Commit Graph

132 Commits

Author SHA1 Message Date
Luke Plant 8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes are found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
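The commit above describes the shape of the new protection (a token carried outside the session, emitted into forms by a template tag, and checked by a view middleware that is on by default) without showing the check itself. The following is an added, stand-alone illustration of that shape written for this page; it is not Django's code. The cookie name, form field name, and the decision to compare a cookie token against a form token are assumptions made for the example.

```python
"""Minimal model of session-free CSRF protection (illustrative, not Django's code)."""
import hmac
import secrets

# Assumed names for the example; real projects may use different ones.
CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # read-only, so never checked


def new_csrf_token() -> str:
    """Fresh random token; hex so it is safe to embed in HTML unescaped."""
    return secrets.token_hex(16)


def csrf_token_tag(cookie_token: str) -> str:
    """What a template tag renders inside a <form>: the cookie token as a hidden field."""
    return f'<input type="hidden" name="{CSRF_FORM_FIELD}" value="{cookie_token}">'


def csrf_check(method: str, cookies: dict, form: dict, csrf_exempt: bool = False):
    """Middleware-style check. Returns (accepted, reason).

    A cross-site page can make the browser *send* our cookie, but cannot *read*
    it, so it cannot copy the value into its forged form. Requiring the form
    value to equal the cookie value therefore rejects forged POSTs without any
    server-side session state.
    """
    if csrf_exempt or method.upper() in SAFE_METHODS:
        return True, "not checked"
    cookie_token = cookies.get(CSRF_COOKIE_NAME, "")
    if not cookie_token:
        return False, "no CSRF cookie"
    submitted = form.get(CSRF_FORM_FIELD, "")
    if not submitted:
        return False, "no token in form"
    # Constant-time comparison on bytes so unusual input cannot raise or leak timing.
    if not hmac.compare_digest(cookie_token.encode(), submitted.encode()):
        return False, "token mismatch"
    return True, "ok"


def simulate(token: str):
    """Constructed scenarios: a legitimate form post and a cross-site forgery."""
    browser_cookies = {CSRF_COOKIE_NAME: token}
    legit_form = {CSRF_FORM_FIELD: token, "action": "change_email"}
    # Attacker's page: browser attaches the cookie, but the attacker never saw it.
    forged_form = {CSRF_FORM_FIELD: "0" * 32, "action": "change_email"}
    return {
        "legit": csrf_check("POST", browser_cookies, legit_form),
        "forged": csrf_check("POST", browser_cookies, forged_form),
        "exempt": csrf_check("POST", browser_cookies, forged_form, csrf_exempt=True),
    }


if __name__ == "__main__":
    t = new_csrf_token()
    print(csrf_token_tag(t))
    print(simulate(t))
```

Note the `csrf_exempt` branch: it models the decorator escape hatch, and every view that takes it is a view the middleware no longer defends, so exemptions deserve the same review as a disabled check.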
Luke Plant 18a67e1069 Fixed #11591: invalid HTML in tabular.html.
Thanks rlaager(at)wiktel.com



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11489 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-10 16:12:08 +00:00
Karen Tracey eaf1f7d6e3 Fixed #11534: Improved wording for admin delete confirmation. Thanks hanksims and others who reported this.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11447 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-08-13 17:16:29 +00:00
Russell Keith-Magee 8d48eaa064 Fixed #10061 -- Added namespacing for named URLs - most importantly, for the admin site, where the absence of this facility was causing problems. Thanks to the many people who contributed to and helped review this patch.
This change is backwards incompatible for anyone that is using the named URLs
introduced in [9739]. Any usage of the old admin_XXX names need to be modified
to use the new namespaced format; in many cases this will be as simple as a
search & replace for "admin_" -> "admin:". See the docs for more details on
the new URL names, and the namespace resolution strategy.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11250 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-16 16:16:13 +00:00
Russell Keith-Magee 708bc80ba6 Fixed #11271 -- Added a translation marker for the list_editable save button. Thanks to dc for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10931 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-06-06 13:43:44 +00:00
Jacob Kaplan-Moss f7d01c49e9 Fixed #10651: fixed a javascript error on the admin user add form. Thanks, seanl.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10714 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-08 12:57:57 +00:00
Russell Keith-Magee e2d66e7d03 Fixed #10959 -- Changed the admin search button text to make it clearer in the UI, and to disambiguate during translation. Thanks to Ramiro Morales for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10678 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-05 22:26:01 +00:00
Russell Keith-Magee 9d28568cb4 Fixed #10275 -- Corrected the edge case of rendering a LogEntry with a contenttype of None. Thanks to Jarek Zgoda for the report, and Peter Bengtsson for the patch
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10675 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-05 11:52:03 +00:00
Russell Keith-Magee 80a54dd23b Fixed #9362 -- Prevented inline forms from overwriting the content_type_id attribute on objects being inlined. Thanks to carljm for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-03 13:38:36 +00:00
Russell Keith-Magee 2c24bba934 Fixed #8903 -- Corrected rendering of admin inline formsets (tabular and stacked) when the inline model has a custom non-autofield primary key. Thanks to dgouldin for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10666 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-03 13:37:20 +00:00
Malcolm Tredinnick 86b6db591c Fixed #9420 -- Fixed admin templates CSS.
Removed some unconditional, invalid, IE-specific notations that were
protecting IE 5 users. IE 5 is sufficiently old, we don't really need to
do that and helping that small userbase at the expense of everybody else
was a slight priority inversion.

Patch from G2P and reviewed by Wilson Miner (who made the original
changes).

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10598 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-19 03:06:29 +00:00
Jacob Kaplan-Moss bb15cee58a Made a bunch of improvements to admin actions. Be warned: this includes one minor but BACKWARDS-INCOMPATIBLE change.
These changes are:

    * BACKWARDS-INCOMPATIBLE CHANGE: action functions and action methods now share the same signature: `(modeladmin, request, queryset)`. Actions defined as methods stay the same, but if you've defined an action as a standalone function you'll now need to add that first `modeladmin` argument.
    * The delete selected action is now a standalone function registered site-wide; this makes disabling it easy.
    * Fixed #10596: there are now official, documented `AdminSite` APIs for dealing with actions, including a method to disable global actions. You can still re-enable globally-disabled actions on a case-by-case basis.
    * Fixed #10595: you can now disable actions for a particular `ModelAdmin` by setting `actions` to `None`.
    * Fixed #10734: actions are now sorted (by name).
    * Fixed #10618: the action is now taken from the form whose "submit" button you clicked, not arbitrarily the last form on the page.
    * All of the above is documented and tested.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10408 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-06 20:23:33 +00:00
Jacob Kaplan-Moss 4e035a03b6 Fixed #8749: add better breadcrumbs in the change password template. Thanks, SmileyChris.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10234 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-30 23:00:55 +00:00
Jacob Kaplan-Moss 44f3080226 Fixed #10505: added support for bulk admin actions, including a globally-available "delete selected" action. See the documentation for details.
This work started life as Brian Beck's "django-batchadmin." It was rewritten for inclusion in Django by Alex Gaynor, Jannis Leidel (jezdez), and Martin Mahner (bartTC). Thanks, guys!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10121 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-23 20:22:56 +00:00
Jacob Kaplan-Moss 7bc0878922 Fixed #8939: added a `list_editable` option to `ModelAdmin`; fields declared `list_editable` may be edited, in bulk, on the changelist page. Thanks, Alex Gaynor.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10077 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-17 20:51:47 +00:00
Russell Keith-Magee 8569157664 Fixed #9276 -- Corrected the way the CSS class is rolled out in a stacked edit-inline template. Thanks to creecode@gmail.com for the report and fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9877 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-22 08:05:40 +00:00
Luke Plant a754165a91 Fixed #9637: Use 'block.super' in admin 'extrastyle' blocks to preserve changes in base_site.html
The current admin templates do not need this.  However, a common way to customize admin
appearance is to provide your own 'base_site.html' template, and add stylesheets using
the extrastyle block.  Without this patch, these customizations are lost.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@9690 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-27 00:01:11 +00:00
Gary Wilson Jr fa7aa7255c Fixed #9732 -- Added missing close paragraph tag to password reset confirmation template, thanks casseen.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9599 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-08 05:41:28 +00:00
Wilson Miner 21e86f2af2 Updated stylesheet link on the change password form.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-11-16 00:09:39 +00:00
Wilson Miner 902df97f36 Removed the hidden import rules in the contrib.admin stylesheets. Each individual stylesheet is now linked to explicitly from the template where it's used (in the extrastyle block), with the exception of widgets.css, which is imported by forms.css, but still available separately for reuse. Also moved the override stylesheets (IE and RTL) below the extrastyle block and all styles within the conditional comment which blocks CSS from IE5 and lower.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9463 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-11-16 00:08:48 +00:00
Karen Tracey c367e2869e Fixed #9514 -- Made admin change_form template correctly recognize/report when a form has only a single error.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9371 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-11-09 18:51:28 +00:00
Wilson Miner 6b82c386f6 Applied contrib.admin IE CSS patches to IE6 and 7, and added simple hacks to filter some rules to both and some only to IE6.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9303 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-31 23:44:24 +00:00
Wilson Miner 50535505a9 Added IE conditional comments to contrib.admin base template to block CSS from IE5 and lower and serve a patch to IE6 with IE conditional comments. Removed dependency on CSS hacks and empty null.css file.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9300 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-31 23:01:38 +00:00
Brian Rosner 0ea15f5650 Fixed #8882 -- When a foreign key is among the unique_together fields in an inline formset properly handle it.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9297 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-31 22:07:05 +00:00
Karen Tracey 03070a9955 Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alen__ribic.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9276 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-24 19:14:24 +00:00
Brian Rosner 5e5af8a8aa Display non_field_errors of inline forms in the admin. This was a presentation bug.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9243 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-21 20:25:45 +00:00
Karen Tracey 0ededc611f Fixed 8984: Only include a "Documentation" link on change password and change password done pages if admin docs have been configured.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9079 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-21 16:15:09 +00:00
Adrian Holovaty 6bdb7b9529 Fixed #8172 -- Improved a whole bunch of contrib templates (admin, databrowse, admindocs, etc.) to remove unnecessary 'escape' filters, given autoescaping. Also removed unnecessary {% if %} tags and shortened some {% if %}/{% else %} tags to use {% firstof %}. Thanks for the patch, benspaulding
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8984 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-08 05:19:28 +00:00
Malcolm Tredinnick 42393ff604 Fixed #8812 -- Fixed up the positioning of the "delete" link in the admin
interface for right-to-left languages (Hebrew, Arabic, etc). Patch from Jannis
Leidel.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8903 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-03 04:22:39 +00:00
Jacob Kaplan-Moss 0e5faf225c Security fix. Announcement forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8877 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-02 21:10:00 +00:00
Jacob Kaplan-Moss 7a9b55ddc4 Fixed #2612: fixed display of admin `help_text` with multiple fields on the same line. Thanks to Nathan Borror for the original patch, and jezdez for a little cleanup.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8871 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-02 19:25:27 +00:00
Brian Rosner eefec151d1 Fixed #2612 -- Fixed admin formatting when help_text is used with multiple fields on the same line.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8824 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-01 22:59:43 +00:00
Brian Rosner 30c7ce90c5 Fixed #8631 -- Corrected a display issue with the popup submit_row where the Save button would overflow. Thanks btaylordesign for report and initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8762 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-31 17:13:29 +00:00
Jacob Kaplan-Moss 0871ff2c9c Fixed #7810: added named URLs for admin docs, and use them in the admin base template. Thanks, MattBowen.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8717 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 19:28:53 +00:00
Brian Rosner 5dd68fa74a Marked a couple of unmarked strings in edit_inline templates and corrected a marked string.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8587 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-26 18:15:19 +00:00
Brian Rosner 5a72589d7a Fixed #7984 -- 'View on site' links now work in inlines. Thanks philwo for the report and initial patch by julianb.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8586 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-26 18:07:36 +00:00
Brian Rosner 853f4d29b8 Fixed #8547 -- Corrected the breadcrumb display in the object_history.html template. Thanks sorl for catching this.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8555 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-25 19:56:14 +00:00
Russell Keith-Magee 78c2c95ed3 Fixed #8129: Modified the password reset email template to use a URL lookup, so that the email doesn't require customization based on the way that the reset view is deployed. Thanks to davenaff for the report and fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8517 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-24 08:51:33 +00:00
Malcolm Tredinnick b3688e8194 Fixed #7903 -- Allow admin's prepopulated_from to work with TextFields. Patch
from mk and Alex Gaynor.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8505 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 22:10:45 +00:00
Malcolm Tredinnick c83a96d298 Tweaked the Admin add/change page so that "save" is still highlighted
to look like the default button and it actually operates as the default
(previously "save and add another" was the default action, which confused
people if you hit the save button and it looked like your work was eaten by a
grue).

Fixed #7272. Patch from Jannis Leidel.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8501 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 19:07:49 +00:00
Malcolm Tredinnick cc95b44547 Updated password change template (in admin templates) to use current form
variables (rather than oldforms stuff). Patch from Mike Richardson. Refs #8402.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8496 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 18:20:19 +00:00
Russell Keith-Magee 358ba07166 Fixed #7946: Modified object history template to use a common date format. Thanks to Marc Garcia for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8485 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 14:23:50 +00:00
Brian Rosner 77c78201b8 Fixed #1390 -- Added an app index in the admin interface. Thanks juliae and ext for their work on patches.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8474 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 04:00:15 +00:00
Brian Rosner d7467a0bfc Fixed #957 -- prepopulated_fields now works correctly on inlines.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8385 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:38:39 +00:00
Gary Wilson Jr dd842ad34d Refs #7742 -- Changed the `django.contrib.admin.views.template.template_validator` view to use newforms instead of oldforms.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8294 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-11 04:31:55 +00:00
Jacob Kaplan-Moss 88baf06c3d Fixed #7811: moved admindocs templates into admindocs/templates. This is slightly backwards-incompatible in that if you're using the admindocs you'll need to add 'django.contrib.admindocs' to INSTALLED_APPS.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8264 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 15:53:50 +00:00
Brian Rosner 5d199ba901 Fixed #8163 -- Restore oldforms admin styling on input fields. Also cleaned up some styles for both tabular and stacked inlines. Thanks Nathan Borror for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8240 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-08 19:54:34 +00:00
Luke Plant 7b4b1309d9 Added a 'name' attribute to the 'Save' button on admin change form
This makes it much easier/possible for testing tools e.g. twill to find
the 'Save' submit button.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@8226 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-07 21:18:43 +00:00
Luke Plant 079e5bf1ec Added a login link to the password reset completion screen.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8171 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-01 16:13:12 +00:00
Luke Plant fcd837cd0f Fixed #7723 - implemented a secure password reset form that uses a token and prompts user for new password.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8162 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-31 20:47:53 +00:00