diff options
| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-09-09 17:20:16 +0000 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-09-09 17:20:16 +0000 |
| commit | 0b174ccf0ef99b9ee887890fc5c7ac0c7a845720 (patch) | |
| tree | 2ffe5313800df1373d0e4f4416c13cebb72f76d4 | |
| parent | d036b87126eadb3d76a4e4c5daea1bfb767db912 (diff) | |
Fixed #16384: warn against accessing request.POST/REQUEST in middleware.
Thanks, Tom Christie.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16734 bcc190cf-cafb-0310-a4f2-bffc1f526a37
| -rw-r--r-- | AUTHORS | 1 | ||||
| -rw-r--r-- | docs/topics/http/file-uploads.txt | 2 | ||||
| -rw-r--r-- | docs/topics/http/middleware.txt | 15 |
3 files changed, 18 insertions, 0 deletions
@@ -120,6 +120,7 @@ answer newbie questions, and generally made Django that much better: Sengtha Chay <sengtha@e-khmer.com> ivan.chelubeev@gmail.com Bryan Chow <bryan at verdjn dot com> + Tom Christie <tom@tomchristie.com> Antonis Christofides <anthony@itia.ntua.gr> Michal Chruszcz <troll@pld-linux.org> Can Burak Çilingir <canburak@cs.bilgi.edu.tr> diff --git a/docs/topics/http/file-uploads.txt b/docs/topics/http/file-uploads.txt index 63454f05a4..e5298ef2cb 100644 --- a/docs/topics/http/file-uploads.txt +++ b/docs/topics/http/file-uploads.txt @@ -238,6 +238,8 @@ could, for example, use custom handlers to enforce user-level quotas, compress data on the fly, render progress bars, and even send data to another storage location directly without storing it locally. +.. _modifying_upload_handlers_on_the_fly: + Modifying upload handlers on the fly ------------------------------------ diff --git a/docs/topics/http/middleware.txt b/docs/topics/http/middleware.txt index c9c2311b19..be2a774c95 100644 --- a/docs/topics/http/middleware.txt +++ b/docs/topics/http/middleware.txt @@ -97,6 +97,21 @@ calling ANY other request, view or exception middleware, or the appropriate view; it'll return that :class:`~django.http.HttpResponse`. Response middleware is always called on every response. +.. note:: + Accessing :attr:`request.POST <django.http.HttpRequest.POST>` or + :attr:`request.REQUEST <django.http.HttpRequest.REQUEST>` inside + middleware from ``process_request`` or ``process_view`` will prevent any + view running after the middleware from being able to + :ref:`modify the upload handlers for the + request <modifying_upload_handlers_on_the_fly>`, and should normally be + avoided. + + The :class:`~django.middleware.csrf.CsrfViewMiddleware` class can be + considered an exception, as it provides the + :func:`~django.views.decorators.csrf.csrf_exempt` and + :func:`~django.views.decorators.csrf.csrf_protect` decorators which allow + views to explicitly control at what point the CSRF validation should occur. + .. _template-response-middleware: ``process_template_response`` |
