Fixed #12198 - CSRF changes not clearly noted in docs.

The docs no longer unhelpfully point to BackwardsIncompatibleChanges, and instead a section has been added to help those upgrading and those following trunk. Tentative 1.2 release notes added. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11738 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-31 09:41:08 +00:00 · 2009-11-14 19:13:33 +00:00
parent 0aeb1e135d
commit 04f869a80c
4 changed files with 42 additions and 13 deletions
--- a/docs/releases/1.2.txt
+++ b/docs/releases/1.2.txt
@@ -0,0 +1,70 @@
+.. _releases-1.2:
+
+============================================
+Django 1.2 release notes — UNDER DEVELOPMENT
+============================================
+
+This page documents release notes for the as-yet-unreleased Django 1.2.  As such
+it is tentative and subject to change.  It provides up-to-date information for
+those who are following trunk.
+
+.. _backwards-incompatible-changes-1.2:
+
+Backwards-incompatible changes in 1.2
+=====================================
+
+CSRF Protection
+---------------
+
+There have been large changes to the way that CSRF protection works, detailed in
+:ref:`the CSRF documentaton <ref-contrib-csrf>`.  The following are the major
+changes that developers must be aware of:
+
+ * ``CsrfResponseMiddleware`` and ``CsrfMiddleware`` have been deprecated, and
+   will be removed completely in Django 1.4, in favour of a template tag that
+   should be inserted into forms.
+
+ * All contrib apps use a ``csrf_protect`` decorator to protect the view.  This
+   requires the use of the csrf_token template tag in the template, so if you
+   have used custom templates for contrib views, you MUST READ THE UPGRADE
+   INSTRUCTIONS to fix those templates.
+
+ * ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
+   default. This turns on CSRF protection by default, so that views that accept
+   POST requests need to be written to work with the middleware.  Instructions
+   on how to do this are found in the CSRF docs.
+
+ * All of the CSRF has moved from contrib to core (with backwards compatible
+   imports in the old locations, which are deprecated).
+
+LazyObject
+----------
+
+``LazyObject`` is an undocumented utility class used for lazily wrapping other
+objects of unknown type.  In Django 1.1 and earlier, it handled introspection in
+a non-standard way, depending on wrapped objects implementing a public method
+``get_all_members()``. Since this could easily lead to name clashes, it has been
+changed to use the standard method, involving ``__members__`` and ``__dir__()``.
+If you used ``LazyObject`` in your own code, and implemented the
+``get_all_members()`` method for wrapped objects, you need to make the following
+changes:
+
+ * If your class does not have special requirements for introspection (i.e. you
+   have not implemented ``__getattr__()`` or other methods that allow for
+   attributes not discoverable by normal mechanisms), you can simply remove the
+   ``get_all_members()`` method.  The default implementation on ``LazyObject``
+   will do the right thing.
+
+ * If you have more complex requirements for introspection, first rename the
+   ``get_all_members()`` method to ``__dir__()``.  This is the standard method,
+   from Python 2.6 onwards, for supporting introspection.  If you are require
+   support for Python < 2.6, add the following code to the class::
+
+       __members__ = property(lambda self: self.__dir__())
+
+.. _deprecated-features-1.2:
+
+Features deprecated in 1.2
+==========================
+
+None.