Commit Graph

125 Commits

Author SHA1 Message Date
Jannis Leidel 9b7be918ed Fixed #12325 -- Allows zero values for moderate_after and close_after fields of comment moderators. Thanks, Gabriel Hurley.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14556 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-13 18:42:56 +00:00
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All ad hoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
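An added example (not Django's own code, though it follows the scheme the commit message above describes): a per-application key is derived with SHA1 over a key salt plus the shared secret, values are tagged with HMAC-SHA1 under that key, and tags are checked with a constant-time comparison rather than plain string equality. The SECRET_KEY, the key salts and the tagged values are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample secret; a real deployment uses its own SECRET_KEY.
SECRET_KEY = "constructed-example-secret-key-not-for-real-use"


def salted_key(key_salt: str, secret: str = SECRET_KEY) -> bytes:
    """Derive a per-application key: SHA1 over the salt plus the shared secret.

    Each use (sessions, messages, password reset ...) passes its own key_salt,
    so a tag produced for one application is not valid for another.
    """
    return hashlib.sha1((key_salt + secret).encode("utf-8")).digest()


def make_tag(key_salt: str, value: str, secret: str = SECRET_KEY) -> str:
    """Return the hex HMAC-SHA1 tag authenticating `value` under `key_salt`."""
    key = salted_key(key_salt, secret)
    return hmac.new(key, value.encode("utf-8"), hashlib.sha1).hexdigest()


def constant_time_compare(a: str, b: str) -> bool:
    """Compare two strings without revealing, via timing, where they differ.

    Plain `a == b` returns at the first mismatching byte, so the response
    time grows with the length of the matching prefix. Here every byte is
    visited and the mismatches are OR-ed together. The early length check
    only leaks the length, which for fixed-size tags is public anyway.
    """
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(a.encode("utf-8"), b.encode("utf-8")):
        result |= x ^ y
    return result == 0


def verify_tag(key_salt: str, value: str, tag: str, secret: str = SECRET_KEY) -> bool:
    """Recompute the expected tag for `value` and compare it in constant time."""
    return constant_time_compare(make_tag(key_salt, value, secret), tag)


if __name__ == "__main__":
    tag = make_tag("myapp.sessions", "user=42")
    print("tag:", tag)
    print("valid:", verify_tag("myapp.sessions", "user=42", tag))
    print("tampered value:", verify_tag("myapp.sessions", "user=43", tag))
    print("other application:", verify_tag("myapp.messages", "user=42", tag))
```

On Python 3.3 and later the standard library's `hmac.compare_digest` does the same job as `constant_time_compare` and should be preferred in production code.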
Russell Keith-Magee a904e55859 Fixed #11509 -- Modified usage of "Web" to match our style guide in various documentation, comments and code. Thanks to timo and Simon Meers for the work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14069 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-09 08:12:50 +00:00
Adrian Holovaty 157583f916 Fixed #14412 -- Pointed contrib.comments comments-url-redirect URLpattern at the actual view instead of the deprecated view. Thanks, subsume
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13995 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-06 22:56:52 +00:00
Luke Plant 763bcf8472 Fixed paste-o in [13855]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13857 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-14 21:40:23 +00:00
Luke Plant 34a4af50be Fixed #2283 (again) - comment form templates don't validate as XHTML
Thanks to hjoreteg/thejaswi_puthraya for the report and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13855 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-14 14:22:35 +00:00
Karen Tracey e434573ef1 Changed the comments post view code to avoid raising an exception if handed invalid data for the object pk. Thanks to Leo for the test.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12800 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-16 22:37:45 +00:00
Russell Keith-Magee fbf00078e1 Fixed #12940 -- Modified some admin actions in contrib.comments to use ungettext in order to support Russian (and similar) pluralization rules. Thanks to void for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12770 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-12 15:32:06 +00:00
Karen Tracey 80545c3685 Fixed #12151: Ensured the comments code does not cause a server error when a request comes in for a comment specifying an invalid primary key value. Thanks thejaswi_puthraya.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12681 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-05 20:17:52 +00:00
Jacob Kaplan-Moss 8b2662c5de Fixed #10878, an error in the `Moderator` docstring.
Thanks, Travis Cline.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12639 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-01 20:18:52 +00:00
Russell Keith-Magee c4c27d8a04 Fixed #6188, #6304, #6618, #6969, #8758, #8989, #10334, #11069, #11973 and #12403 -- Modified the syndication framework to use class-based views. Thanks to Ben Firshman for his work on this patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12338 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-28 13:46:18 +00:00
Russell Keith-Magee 3f68d255e2 Fixed #12600 -- Added some extra search paths for comment preview templates, allowing for naming parity with other templates in comments and admin. Thanks to hvdklauw for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12337 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-28 11:30:29 +00:00
Luke Plant 48edb177ed Fixed #12053 - form examples don't validate according to w3c
Thanks to skyl for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12086 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-04 21:55:52 +00:00
Jannis Leidel b9d698e9f2 Fixed #10285 - Added render_comment_list template tag to comments app. Thanks Kyle Fuller for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12082 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-04 02:29:12 +00:00
Jannis Leidel abcf997713 Fixed #11100 - Added get_comment_permalink template tag to comments app to be able to customize the anchor pattern of a comment from the template. Thanks to Idan Gazit for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12080 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-04 02:28:09 +00:00
Russell Keith-Magee ff60c5f9de Fixed #1142 -- Added multiple database support.
This monster of a patch is the result of Alex Gaynor's 2009 Google Summer of Code project.
Congratulations to Alex for a job well done.

Big thanks also go to:
 * Justin Bronn for keeping GIS in line with the changes,
 * Karen Tracey and Jani Tiainen for their help testing Oracle support
 * Brett Hoerner, Jon Loyens, and Craig Kimmerer for their feedback.
 * Malcolm Tredinnick for his guidance during the GSoC submission process.
 * Simon Willison for driving the original design process
 * Cal Henderson for complaining about ponies he wanted.

... and everyone else too numerous to mention that helped to bring this feature to fruition.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11952 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-22 15:18:51 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatibility with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant 8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes are found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Jacob Kaplan-Moss 8be1bb2268 Fixed #11625: added comment moderation via admin actions.
This is BACKWARDS INCOMPATIBLE if you were using the completely undocumented moderation view from 1.1. That view's been removed in favor of the admin actions.

Thanks, Thejaswi Puthraya.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11639 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 19:22:31 +00:00
Russell Keith-Magee 8aee95ca3e Fixed #11995 -- Modified the admin site definition for comments so that users are shown as a raw id list. Thanks to James Bennett for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11601 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-08 13:30:31 +00:00
Russell Keith-Magee f908eded21 Fixed #9268 -- Ensured that the next argument is passed on when previewing comments. Thanks to leanmeandonothingmachine for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11019 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-06-17 13:01:40 +00:00
Jacob Kaplan-Moss d246401552 Fixed #11113: fixed a couple of issues that slipped through the cracks when comment moderation was added to `django.contrib.comments`.
This is a potentially backwards-incompatible change for users already relying on the internals of comment moderation. To wit:

   * The moderation system now listens to the new `comment_will_be_posted`/`comment_was_posted` signals instead of `pre/post_save`. This means that important request-based information is available to moderation as it should be.
   * Some experimental code from `django.contrib.comments.moderation` has been removed. It was never intended to be merged into Django, and was completely untested and likely buggy.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10784 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-14 15:20:50 +00:00
Jacob Kaplan-Moss 752cc49a62 Fixed #10169: don't accidentally try to redirect to "None" after posting a comment.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10429 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-07 20:22:36 +00:00
Jacob Kaplan-Moss f2bdc14a95 Fixed #10633, #10691: marked strings in the comments app for translation. Thanks, zgoda.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10427 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-07 19:57:01 +00:00
Jacob Kaplan-Moss 6319470f88 Fixed #10585: comment redirects built from the `next` parameter now work correctly when `next` already contains a query string.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10424 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-07 19:49:07 +00:00
Jacob Kaplan-Moss eef2c5f6de Fixed #9956: relax the URL pattern for primary keys in the comment redirect so that models with custom PKs aren't cut out of the loop.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10422 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-07 19:40:59 +00:00
Jacob Kaplan-Moss 92a38be9c6 Fixed #9792: corrected invalid HTML in the comment form and comment preview.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10420 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-07 19:34:21 +00:00
Jacob Kaplan-Moss f8adf99cdb Fixed #9268: pass the "next" param through in the comment preview/post view. Also updated the docs to make this a bit clearer.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10418 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-07 19:28:13 +00:00
Jacob Kaplan-Moss f0560dfdb2 Fixed #9282: added a generic comment moderation toolkit. See the documentation for details.
This began life as (part of) James Bennett's comment-utils app, and was adapted to be part of Django by Thejaswi Puthraya and Jannis Leidel. Thanks, all!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10122 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-23 21:07:02 +00:00
Jacob Kaplan-Moss 231a7e0419 Fixed #9958: split the `CommentForm` into a set of smaller forms. This for better encapsulation, but also so that it's easier for subclasses to get at the pieces they might need. Thanks to Thejaswi Puthraya.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10110 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-21 13:45:31 +00:00
Jacob Kaplan-Moss e923b545a4 Fixed #9303 (again) by removing some code missing in [9891].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10109 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-21 13:45:15 +00:00
Jacob Kaplan-Moss c485e236bd Fixed #8193: all dynamic imports in Django are now done correctly. I know this because Brett Cannon borrowed the time machine and brought Python 2.7's `importlib` back for inclusion in Django. Thanks for the patch-from-the-future, Brett!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10088 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-18 16:55:59 +00:00
Jacob Kaplan-Moss 1aac357d34 Fixed #9303: comment templatetags no longer assume the built-in comment model.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9891 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-23 22:46:32 +00:00
Jacob Kaplan-Moss 63d85a684a Fixed #8630: finished the custom comment app API that was left out of 1.0. This means it's now possible to override any of the models, forms, or views used by the comment app; see the new custom comment app docs for details and an example. Thanks to Thejaswi Puthraya for the original patch, and to carljm for docs and tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9890 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-23 22:16:26 +00:00
Jacob Kaplan-Moss 7d4a954836 Refactored CommentForm.get_comment_object into a handful of separate methods to make it easier for subclasses to provide custom models and data. Refs #8630.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9889 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-23 22:16:00 +00:00
Jacob Kaplan-Moss 4035ea3538 A few small fixes to django.contrib.comments (Comment.get_as_text for non-authenticated users; references to Comment.permalink; unused imports). Fixes #9143, #9429, and #9439. Thanks, Thejaswi Puthraya.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9730 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-01-12 17:27:41 +00:00
Malcolm Tredinnick cff78c60ac Fixed #8963 -- Use the require_POST decorator instead of doing things manually in one of the comment views. Thanks, zgoda.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9121 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-05 05:10:35 +00:00
Malcolm Tredinnick 645029accb Fixed #9100 -- Added a missing CSS class to a submit button.
Thanks, mordyovits and thejaswi_puthraya.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9120 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-05 05:09:59 +00:00
Malcolm Tredinnick 8524089769 Add internationalisation support to the comment templates. Fixed #8868, #8905
Thanks to zgoda for a patch that did most of the internationalisation part.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9119 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-05 05:09:21 +00:00
Malcolm Tredinnick 227a93b64f Fixed #8803 -- Allow authenticated users without first_name/last_name values set to post comments.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9118 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-05 05:07:32 +00:00
Malcolm Tredinnick 16d0a615c4 Fixed #8869 -- Fixed comments templates to be well-formed XHTML.
Based on a patch from zgoda.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9117 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-05 05:06:26 +00:00
Malcolm Tredinnick 18f13aeeab Fixed #8879 -- Used ungettext instead of ngettext in the comments framework.
Patch from zgoda.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9116 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-05 05:05:32 +00:00
Malcolm Tredinnick cf34d1f687 Fixed #9141 -- Removed two templates from django.contrib.comments that were not being used.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9115 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-05 05:04:56 +00:00
James Bennett 788e6c081b Use correct m2m join table name in LatestCommentsFeed
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9089 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-28 02:55:56 +00:00
James Bennett cc72e64e19 Fixed #9203: Restore correct ordering for LatestCommentsFeed
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9088 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-28 02:50:09 +00:00
Adrian Holovaty 8ec8e1a5e8 Fixed #8870 -- Changed django.contrib.comments templates to use lowercase 'post' for <form method> attributes, to be consistent with our other templates. Thanks, zgoda
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9050 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-16 06:15:26 +00:00
Wilson Miner b79cb53d76 Fixed #8917 -- Comments are now displayed in reverse order by submit_date in the admin. Thanks to arien for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9038 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-16 00:25:21 +00:00
Adrian Holovaty 5cc93500e8 Fixed #8959 -- Removed redundant calls to the 'escape' template filter in the django.contrib.comments templates. Thanks, zgoda
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9000 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-10 05:14:59 +00:00
Malcolm Tredinnick 96a417f91d Fixed two XHTML errors pointed out by Jarek Zgoda. Refs #8855.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8958 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-03 22:46:39 +00:00
Malcolm Tredinnick e1f1bda3c7 Fixed #8614 -- Typo fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8933 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-03 18:44:19 +00:00