summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2009-10-30 00:17:29 +0000
committerLuke Plant <L.Plant.98@cantab.net>2009-10-30 00:17:29 +0000
commit5a0aab41ee4de9e465164d3fbba9336c1fefa5ec (patch)
treecd70fa86d4eb3c50b51f5527160afc8dea63f3de
parent96658ef2d24bd05c75aa98c5318d49f7e26549e7 (diff)
Allow CsrfResponseMiddleware to be used if templates cannot be updated.
For the case where someone is using contrib views with custom templates that they cannot update to use the template tag, it should be possible to use CsrfResponseMiddleware. This requires that 'csrf_response_exempt' is not used for the admin views. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11683 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/admin/sites.py4
-rw-r--r--docs/ref/contrib/csrf.txt4
2 files changed, 5 insertions, 3 deletions
diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py
index 33126999c8..52ef57370d 100644
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -3,7 +3,7 @@ from django import http, template
from django.contrib.admin import ModelAdmin
from django.contrib.admin import actions
from django.contrib.auth import authenticate, login
-from django.views.decorators.csrf import csrf_protect, csrf_response_exempt
+from django.views.decorators.csrf import csrf_protect
from django.db.models.base import ModelBase
from django.core.exceptions import ImproperlyConfigured
from django.core.urlresolvers import reverse
@@ -189,7 +189,7 @@ class AdminSite(object):
inner = never_cache(inner)
# We add csrf_protect here so this function can be used as a utility
# function for any view, without having to repeat 'csrf_protect'.
- inner = csrf_response_exempt(csrf_protect(inner))
+ inner = csrf_protect(inner)
return update_wrapper(inner, view)
def get_urls(self):
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 0cbe59907c..126df83676 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -178,7 +178,9 @@ Note that contrib apps, such as the admin, have been updated to use the
customised templates to any of the view functions of contrib apps (whether
explicitly via a keyword argument, or by overriding built-in templates), **you
MUST update them** to include the ``csrf_token`` template tag as described
-above, or they will stop working.
+above, or they will stop working. (If you cannot update these templates for
+some reason, you will be forced to use ``CsrfResponseMiddleware`` for these
+views to continue working).
Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements