From daa6b38f352447a5afed3184f4ffffd0d6b1f1de Mon Sep 17 00:00:00 2001
From: Gary Wilson Jr
Date: Sun, 3 Aug 2008 19:55:26 +0000
Subject: [PATCH] Fixed #8092, #3828 -- Removed dictionary access for request objects so that GET and POST data doesn't "overwrite" request attributes when used in templates (since dictionary lookup is performed before attribute lookup). This is backwards-incompatible if you were using the request object for dictionary access to the combined GET and POST data, but you should use `request.REQUEST` for that instead.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8202 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
django/http/__init__.py | 11 ------
docs/request_response.txt | 12 ------
.../context_processors/__init__.py | 0
.../context_processors/models.py | 1 +
.../context_processors/request_attrs.html | 13 +++++++
.../context_processors/tests.py | 38 +++++++++++++++++++
.../context_processors/urls.py | 8 ++++
.../context_processors/views.py | 8 ++++
8 files changed, 68 insertions(+), 23 deletions(-)
create mode 100644 tests/regressiontests/context_processors/__init__.py
create mode 100644 tests/regressiontests/context_processors/models.py
create mode 100644 tests/regressiontests/context_processors/templates/context_processors/request_attrs.html
create mode 100644 tests/regressiontests/context_processors/tests.py
create mode 100644 tests/regressiontests/context_processors/urls.py
create mode 100644 tests/regressiontests/context_processors/views.py
diff --git a/django/http/__init__.py b/django/http/__init__.py
index fe0b93edcf..0124022478 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -39,17 +39,6 @@ class HttpRequest(object): (pformat(self.GET), pformat(self.POST), pformat(self.COOKIES), pformat(self.META)) - def __getitem__(self, key): - for d in (self.POST, self.GET): - if key in d: - return d[key] - raise KeyError, "%s not found in either POST or GET" % key - - def has_key(self, key): - return key in self.GET or key in self.POST - - __contains__ = has_key - def get_host(self): """Returns the HTTP host using the environment or request headers.""" # We try three options, in order of decreasing preference. diff --git a/docs/request_response.txt b/docs/request_response.txt index 54fc24df9e..9b3f6dd0e3 100644 --- a/docs/request_response.txt +++ b/docs/request_response.txt @@ -170,18 +170,6 @@ All attributes except ``session`` should be considered read-only. Methods ------- -``__getitem__(key)`` - Returns the GET/POST value for the given key, checking POST first, then - GET. Raises ``KeyError`` if the key doesn't exist. - - This lets you use dictionary-accessing syntax on an ``HttpRequest`` - instance. Example: ``request["foo"]`` would return ``True`` if either - ``request.POST`` or ``request.GET`` had a ``"foo"`` key. - -``has_key()`` - Returns ``True`` or ``False``, designating whether ``request.GET`` or - ``request.POST`` has the given key. - ``get_host()`` **New in Django development version** diff --git a/tests/regressiontests/context_processors/__init__.py b/tests/regressiontests/context_processors/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/regressiontests/context_processors/models.py b/tests/regressiontests/context_processors/models.py new file mode 100644 index 0000000000..cde172db68 --- /dev/null +++ b/tests/regressiontests/context_processors/models.py @@ -0,0 +1 @@ +# Models file for tests to run. 
diff --git a/tests/regressiontests/context_processors/templates/context_processors/request_attrs.html b/tests/regressiontests/context_processors/templates/context_processors/request_attrs.html
new file mode 100644
index 0000000000..3978e9d680
--- /dev/null
+++ b/tests/regressiontests/context_processors/templates/context_processors/request_attrs.html
@@ -0,0 +1,13 @@
+{% if request %}
+Have request
+{% else %}
+No request
+{% endif %}
+
+{% if request.is_secure %}
+Secure
+{% else %}
+Not secure
+{% endif %}
+
+{{ request.path }}
diff --git a/tests/regressiontests/context_processors/tests.py b/tests/regressiontests/context_processors/tests.py
new file mode 100644
index 0000000000..eadd6310b1
--- /dev/null
+++ b/tests/regressiontests/context_processors/tests.py
@@ -0,0 +1,38 @@
+"""
+Tests for Django's bundled context processors.
+"""
+
+from django.conf import settings
+from django.test import TestCase
+
+
+class RequestContextProcessorTests(TestCase):
+ """
+ Tests for the ``django.core.context_processors.request`` processor.
+ """
+
+ urls = 'regressiontests.context_processors.urls'
+
+ def test_request_attributes(self):
+ """
+ Test that the request object is available in the template and that its
+ attributes can't be overridden by GET and POST parameters (#3828).
+ """
+ url = '/request_attrs/'
+ # We should have the request object in the template.
+ response = self.client.get(url)
+ self.assertContains(response, 'Have request')
+ # Test is_secure.
+ response = self.client.get(url)
+ self.assertContains(response, 'Not secure')
+ response = self.client.get(url, {'is_secure': 'blah'})
+ self.assertContains(response, 'Not secure')
+ response = self.client.post(url, {'is_secure': 'blah'})
+ self.assertContains(response, 'Not secure')
+ # Test path.
+ response = self.client.get(url)
+ self.assertContains(response, url)
+ response = self.client.get(url, {'path': '/blah/'})
+ self.assertContains(response, url)
+ response = self.client.post(url, {'path': '/blah/'})
+ self.assertContains(response, url)
diff --git a/tests/regressiontests/context_processors/urls.py b/tests/regressiontests/context_processors/urls.py
new file mode 100644
index 0000000000..7e8ba967c1
--- /dev/null
+++ b/tests/regressiontests/context_processors/urls.py
@@ -0,0 +1,8 @@
+from django.conf.urls.defaults import *
+
+import views
+
+
+urlpatterns = patterns('',
+ (r'^request_attrs/$', views.request_processor),
+)
diff --git a/tests/regressiontests/context_processors/views.py b/tests/regressiontests/context_processors/views.py
new file mode 100644
index 0000000000..66e7132c05
--- /dev/null
+++ b/tests/regressiontests/context_processors/views.py
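Review bot: `test_request_attributes` in tests.py only asserts that the genuine value is rendered and never asserts that the request-supplied value is absent, so the guarantee that GET/POST keys cannot shadow `request` attributes is checked only indirectly. Adding `self.assertNotContains(response, '/blah/')` after the two `path` requests (and the equivalent `'blah'` check is not possible for `is_secure`, so a distinct marker value would be needed there) would pin the property down explicitly. The removed `__getitem__` looked in POST before GET, so one request that carries the same key in both the query string and the POST body would cover that ordering as well. The `from django.conf import settings` import at the top of the file is unused and can be dropped.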
@@ -0,0 +1,8 @@
+from django.core import context_processors
+from django.shortcuts import render_to_response
+from django.template.context import RequestContext
+
+
+def request_processor(request):
+ return render_to_response('context_processors/request_attrs.html',
+ RequestContext(request, {}, processors=[context_processors.request]))
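Review bot: In `request_processor` the `RequestContext` is passed as the second positional argument of `render_to_response`, which is the slot for the plain context dictionary, so the template is presumably rendered with a `Context` that wraps the `RequestContext` rather than with the `RequestContext` itself. Lookup of `request` should still succeed through the nested context, but the regression test then exercises a different resolution path from the one ordinary views use. Passing it by keyword, `context_instance=RequestContext(request, {}, processors=[context_processors.request])`, would keep the test on the common path. A one-line docstring such as `"""Render request attributes for the request context processor regression test."""` would also make the view's purpose clear.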