[per-object-permissions] Update to trunk

git-svn-id: http://code.djangoproject.com/svn/django/branches/per-object-permissions@3630 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-07-04 17:59:13 +00:00 · 2006-08-20 22:49:48 +00:00 · 2006-08-20 22:49:48 +00:00 · 49c1c2fdd3
commit 49c1c2fdd3
parent 455842e07e
15 changed files with 142 additions and 22 deletions
--- a/1
+++ b/1
@ -68,6 +68,7 @@ answer newbie questions, and generally made Django that much better:
    deric@monowerks.com
    dne@mayonnaise.net
    Jeremy Dunck <http://dunck.us/>
+    Andy Dustman <farcepest@gmail.com>
    Clint Ecker
    gandalf@owca.info
    Baishampayan Ghose
--- a/django/bin/compile-messages.py
+++ b/django/bin/compile-messages.py
@ -11,7 +11,7 @@ def compile_messages():
    elif os.path.isdir('locale'):
        basedir = os.path.abspath('locale')
    else:
-        print "this script should be run from the django svn tree or your project or app tree"
+        print "This script should be run from the Django SVN tree or your project or app tree."
        sys.exit(1)

    for dirpath, dirnames, filenames in os.walk(basedir):
@ -19,7 +19,14 @@ def compile_messages():
            if f.endswith('.po'):
                sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
                pf = os.path.splitext(os.path.join(dirpath, f))[0]
-                cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
+                # Store the names of the .mo and .po files in an environment
+                # variable, rather than doing a string replacement into the
+                # command, so that we can take advantage of shell quoting, to
+                # quote any malicious characters/escaping.
+                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+                os.environ['djangocompilemo'] = pf + '.mo'
+                os.environ['djangocompilepo'] = pf + '.po'
+                cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
                os.system(cmd)

 if __name__ == "__main__":
--- a/django/conf/project_template/settings.py
+++ b/django/conf/project_template/settings.py
@ -27,6 +27,10 @@ LANGUAGE_CODE = 'en-us'

 SITE_ID = 1

+# If you set this to False, Django will make some optimizations so as not
+# to load the internationalization machinery.
+USE_I18N = True
+
 # Absolute path to the directory that holds media.
 # Example: "/home/media/media.lawrence.com/"
 MEDIA_ROOT = ''
--- a/django/contrib/admin/templates/admin/base.html
+++ b/django/contrib/admin/templates/admin/base.html
@ -6,6 +6,7 @@
 {% if LANGUAGE_BIDI %}<link rel="stylesheet" type="text/css" href="{% block stylesheet_rtl %}{% admin_media_prefix %}css/rtl.css{% endblock %}" />{% endif %}
 {% block extrastyle %}{% endblock %}
 {% block extrahead %}{% endblock %}
+{% block blockbots %}<meta name="robots" content="NONE,NOARCHIVE" />{% endblock %}
 </head>
 {% load i18n %}

--- a/django/contrib/admin/views/doc.py
+++ b/django/contrib/admin/views/doc.py
@ -226,7 +226,7 @@ def model_detail(request, app_label, model_name):

    return render_to_response('admin_doc/model_detail.html', {
        'name': '%s.%s' % (opts.app_label, opts.object_name),
-        'summary': "Fields on %s objects" % opts.object_name,
+        'summary': _("Fields on %s objects") % opts.object_name,
        'description': model.__doc__,
        'fields': fields,
    }, context_instance=RequestContext(request))
--- a/django/contrib/admin/views/main.py
+++ b/django/contrib/admin/views/main.py
@ -272,7 +272,9 @@ def add_stage(request, app_label, model_name, show_delete=False, form_url='', po
                    post_url_continue += "?_popup=1"
                return HttpResponseRedirect(post_url_continue % pk_value)
            if request.POST.has_key("_popup"):
-                return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, %r, "%s");</script>' % \
+                if type(pk_value) is str: # Quote if string, so JavaScript doesn't think it's a variable.
+                    pk_value = '"%s"' % pk_value.replace('"', '\\"')
+                return HttpResponse('<script type="text/javascript">opener.dismissAddAnotherPopup(window, %s, "%s");</script>' % \
                    (pk_value, str(new_object).replace('"', '\\"')))
            elif request.POST.has_key("_addanother"):
                request.user.message_set.create(message=msg + ' ' + (_("You may add another %s below.") % opts.verbose_name))
@ -734,9 +736,19 @@ class ChangeList(object):
        qs = qs.order_by((self.order_type == 'desc' and '-' or '') + lookup_order_field)

        # Apply keyword searches.
+        def construct_search(field_name):
+            if field_name.startswith('^'):
+                return "%s__istartswith" % field_name[1:]
+            elif field_name.startswith('='):
+                return "%s__iexact" % field_name[1:]
+            elif field_name.startswith('@'):
+                return "%s__search" % field_name[1:]
+            else:
+                return "%s__icontains" % field_name
+
        if self.lookup_opts.admin.search_fields and self.query:
            for bit in self.query.split():
-                or_queries = [models.Q(**{'%s__icontains' % field_name: bit}) for field_name in self.lookup_opts.admin.search_fields]
+                or_queries = [models.Q(**{construct_search(field_name): bit}) for field_name in self.lookup_opts.admin.search_fields]
                other_qs = QuerySet(self.model)
                other_qs = other_qs.filter(reduce(operator.or_, or_queries))
                qs = qs & other_qs
--- a/django/core/cache/backends/memcached.py
+++ b/django/core/cache/backends/memcached.py
@ -20,7 +20,7 @@ class CacheClass(BaseCache):
            return val

    def set(self, key, value, timeout=0):
-        self._cache.set(key, value, timeout)
+        self._cache.set(key, value, timeout or self.default_timeout)

    def delete(self, key):
        self._cache.delete(key)
--- a/django/middleware/cache.py
+++ b/django/middleware/cache.py
@ -41,6 +41,9 @@ class CacheMiddleware(object):

    def process_request(self, request):
        "Checks whether the page is already cached and returns the cached version if available."
+        if self.cache_anonymous_only:
+            assert hasattr(request, 'user'), "The Django cache middleware with CACHE_MIDDLEWARE_ANONYMOUS_ONLY=True requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' before the CacheMiddleware."
+
        if not request.method in ('GET', 'HEAD') or request.GET:
            request._cache_update_cache = False
            return None # Don't bother checking the cache.
--- a/django/middleware/http.py
+++ b/django/middleware/http.py
@ -35,3 +35,27 @@ class ConditionalGetMiddleware(object):
            response.content = ''

        return response
+
+class SetRemoteAddrFromForwardedFor(object):
+    """
+    Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the
+    latter is set. This is useful if you're sitting behind a reverse proxy that
+    causes each request's REMOTE_ADDR to be set to 127.0.0.1.
+
+    Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind
+    a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use
+    this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and
+    because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means
+    anybody can "fake" their IP address. Only use this when you can absolutely
+    trust the value of HTTP_X_FORWARDED_FOR.
+    """
+    def process_request(self, request):
+        try:
+            real_ip = request.META['HTTP_X_FORWARDED_FOR']
+        except KeyError:
+            return None
+        else:
+            # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
+            # Take just the first one.
+            real_ip = real_ip.split(",")[0]
+            request.META['REMOTE_ADDR'] = real_ip
--- a/docs/cache.txt
+++ b/docs/cache.txt
@ -233,7 +233,10 @@ The cache middleware caches every page that doesn't have GET or POST
 parameters. Optionally, if the ``CACHE_MIDDLEWARE_ANONYMOUS_ONLY`` setting is
 ``True``, only anonymous requests (i.e., not those made by a logged-in user)
 will be cached. This is a simple and effective way of disabling caching for any
-user-specific pages (include Django's admin interface).
+user-specific pages (include Django's admin interface). Note that if you use
+``CACHE_MIDDLEWARE_ANONYMOUS_ONLY``, you should make sure you've activated
+``AuthenticationMiddleware`` and that ``AuthenticationMiddleware`` appears
+before ``CacheMiddleware`` in your ``MIDDLEWARE_CLASSES``.

