Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2009-10-27 12:11:56 +00:00
parent f6ef3fd941
commit f00ad4168e
2 changed files with 11 additions and 2 deletions

@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your
views (just as you had before). It is strongly recommended to install views (just as you had before). It is strongly recommended to install
``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above. ``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
(Note that contrib apps, such as the admin, have been updated to use the Note that contrib apps, such as the admin, have been updated to use the
``csrf_protect`` decorator, so that they are secured even if you do not add the ``csrf_protect`` decorator, so that they are secured even if you do not add the
``CsrfViewMiddleware`` to your settings). ``CsrfViewMiddleware`` to your settings. However, if you have suuplied
customised templates to any of the view functions of contrib apps (whether
explicitly via a keyword argument, or by overriding built-in templates), **you
MUST update them** to include the ``csrf_token`` template tag as described
above, or they will stop working.
Assuming you have followed the above, all views in your Django site will now be Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements
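Review bot: the added sentence beginning "However, if you have suuplied" contains a typo ("suuplied" should be "supplied"), and "they will stop working" is vaguer than the rest of the paragraph. Since the surrounding text already says the contrib views are wrapped in ``csrf_protect`` and that the ``csrf_token`` tag is required, say what the failure looks like in practice, for example "or POST requests from those templates will be rejected by the ``csrf_protect`` decorator". The conversion of the former "(Note that ... )" parenthetical into full sentences is fine; check that no stray closing parenthesis remains after "settings".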

@ -13,6 +13,11 @@ changes that developers must be aware of:
will be removed completely in Django 1.4, in favour of a template tag that will be removed completely in Django 1.4, in favour of a template tag that
should be inserted into forms. should be inserted into forms.
* All contrib apps use a ``csrf_protect`` decorator to protect the view. This
requires the use of the csrf_token template tag in the template, so if you
have used custom templates for contrib views, you MUST READ THE UPGRADE
INSTRUCTIONS to fix those templates.
* ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by * ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
default. This turns on CSRF protection by default, so that views that accept default. This turns on CSRF protection by default, so that views that accept
POST requests need to be written to work with the middleware. Instructions POST requests need to be written to work with the middleware. Instructions
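Review bot: in the new bullet, "csrf_token template tag" is not marked up as a literal, while the same bullet writes ``csrf_protect`` with double backticks and the neighbouring text uses ``CsrfViewMiddleware`` and :setting:`MIDDLEWARE_CLASSES`; use ``csrf_token`` for consistency. "MUST READ THE UPGRADE INSTRUCTIONS" should not be shouted in release notes, and it gives the reader nothing to follow; replace it with emphasis and a cross-reference to the upgrade section in the CSRF documentation that the other file's hunk extends, e.g. "you **must** update those templates as described in the CSRF upgrade notes". Also "to protect the view" is ambiguous, since each contrib app has several views; "to protect their views" says what is meant.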