moving the context processor 'django.contrib.staticfiles.context_processors.staticfiles' to the core ('django.core.context_processors.static') and renaming it to 'static'.

  * Paths in media definitions will use STATIC_URL as the prefix if the value is not None, and falls back to the previously used MEDIA_URL.

Thanks again to the community for constructive criticism and Carl and Russ for sanity-inducing discussions on IRC.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14592 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-17 15:36:26 +00:00
Adrian Holovaty 5844cdca38 Small grammar fix in 'user-uploaded files' comment from [14560]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14582 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-16 23:48:08 +00:00
Ramiro Morales 74f46c0ae2 Fixed #10650 -- Clarified description of MEDIA_ROOT in setting files. Thanks jjconti, tvon, vak, Muhammad Alkarouri and thiggins for their work.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14560 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-14 15:42:54 +00:00
Carl Meyer 4ba6348a00 Fixed #14598 -- Changed some 'domain.com' uses to 'example.com'
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14440 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-02 16:19:17 +00:00
Jannis Leidel cfc19f84de Fixed #12323 and #11582 -- Extended the ability to handle static files. Thanks to all for helping with the original app, the patch, documentation and general support.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14293 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-20 01:33:24 +00:00
Russell Keith-Magee 24acca4139 Fixed #12012 -- Added support for logging. Thanks to Vinay Sajip for his draft patch, and to the many people who gave feedback during development of the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 15:12:39 +00:00
Russell Keith-Magee f4dd38757c Fixed #13681 -- Added a commented out admindocs entry to the default INSTALLED_APPS for a new project. Thanks to elkan for the report, and andrews for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13658 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-28 12:38:05 +00:00
Jannis Leidel 44390aeb5d Fixed #13045 - Add USE_L10N to the project skeleton settings.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12786 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-15 12:16:21 +00:00
Russell Keith-Magee 46cc7021a8 Fixed #1480 -- Added the ability to use the system timezone. Thanks to Ramiro Morales for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12602 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-26 15:33:27 +00:00
Jannis Leidel 2e91309c55 Fixed #12675 - Add the admin app to the project template settings.py for consistency with the urls.py. Thanks, stephanhoyer.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-21 23:39:45 +00:00
Russell Keith-Magee ff60c5f9de Fixed #1142 -- Added multiple database support.
This monster of a patch is the result of Alex Gaynor's 2009 Google Summer of Code project.
Congratulations to Alex for a job well done.

Big thanks also go to:
 * Justin Bronn for keeping GIS in line with the changes,
 * Karen Tracey and Jani Tiainen for their help testing Oracle support
 * Brett Hoerner, Jon Loyens, and Craig Kimmerer for their feedback.
 * Malcolm Treddinick for his guidance during the GSoC submission process.
 * Simon Willison for driving the original design process
 * Cal Henderson for complaining about ponies he wanted.

... and everyone else too numerous to mention that helped to bring this feature into fruition.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11952 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-22 15:18:51 +00:00
Russell Keith-Magee 44b9076bbe Fixed #6262 -- Added a cached template loader, and modified existing template loaders and tag to be cacheable. Thanks to Mike Malone for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11862 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-14 12:08:23 +00:00
Luke Plant 25020ddb05 Fixed #4604 - Configurable message passing system, supporting anonymous users
This deprecates User.message_set in favour of a configurable messaging
system, with backends provided for cookie storage, session storage and
backward compatibility.

Many thanks to Tobias McNulty for the bulk of the work here, with
contributions from Chris Beaven (SmileyChris) and lots of code review from
Russell Keith-Magee, and input from many others.  Also credit to the authors
of various messaging systems for Django whose ideas may have been pinched
:-)



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11804 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-09 16:57:23 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatiblity with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant 8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes is found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Luke Plant 20f7e51493 Reverted 10094 and 10095 (in favour of solution that will hopefully land for beta 2)
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10128 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-23 23:02:46 +00:00
Luke Plant 2d28724730 Added CSRF middleware to default settings and updated docs.
Updated docs to reflect the change, and the fact that using the
two separate middleware is preferred to using the combined one.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@10094 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-19 23:14:20 +00:00
Jacob Kaplan-Moss 1f84630c87 Fixed #6470: made the admin use a URL resolver.
This *is* backwards compatible, but `admin.site.root()` has been deprecated. The new style is `('^admin/', include(admin.site.urls))`; users will need to update their code to take advantage of the new customizable admin URLs.

Thanks to Alex Gaynor.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9739 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-01-14 20:22:25 +00:00
Jacob Kaplan-Moss 24d7b49849 Fixed #8496: added a note about admindocs to the project template and the tutorial. Thanks, ericvw.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8859 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-02 16:52:42 +00:00