 Additionally, ``CacheMiddleware`` automatically sets a few headers in each
 ``HttpResponse``:
--- a/docs/faq.txt
+++ b/docs/faq.txt
@ -98,11 +98,10 @@ Lawrence, Kansas, USA.
    On IRC, Simon goes by ``SimonW``.

 `Wilson Miner`_
-    Wilson's design-fu makes us all look like rock stars. When not sneaking
-    into apartment complex swimming pools, he's the Commercial Development
-    Director for World Online, which means he makes the money that pays all our
-    paychecks. He lives in Lawrence, Kansas.
-
+    Wilson's design-fu makes us all look like rock stars. By day, he's an 
+    interactive designer for `Apple`. Don't ask him what he's working on, or
+    he'll have to kill you. He lives in San Francisco.
+    
    On IRC, Wilson goes by ``wilsonian``.

 .. _`World Online`: http://code.djangoproject.com/wiki/WorldOnline
@ -113,6 +112,7 @@ Lawrence, Kansas, USA.
 .. _`simon.incutio.com`: http://simon.incutio.com/
 .. _`Jacob Kaplan-Moss`: http://www.jacobian.org/
 .. _`Wilson Miner`: http://www.wilsonminer.com/
+.. _`Apple`: http://www.apple.com/

 Which sites use Django?
 -----------------------
--- a/docs/i18n.txt
+++ b/docs/i18n.txt
@ -48,9 +48,10 @@ bit of i18n-related overhead in certain places of the framework. If you don't
 use internationalization, you should take the two seconds to set
 ``USE_I18N = False`` in your settings file. If ``USE_I18N`` is set to
 ``False``, then Django will make some optimizations so as not to load the
-internationalization machinery.
+internationalization machinery. See the `documentation for USE_I18N`_.

-See the `documentation for USE_I18N`_.
+You'll probably also want to remove ``'django.core.context_processors.i18n'``
+from your ``TEMPLATE_CONTEXT_PROCESSORS`` setting.

 .. _documentation for USE_I18N: http://www.djangoproject.com/documentation/settings/#use-i18n

--- a/docs/middleware.txt
+++ b/docs/middleware.txt
@ -63,7 +63,7 @@ Adds a few conveniences for perfectionists:
  last component in the path contains a period. So ``foo.com/bar`` is
  redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed
  through unchanged.
-  
+
  If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be
  redirected to the same URL with a leading "www."

@ -101,6 +101,22 @@ Handles conditional GET operations. If the response has a ``ETag`` or
 Also removes the content from any response to a HEAD request and sets the
 ``Date`` and ``Content-Length`` response-headers.

+django.middleware.http.SetRemoteAddrFromForwardedFor
+----------------------------------------------------
+
+**New in Django development version**
+
+Sets ``request['REMOTE_ADDR']`` based on ``request.['HTTP_X_FORWARDED_FOR']``,
+if the latter is set. This is useful if you're sitting behind a reverse proxy
+that causes each request's ``REMOTE_ADDR`` to be set to ``127.0.0.1``.
+
+**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're
+not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do
+not use this middleware. Anybody can spoof the value of
+``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on
+``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only
+use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``.
+
 django.contrib.sessions.middleware.SessionMiddleware
 ----------------------------------------------------

--- a/docs/model-api.txt
+++ b/docs/model-api.txt
@ -217,7 +217,7 @@ steps:
       subdirectory of ``MEDIA_ROOT`` it should upload files.

    3. All that will be stored in your database is a path to the file
-       (relative to ``MEDIA_ROOT``). You'll must likely want to use the
+       (relative to ``MEDIA_ROOT``). You'll most likely want to use the
       convenience ``get_<fieldname>_url`` function provided by Django. For
       example, if your ``ImageField`` is called ``mug_shot``, you can get
       the absolute URL to your image in a template with ``{{
@ -230,6 +230,14 @@ For example, say your ``MEDIA_ROOT`` is set to ``'/home/media'``, and
 upload a file on Jan. 15, 2007, it will be saved in the directory
 ``/home/media/photos/2007/01/15``.

+Note that whenever you deal with uploaded files, you should pay close attention
+to where you're uploading them and what type of files they are, to avoid
+security holes. *Validate all uploaded files* so that you're sure the files are
+what you think they are. For example, if you blindly let somebody upload files,
+without validation, to a directory that's within your Web server's document
+root, then somebody could upload a CGI or PHP script and execute that script by
+visiting its URL on your site. Don't allow that.
+
 .. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941

 ``FilePathField``
@ -678,8 +686,9 @@ you can use the name of the model, rather than the model object itself::
    class Manufacturer(models.Model):
        # ...

-Note, however, that support for strings around model names in ``ForeignKey`` is
-quite new, and it can be buggy in some cases.
+Note, however, that you can only use strings to refer to models in the same
+models.py file -- you cannot use a string to reference a model in a different
+application, or to reference a model that has been imported from elsewhere.

 Behind the scenes, Django appends ``"_id"`` to the field name to create its
 database column name. In the above example, the database table for the ``Car``
@ -801,7 +810,10 @@ here's how you'd represent that::

 As with ``ForeignKey``, a relationship to self can be defined by using the
 string ``'self'`` instead of the model name, and you can refer to as-yet
-undefined models by using a string containing the model name.
+undefined models by using a string containing the model name. However, you
+can only use strings to refer to models in the same models.py file -- you
+cannot use a string to reference a model in a different application, or to
+reference a model that has been imported from elsewhere.

 It's suggested, but not required, that the name of a ``ManyToManyField``
 (``toppings`` in the example above) be a plural describing the set of related
@ -1374,6 +1386,41 @@ user searches for ``john lennon``, Django will do the equivalent of this SQL
    WHERE (first_name ILIKE '%john%' OR last_name ILIKE '%john%')
    AND (first_name ILIKE '%lennon%' OR last_name ILIKE '%lennon%')

+**New in Django development version:** For faster and/or more restrictive
+searches, prefix the field name with an operator:
+
+``^``
+    Matches the beginning of the field. For example, if ``search_fields`` is
+    set to ``['^first_name', '^last_name']`` and a user searches for
+    ``john lennon``, Django will do the equivalent of this SQL ``WHERE``
+    clause::
+
+        WHERE (first_name ILIKE 'john%' OR last_name ILIKE 'john%')
+        AND (first_name ILIKE 'lennon%' OR last_name ILIKE 'lennon%')
+
+    This query is more efficient than the normal ``'%john%'`` query, because
+    the database only needs to check the beginning of a column's data, rather
+    than seeking through the entire column's data. Plus, if the column has an
+    index on it, some databases may be able to use the index for this query,
+    even though it's a ``LIKE`` query.
+
+``=``
+    Matches exactly, case-insensitive. For example, if
+    ``search_fields`` is set to ``['=first_name', '=last_name']`` and
+    a user searches for ``john lennon``, Django will do the equivalent
+    of this SQL ``WHERE`` clause::
+
+        WHERE (first_name ILIKE 'john' OR last_name ILIKE 'john')
+        AND (first_name ILIKE 'lennon' OR last_name ILIKE 'lennon')
+
+    Note that the query input is split by spaces, so, following this example,
+    it's not currently not possible to search for all records in which
+    ``first_name`` is exactly ``'john winston'`` (containing a space).
+
+``@``
+    Performs a full-text match. This is like the default search method but uses
+    an index. Currently this is only available for MySQL.
+
 Managers
 ========

--- a/docs/templates_python.txt
+++ b/docs/templates_python.txt
@ -259,9 +259,10 @@ an `HttpRequest object`_ as its first argument. For example::
 The second difference is that it automatically populates the context with a few
 variables, according to your `TEMPLATE_CONTEXT_PROCESSORS setting`_.

-The ``TEMPLATE_CONTEXT_PROCESSORS`` setting is a tuple of callables that take a
-request object as their argument and return a dictionary of items to be merged
-into the context. By default, ``TEMPLATE_CONTEXT_PROCESSORS`` is set to::
+The ``TEMPLATE_CONTEXT_PROCESSORS`` setting is a tuple of callables -- called
+**context processors** -- that take a request object as their argument and
+return a dictionary of items to be merged into the context. By default,
+``TEMPLATE_CONTEXT_PROCESSORS`` is set to::

    ("django.core.context_processors.auth",
    "django.core.context_processors.debug",