Commit Graph

146 Commits

Author SHA1 Message Date
Luke Plant 8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes are found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Russell Keith-Magee 0757607217 Fixed #11820 -- Corrected the spelling of Grace Hopper's name in a test. Thanks to shields@msrl.com for the report, and apologies to Admiral Hopper for the error.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11551 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-13 04:32:55 +00:00
Luke Plant 84ef9dabfa Fixed #11061: Malformed POST request causes TypeError in AdminSite.login().
Thanks vvd


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11493 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-10 16:50:57 +00:00
Russell Keith-Magee 8d48eaa064 Fixed #10061 -- Added namespacing for named URLs - most importantly, for the admin site, where the absence of this facility was causing problems. Thanks to the many people who contributed to and helped review this patch.
This change is backwards incompatible for anyone that is using the named URLs
introduced in [9739]. Any usage of the old admin_XXX names needs to be modified
to use the new namespaced format; in many cases this will be as simple as a
search & replace for "admin_" -> "admin:". See the docs for more details on
the new URL names, and the namespace resolution strategy.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11250 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-16 16:16:13 +00:00
Russell Keith-Magee e992e57d3e Fixed #11416 -- Restored use of the never_cache decorator on admin views. Thanks to Ramiro Morales and Michael Newmann for their work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11229 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-13 13:46:31 +00:00
Russell Keith-Magee 7ecb8b08b3 Fixed #10922 -- Corrected handling of POST data to ensure that the right objects are updated on save when the ordering field is editable. Thanks to Alex Gaynor, Karen Tracy, and Will Hardy for their contributions to this patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11160 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-03 03:05:17 +00:00
Matt Boersma 56f3ed7f54 Fixed import statement in admin_views test to work with Python 2.3.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10789 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-15 15:01:40 +00:00
Jacob Kaplan-Moss e508bfd27f Fixed #10992: fixed a bug saving inlines with custom primary key fields. Thanks, Zain.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10777 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-14 02:23:53 +00:00
Russell Keith-Magee 2c2871b7c3 Fixed #11042 -- Corrected admin inlines for inherited models. Thanks to jsmullyan for the report, and mir for helpful triage work. Patch includes regression test for #8093, and a commented out test for #10992.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10725 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-09 11:40:13 +00:00
Jacob Kaplan-Moss 23fa913676 Fixed #10448: correcting errors on "save as new" now correctly create a new object instead of modifying the old one. Thanks, bastih.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10713 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-08 12:53:14 +00:00
Russell Keith-Magee ae7d9bfad2 Fixed #10899 -- Ensured that log messages for deletions in the admin contain useful descriptions. Thanks to Jeremy Dunck for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10686 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-07 13:10:59 +00:00
Russell Keith-Magee b5f0aff922 Fixed #10516 -- Corrected admin search when the search_fields definition contains multiple fields on the same base model. Thanks to Zain Memon for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10684 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-07 12:52:43 +00:00
Russell Keith-Magee eb81d5acb3 Fixed #10893 -- Corrected a problem with using list_editable in the admin when the model has a manual primary key. Thanks to Alex Gaynor for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10681 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-07 11:56:10 +00:00
Russell Keith-Magee 9d28568cb4 Fixed #10275 -- Corrected the edge case of rendering a LogEntry with a contenttype of None. Thanks to Jarek Zgoda for the report, and Peter Bengtsson for the patch
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10675 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-05 11:52:03 +00:00
Jacob Kaplan-Moss ccc8e104ee Fixed #10799: fixed the use of list_editable with model inheritance and custom one-to-one parent links. Thanks, Alex Gaynor.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10590 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-18 21:03:29 +00:00
Jacob Kaplan-Moss 1e4ad6f118 Fixed #10002: inline file uploads now correctly display prior data. Thanks, dgouldin.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10588 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-18 20:29:55 +00:00
Malcolm Tredinnick 3bd384aa62 Fixed #10645 -- Added some robustness around some admin and modelform params.
Fieldset dictionary names, search fields and unique_together attribute
names all have to be convertible to strings (that has always been true).
If somebody passes in a unicode object, Python barfs because Django uses
those values as keyword argument names and function calls require
parameter names to be str objects. We now convert things to strs
automatically.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10510 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-11 07:41:59 +00:00
Jacob Kaplan-Moss bb15cee58a Made a bunch of improvements to admin actions. Be warned: this includes one minor but BACKWARDS-INCOMPATIBLE change.
These changes are:

