test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Allow CsrfResponseMiddleware to be used if templates cannot be updated. 

For the case where someone is using contrib views with custom templates that
they cannot update to use the template tag, it should be possible to use
CsrfResponseMiddleware.  This requires that 'csrf_response_exempt' is not
used for the admin views.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11683 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2009-10-30 00:17:29 +00:00
parent 96658ef2d2
commit 5a0aab41ee
2 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
django/contrib/admin/sites.py
View File

@ -3,7 +3,7 @@ from django import http, template
from django.contrib.admin import ModelAdmin from django.contrib.admin import ModelAdmin
from django.contrib.admin import actions from django.contrib.admin import actions
from django.contrib.auth import authenticate, login from django.contrib.auth import authenticate, login
from django.views.decorators.csrf import csrf_protect, csrf_response_exempt from django.views.decorators.csrf import csrf_protect
from django.db.models.base import ModelBase from django.db.models.base import ModelBase
from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
@ -189,7 +189,7 @@ class AdminSite(object):
inner = never_cache(inner) inner = never_cache(inner)
# We add csrf_protect here so this function can be used as a utility # We add csrf_protect here so this function can be used as a utility
# function for any view, without having to repeat 'csrf_protect'. # function for any view, without having to repeat 'csrf_protect'.
inner = csrf_response_exempt(csrf_protect(inner)) inner = csrf_protect(inner)
return update_wrapper(inner, view) return update_wrapper(inner, view)
def get_urls(self): def get_urls(self):

4
docs/ref/contrib/csrf.txt
View File

@ -178,7 +178,9 @@ Note that contrib apps, such as the admin, have been updated to use the
customised templates to any of the view functions of contrib apps (whether customised templates to any of the view functions of contrib apps (whether
explicitly via a keyword argument, or by overriding built-in templates), **you explicitly via a keyword argument, or by overriding built-in templates), **you
MUST update them** to include the ``csrf_token`` template tag as described MUST update them** to include the ``csrf_token`` template tag as described
above, or they will stop working. above, or they will stop working. (If you cannot update these templates for
some reason, you will be forced to use ``CsrfResponseMiddleware`` for these
views to continue working).
Assuming you have followed the above, all views in your Django site will now be Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements