diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 81b409f70e..b168442aa9 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your views (just as you had before). It is strongly recommended to install ``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above. -(Note that contrib apps, such as the admin, have been updated to use the +Note that contrib apps, such as the admin, have been updated to use the ``csrf_protect`` decorator, so that they are secured even if you do not add the -``CsrfViewMiddleware`` to your settings). +``CsrfViewMiddleware`` to your settings. However, if you have suuplied +customised templates to any of the view functions of contrib apps (whether +explicitly via a keyword argument, or by overriding built-in templates), **you +MUST update them** to include the ``csrf_token`` template tag as described +above, or they will stop working. Assuming you have followed the above, all views in your Django site will now be protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements diff --git a/docs/releases/1.2-alpha.txt b/docs/releases/1.2-alpha.txt index 0806ed412d..5a0815bf36 100644 --- a/docs/releases/1.2-alpha.txt +++ b/docs/releases/1.2-alpha.txt 
@@ -13,6 +13,11 @@ changes that developers must be aware of: will be removed completely in Django 1.4, in favour of a template tag that should be inserted into forms. + * All contrib apps use a ``csrf_protect`` decorator to protect the view. This + requires the use of the csrf_token template tag in the template, so if you + have used custom templates for contrib views, you MUST READ THE UPGRADE + INSTRUCTIONS to fix those templates. + * ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by default. This turns on CSRF protection by default, so that views that accept POST requests need to be written to work with the middleware. Instructions
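Review bot: Typo in the added text of the csrf.txt hunk: "if you have suuplied customised templates" should read "supplied". Also, since the sentence warns that overridden contrib templates "will stop working" without the ``csrf_token`` tag, consider making the consequence concrete for readers (the ``csrf_protect``-decorated view will reject the POST), and consider replacing "as described above" with a Sphinx ``:ref:`` label pointing at the relevant section, so that the instruction is reachable from the release notes and not only by scrolling up in this file.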
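Review bot: In the 1.2-alpha.txt hunk, "you MUST READ THE UPGRADE INSTRUCTIONS" gives the reader nothing to click; a ``:ref:`` cross-reference to the CSRF upgrade section in ``docs/ref/contrib/csrf.txt`` would be more useful than the capitalised warning. Minor consistency point on the same lines: ``csrf_protect`` is marked up with double backticks but ``csrf_token`` is not, and "to protect the view" would read better as "to protect their views" since the bullet covers all contrib apps.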