    * BACKWARDS-INCOMPATIBLE CHANGE: action functions and action methods now share the same signature: `(modeladmin, request, queryset)`. Actions defined as methods stay the same, but if you've defined an action as a standalone function you'll now need to add that first `modeladmin` argument.
    * The delete selected action is now a standalone function registered site-wide; this makes disabling it easy.
    * Fixed #10596: there are now official, documented `AdminSite` APIs for dealing with actions, including a method to disable global actions. You can still re-enable globally-disabled actions on a case-by-case basis.
    * Fixed #10595: you can now disable actions for a particular `ModelAdmin` by setting `actions` to `None`.
    * Fixed #10734: actions are now sorted (by name).
    * Fixed #10618: the action is now taken from the form whose "submit" button you clicked, not arbitrarily the last form on the page.
    * All of the above is documented and tested.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10408 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-06 20:23:33 +00:00
Jacob Kaplan-Moss 8f7aa84def Fixed #9651: fixed save_as with inline forms. Thanks, kmike and Mnewman.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10353 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-02 00:01:15 +00:00
Jacob Kaplan-Moss ee17cabba0 Fixed #9969: choices with options groups (added in [7977]) now work correctly in the admin with list_display and list_filter. Thanks, ramiro.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10318 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-01 14:14:20 +00:00
Jacob Kaplan-Moss f83af07ce3 Fixed #7510: the ModelAdmin now uses `self.queryset` instead of the default manager. Thanks, Alex Gaynor.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10314 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-01 03:11:58 +00:00
Joseph Kocherhans 62353e8fe7 Fixed #9863. A ForeignKey with editable=False to the parent in an inline no longer raises an exception. Thanks to keithb for the test case and Alex Gaynor for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10239 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-31 00:03:34 +00:00
Brian Rosner 69977d2045 Fixed #10622 -- Resolved an issue with model inheritance and list_editable. Thanks oyvind and Alex Gaynor.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10178 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-29 18:52:38 +00:00
Jacob Kaplan-Moss 44f3080226 Fixed #10505: added support for bulk admin actions, including a globally-available "delete selected" action. See the documentation for details.
This work started life as Brian Beck's "django-batchadmin." It was rewritten for inclusion in Django by Alex Gaynor, Jannis Leidel (jezdez), and Martin Mahner (bartTC). Thanks, guys!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10121 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-23 20:22:56 +00:00
Jacob Kaplan-Moss 7bc0878922 Fixed #8939: added a `list_editable` option to `ModelAdmin`; fields declared `list_editable` may be edited, in bulk, on the changelist page. Thanks, Alex Gaynor.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10077 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-17 20:51:47 +00:00
Russell Keith-Magee 3c8568a7dc Fixed #10271, #10281 -- Fixed the handling of multiple inline models that share a common base class and have the link to the inline parent on the base class. Includes modifications that allow the equivalent handling for GenericFields. Thanks to Idan Gazit, Antti Kaihola (akaihola), and Alex Gaynor for their work on this patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10017 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-10 11:19:26 +00:00
Jacob Kaplan-Moss 1f84630c87 Fixed #6470: made the admin use a URL resolver.
This *is* backwards compatible, but `admin.site.root()` has been deprecated. The new style is `('^admin/', include(admin.site.urls))`; users will need to update their code to take advantage of the new customizable admin URLs.

