summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJacob Kaplan-Moss <jacob@jacobian.org>2011-09-09 17:20:16 +0000
committerJacob Kaplan-Moss <jacob@jacobian.org>2011-09-09 17:20:16 +0000
commit0b174ccf0ef99b9ee887890fc5c7ac0c7a845720 (patch)
tree2ffe5313800df1373d0e4f4416c13cebb72f76d4 /docs
parentd036b87126eadb3d76a4e4c5daea1bfb767db912 (diff)
Fixed #16384: warn against accessing request.POST/REQUEST in middleware.
Thanks, Tom Christie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16734 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/http/file-uploads.txt2
-rw-r--r--docs/topics/http/middleware.txt15
2 files changed, 17 insertions, 0 deletions
diff --git a/docs/topics/http/file-uploads.txt b/docs/topics/http/file-uploads.txt
index 63454f05a4..e5298ef2cb 100644
--- a/docs/topics/http/file-uploads.txt
+++ b/docs/topics/http/file-uploads.txt
@@ -238,6 +238,8 @@ could, for example, use custom handlers to enforce user-level quotas, compress
data on the fly, render progress bars, and even send data to another storage
location directly without storing it locally.
+.. _modifying_upload_handlers_on_the_fly:
+
Modifying upload handlers on the fly
------------------------------------
diff --git a/docs/topics/http/middleware.txt b/docs/topics/http/middleware.txt
index c9c2311b19..be2a774c95 100644
--- a/docs/topics/http/middleware.txt
+++ b/docs/topics/http/middleware.txt
@@ -97,6 +97,21 @@ calling ANY other request, view or exception middleware, or the appropriate
view; it'll return that :class:`~django.http.HttpResponse`. Response
middleware is always called on every response.
+.. note::
+ Accessing :attr:`request.POST <django.http.HttpRequest.POST>` or
+ :attr:`request.REQUEST <django.http.HttpRequest.REQUEST>` inside
+ middleware from ``process_request`` or ``process_view`` will prevent any
+ view running after the middleware from being able to
+ :ref:`modify the upload handlers for the
+ request <modifying_upload_handlers_on_the_fly>`, and should normally be
+ avoided.
+
+ The :class:`~django.middleware.csrf.CsrfViewMiddleware` class can be
+ considered an exception, as it provides the
+ :func:`~django.views.decorators.csrf.csrf_exempt` and
+ :func:`~django.views.decorators.csrf.csrf_protect` decorators which allow
+ views to explicitly control at what point the CSRF validation should occur.
+
.. _template-response-middleware:
``process_template_response``