1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00
Commit Graph

7453 Commits

Author SHA1 Message Date
Luke Plant
5a0aab41ee Allow CsrfResponseMiddleware to be used if templates cannot be updated.
For the case where someone is using contrib views with custom templates that
they cannot update to use the template tag, it should be possible to use
CsrfResponseMiddleware.  This requires that 'csrf_response_exempt' is not
used for the admin views.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11683 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-30 00:17:29 +00:00
Russell Keith-Magee
96658ef2d2 Fixed #12057 -- Corrected regression of caching performance when a model contained a callable default. Thanks to Michael Thornhill for the excellent assistance tracking this problem.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11681 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-29 14:32:01 +00:00
Luke Plant
c5c7791e91 Improved HTML in CSRF debug template - <code> instead of <tt>
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-29 14:17:39 +00:00
Jannis Leidel
7440fca145 Added bio for myself
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11678 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-28 10:01:16 +00:00
Luke Plant
e6f0c10e77 Fixed typo in docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11677 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 22:26:54 +00:00
Luke Plant
5df19aa99e Small improvement to CSRF failure template.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11676 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 22:20:03 +00:00
Luke Plant
9dc9770736 Documented the presence of {% csrf_token %} in Django 1.1.2 in trunk docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11675 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:52:25 +00:00
Luke Plant
905dba3694 Misc clarifications in csrf middleware comments
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:31:20 +00:00
Luke Plant
43c2ed0eb3 Fixed #12095 - login and other contrib views failing if template rendered using inclusion tag.
The {% csrf_token %} tag is unable to get its value if a template is
rendered using an inclusion_tag, since that creates a brand new Context,
rather than using the existing one.  Since this is a common pattern, and we
need CSRF protection to be as simple and easy as possible, we special case
the csrf_token and copy it from the parent context to the new context.

A more elegant and general solution may appear in future, but this is good
enough for now.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11672 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:27:09 +00:00
Jacob Kaplan-Moss
4281bf3db0 Fixed #11057: having no actions in the admin (actions=None) no longer messes up the layout. Thanks, rvdrijst.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11670 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 20:56:12 +00:00
Luke Plant
d0b900e6f5 Slight change to CSRF error messages to make debugging easier.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 14:04:21 +00:00
Luke Plant
b32a187296 Fixed some typos
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11668 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 13:13:40 +00:00
Luke Plant
f00ad4168e Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 12:11:56 +00:00
Luke Plant
f6ef3fd941 Completed a name in AUTHORS file, now I know it.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11666 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 10:46:04 +00:00
Luke Plant
2ddf1364c4 Added 'version added' info to CSRF_* settings.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11665 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 01:10:20 +00:00
Luke Plant
c2ffe94d9a Removed unused import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11664 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:49:33 +00:00
Luke Plant
64b4ab18b4 Use decorator syntax for csrf_exempt example.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11663 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:43:16 +00:00
Luke Plant
7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatiblity with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant
8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes is found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Jacob Kaplan-Moss
d1da261417 Fixed #11371: Made django.test.Client.put() work for non-form-data PUT (i.e. JSON, etc.). Thanks, phyfus.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11656 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 15:02:54 +00:00
Jarek Zgoda
e32b042d6b Polish translation updated
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11655 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-25 20:09:49 +00:00
Karen Tracey
c54b8ec2f5 Fixed #12079: Changed has_results to get a single result, thus preventing exists() from always returning True on backends that support chunked reads.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11654 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-25 16:32:07 +00:00
Luke Plant
92090253fe Fixed small error in deprecation policy.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11652 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 14:10:00 +00:00
Luke Plant
a02a6fab66 Fixed #9163 - CsrfMiddleware needs to reset ETag header
Thanks to carljm for report and patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 10:45:58 +00:00
Luke Plant
c44fdf6a1e Fixed #12067 - check_dependencies in contrib.admin.sites not triggered using new style admin include
Thanks to robhudson for report and patch.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11648 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 10:13:24 +00:00
Luke Plant
2b2f92ae8e Fixed a bug in r11646 - refs #11402
The one line of code not covered by a test... ;-)


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11647 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 00:37:01 +00:00
Jacob Kaplan-Moss
b79702b2de Fixed #11402: added a QuerySet.exists() method. Thanks, Alex Gaynor.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11646 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 00:28:39 +00:00
Jacob Kaplan-Moss
9f70783b14 Fixed a couple of test-ordering-dependant failures introduced in [11639] that caused test failures when running the whole test suite.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11645 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 00:23:47 +00:00
Brian Rosner
0d1177ae99 Moved _get_foreign_key call after testing for fk_name fixing a broken test.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11643 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 20:47:29 +00:00
Jacob Kaplan-Moss
fa6ca072a3 Clarified faq/install w.r.t. the various Python versions available.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11642 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 19:52:15 +00:00
Jacob Kaplan-Moss
7770c70007 Fixed a silly typo left over from removing Python 2.3 references.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11641 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 19:43:58 +00:00
Jacob Kaplan-Moss
7098664940 Removed mentions of Python 2.3 support from the docs -- Django 1.2 drops support for Python 2.3 -- and added a quick FAQ about that dropping of support.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11640 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 19:30:23 +00:00
Jacob Kaplan-Moss
8be1bb2268 Fixed #11625: added comment moderation via admin actions.
This is BACKWARDS INCOMPATIBLE if you were using the completely undocumented moderation view from 1.1. That view's been removed in favor of the admin actions.

Thanks, Thejaswi Puthraya.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11639 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-23 19:22:31 +00:00
Luke Plant
162fade2b7 Fixed #12060 - equality tests between User and SimpleLazyObject-wrapped User failed.
Also added more tests for SimpleLazyObject

Thanks to ericholscher for report.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11637 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-20 14:11:08 +00:00
Luke Plant
c6e8e5d9f0 Fixed non-standard introspection support in LazyObject.
LazyObject called a public method ``get_all_members`` on wrapped objects in
order to allow introspection.  This could easily cause name clashes with
existing methods on wrapped objects, and so has been changed to use the
standard methods.  This could be slightly backwards-incompatible, in obscure
cases, if the undocumented LazyObject has been used externally.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11636 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 21:48:06 +00:00
Luke Plant
22be3d7612 Fixed #12049 - LazyObject-wrapped User breaks queries in template tags
Thanks to chipx86 for the report and patch.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 21:13:22 +00:00
Brian Rosner
cb7a3262b5 Moved the call to _get_foreign_key to run in all cases catching incorrect inline setup sooner.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11631 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 19:17:20 +00:00
Brian Rosner
5fc35c9caf Fixed #11709 — Pass inline fk_name attribute when grabbing foreign key to test for exclusion. Thanks yishaibeeri for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11630 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-19 19:17:07 +00:00
Justin Bronn
69535b7b13 The OGRGeometry.coord_dim property may now be set; implemented a work-around for an OGR bug that changed geometries to 3D after transformation. Refs #11433.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11628 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-17 17:32:25 +00:00
Luke Plant
e5ab340d17 Licence block for code added in r11586
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11627 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-15 20:25:20 +00:00
Luke Plant
a2d8acbacd Fixed a regression on Python 2.6 caused by r11623
This might fix #12037, but I cannot reproduce that bug.
Refs #12037



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11625 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-15 14:12:34 +00:00
Luke Plant
c161bf21f0 Fixed #6552, #12031 - Make django.core.context_processors.auth lazy to avoid "Vary: Cookie"
Thanks to olau@iola.dk, Suor for the report



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-14 18:09:13 +00:00
Russell Keith-Magee
f14833ee67 Fixed #11959 -- Updated the tutorial to ensure that the admin site continues to work after URLpatterns are introduced. Thanks to carljm for the report and draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11621 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-14 13:38:31 +00:00
Jacob Kaplan-Moss
b30cba4e2b Fixed #11993: fixed the the floatformat filter on NaN values in Python 2.6.3. Thanks, kklimonda.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11619 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-12 16:53:23 +00:00
Luke Plant
c46ddbf1fc Fixed #8274 - allow custom forms for auth 'login' and 'password_change' views
Thanks to julien for the suggestion and patch, and SmileyChris for work on the patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-12 15:32:24 +00:00
Jacob Kaplan-Moss
9f8287a3f1 SECURITY ALERT: Corrected regular expressions for URL and email fields.
Certain email addresses/URLs could trigger a catastrophic backtracking situation, causing 100% CPU and server overload. If deliberately triggered, this could be the basis of a denial-of-service attack.

This security vulnerability was disclosed in public, so we're skipping our
normal security release process to get the fix out as soon as possible.

This is a security related update. A full announcement, as well as backports for the 1.1.X and 1.0.X series will follow.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11603 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-09 20:57:59 +00:00
Russell Keith-Magee
8aee95ca3e Fixed #11995 -- Modified the admin site definition for comments so that users are shown as a raw id list. Thanks to James Bennett for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11601 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-08 13:30:31 +00:00
Luke Plant
175ab92d6b Removed some unused code and improved docstring on auto_adapt_to_methods
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11600 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-01 16:15:27 +00:00
James Bennett
ca9d0136df Fixed #11961: Corrected a few typos in docs/testing.txt. Thanks to timo for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11599 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-30 06:40:34 +00:00
Luke Plant
055efb2530 Fixed #9674 - documented app_label.
Thanks to andymckay for the report and jpaulett for the patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11596 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-09-28 21:58:21 +00:00