Thanks to Alex Gaynor.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9739 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-01-14 20:22:25 +00:00
Karen Tracey 986e162c5d Follow-up to r9656 -- beef up the added test to exercise all (one can hope) paths through the troublesome get_deleted_objects function and fix the resulting errors.
Refs #9859.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9657 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-16 17:42:18 +00:00
Karen Tracey 10894da8a8 Fixed #9859 -- Added another missing force_unicode needed in admin when running on Python 2.3. Many thanks for report & patch to nfg.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9656 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-16 15:04:47 +00:00
Karen Tracey 6ed91234e3 Fixed #8910 -- Added force_unicode during admin log message creation to avoid triggering a Python 2.3 bug. Thanks for the report joshg and patch nfg.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9383 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-11-10 17:13:41 +00:00
Karen Tracey c367e2869e Fixed #9514 -- Made admin change_form template correctly recognize/report when a form has only a single error.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9371 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-11-09 18:51:28 +00:00
Karen Tracey 03070a9955 Fixed #7179 -- Changed breadcrumbs on the add page so that a link to the change view is not included when the user doesn't have permission for that view. Also added tests to ensure the link is not there when it shouldn't be, and there when it should be. Thanks for the report & patch alen__ribic.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9276 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-24 19:14:24 +00:00
Karen Tracey 30241385d5 Fixed #9252 -- Moved the try/except protecting against incorrect lookup params to where the error is now raised, and added a test for this case.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9245 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-22 23:09:35 +00:00
Karen Tracey ae43d11838 Fixed #3096 -- Make admin list_filters respect limit_choices_to.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9241 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-21 19:03:21 +00:00
Karen Tracey 05d695908c Fixed #9053 -- Allowed for sorting of callable and ModelAdmin methods specified in list_display (added in r8352). Previously attempting to sort on the former would raise an exception and the latter simply didn't sort. Also added tests for this function. Thanks rgl and jenan.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9211 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-08 14:47:01 +00:00
Jacob Kaplan-Moss 0e5faf225c Security fix. Announcement forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8877 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-02 21:10:00 +00:00
Brian Rosner cd0b65bcf7 Fixed #7982 -- Corrected ModelAdmin url dispatching to ensure it matches exactly what it needs and doesn't stomp on primary key space. 'add' is a lost cause for now. This originated from #6470. Thanks jdetaeye for the original patch and basith for providing test cases.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8704 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 16:46:46 +00:00
Jacob Kaplan-Moss 21928f2ba0 Fixed #7738: support initial values via `GET` for `SelectMultiple` in the admin.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8699 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 16:09:29 +00:00
Russell Keith-Magee 27b0077a48 Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to rajeshd for the report of a problem case.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8509 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-24 06:34:18 +00:00
Russell Keith-Magee a9ee1d4e28 Fixed #7776: Ensured that the test cookie is always deleted once a login has succeeded. Thanks for the report and fix, Mnewman.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8484 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 14:12:58 +00:00
Malcolm Tredinnick 4881a4ffb0 Use failIf() instead of assertFalse() so that tests work with python 2.3.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8379 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 14:58:47 +00:00
Brian Rosner 65be56816f Fixed #5780 -- Adjusted the ModelAdmin API to allow the created/updated objects
to be passed to the formsets prior to validation.

This is a backward incompatible change for anyone overriding save_add or
save_change. They have been removed in favor of more granular methods
introduced in [8266] and the new response_add and response_change methods.
save_model has been renamed to save_form due to its slightly changed behavior.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8273 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 20:52:40 +00:00
Jacob Kaplan-Moss 4747347385 Fixed #5801: admin requests with GET args now get properly bounced through login with those args intact. Thanks for the patch, Rozza.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8271 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 17:35:19 +00:00
Malcolm Tredinnick ab8965c428 Added a few force_unicode() calls around objects in the admin. Required for
Python 2.3 compatibility. Patch from nfg.

Refs #8151, #8153.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8236 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-08 18:07:33 +00:00
Malcolm Tredinnick c5a76a3669 Fixed a bunch of Python 2.3 test failures.
All remaining buildbot failures on 2.3 are not due to the test suite, as far as
I can work out.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8055 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-22 19:48:36 +00:00
Brian Rosner a19ed8aea3 Merged the newforms-admin branch into trunk.
This is a backward incompatible change. The admin contrib app has been
refactored. The newforms module has several improvements including FormSets
and Media definitions.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@7967 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-18 23:54:34 +00:00