p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Better description in the release notes of what's going on with the PasswordInput change. 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14541 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
James Bennett 2010-11-12 16:12:38 +00:00
parent b951ffbc6b
commit dc0accb5a3
2 changed files with 29 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
docs/releases/1.3-alpha-1.txt
View File

@ -169,29 +169,27 @@ Backwards-incompatible changes in 1.3 alpha 1
PasswordInput default rendering behavior PasswordInput default rendering behavior
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Prior to Django 1.3, a :class:`~django.forms.PasswordInput` would render The :class:`~django.forms.PasswordInput` form widget, intended for use
data values like any other form. If a form submission raised an error, with form fields which represent passwords, accepts a boolean keyword
the password that was submitted would be reflected to the client as form argument ``render_value`` indicating whether to send its data back to
data populating the form for resubmission. the browser when displaying a submitted form with errors. Prior to
Django 1.3, this argument defaulted to ``True``, meaning that the
submitted password would be sent back to the browser as part of the
form. Developers who wished to add a bit of additional security by
excluding that value from the redisplayed form could instantiate a
:class:`~django.forms.PasswordInput` passing ``render_value=False`` .
This had the potential to leak passwords, as any failed password Due to the sensitive nature of passwords, however, Django 1.3 takes
attempt would cause the password that was typed to be sent back to the this step automatically; the default value of ``render_value`` is now
client. ``False``, and developers who want the password value returned to the
browser on a submission with errors (the previous behavior) must now
In Django 1.3, the default behavior of explicitly indicate this. For ezmple::
:class:`~django.forms.PasswordInput` is to suppress the display of
password values. This change doesn't alter the way form data is
validated or handled. It only affects the user experience with
passwords on a form when they make an error submitting form data (such
as on unsuccessful logins, or when completing a registration form).
If you want restore the pre-Django 1.3 behavior, you need to pass in a
custom widget to your form that sets the ``render_value`` argument::
class LoginForm(forms.Form): class LoginForm(forms.Form):
username = forms.CharField(max_length=100) username = forms.CharField(max_length=100)
password = forms.CharField(widget=forms.PasswordInput(render_value=True)) password = forms.CharField(widget=forms.PasswordInput(render_value=True))
Clearable default widget for FileField Clearable default widget for FileField
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

31
docs/releases/1.3.txt
View File

@ -160,24 +160,21 @@ Backwards-incompatible changes in 1.3
PasswordInput default rendering behavior PasswordInput default rendering behavior
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Prior to Django 1.3, a :class:`~django.forms.PasswordInput` would render The :class:`~django.forms.PasswordInput` form widget, intended for use
data values like any other form. If a form submission raised an error, with form fields which represent passwords, accepts a boolean keyword
the password that was submitted would be reflected to the client as form argument ``render_value`` indicating whether to send its data back to
data populating the form for resubmission. the browser when displaying a submitted form with errors. Prior to
Django 1.3, this argument defaulted to ``True``, meaning that the
submitted password would be sent back to the browser as part of the
form. Developers who wished to add a bit of additional security by
excluding that value from the redisplayed form could instantiate a
:class:`~django.forms.PasswordInput` passing ``render_value=False`` .
This had the potential to leak passwords, as any failed password Due to the sensitive nature of passwords, however, Django 1.3 takes
attempt would cause the password that was typed to be sent back to the this step automatically; the default value of ``render_value`` is now
client. ``False``, and developers who want the password value returned to the
browser on a submission with errors (the previous behavior) must now
In Django 1.3, the default behavior of explicitly indicate this. For ezmple::
:class:`~django.forms.PasswordInput` is to suppress the display of
password values. This change doesn't alter the way form data is
validated or handled. It only affects the user experience with
passwords on a form when they make an error submitting form data (such
as on unsuccessful logins, or when completing a registration form).
If you want restore the pre-Django 1.3 behavior, you need to pass in a
custom widget to your form that sets the ``render_value`` argument::
class LoginForm(forms.Form): class LoginForm(forms.Form):
username = forms.CharField(max_length=100) username = forms.CharField(max_length=100)