summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2014-04-21Prevented leaking the CSRF token through caching.Aymeric Augustin
This is a security fix. Disclosure will follow shortly.
2014-03-30Corrected many style guide violations that the newest version of flake8 catchesAlex Gaynor
2014-03-21Removed django.middleware.doc. Refs #20126.Aymeric Augustin
Small doc changes missed in 66076268.
2014-03-21Removed legacy transaction management per the deprecation timeline.Aymeric Augustin
2014-03-21Removed settings.CACHE_MIDDLEWARE_ANONYMOUS_ONLY per deprecation timeline.Tim Graham
refs #15201.
2014-03-21Removed settings.SEND_BROKEN_LINK_EMAILS per deprecation timeline.Tim Graham
2014-03-08Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warningsClaude Paroz
Thanks Anssi Kääriäinen for the idea and Simon Charette for the review.
2014-03-06Fixed #22185 -- Added settings.CSRF_COOKIE_AGERoger Hu
Thanks Paul McMillan for the review.
2014-02-26Fixed #21389 -- Accept most valid language codesBouke Haarsma
By removing the 'supported' keyword from the detection methods and only relying on a cached settings.LANGUAGES, the speed of said methods has been improved; around 4x raw performance. This allows us to stop checking Python's incomplete list of locales, and rely on a less restrictive regular expression for accepting certain locales. HTTP Accept-Language is defined as being case-insensitive, based on this fact extra performance improvements have been made; it wouldn't make sense to check for case differences.
2013-12-12Fixed #21473 -- Limited language preservation to logoutLudwik Trammer
Current language is no longer saved to session by LocaleMiddleware on every response (the behavior introduced in #14825). Instead language stored in session is reintroduced into new session after logout. Forward port of c558a43fd6 to master.
2013-11-28Fixed E125 pep8 warningsChristopher Medrela
2013-11-23Fixed #21012 -- New API to access cache backends.Curtis Maloney
Thanks Curtis Malony and Florian Apolloner. Squashed commit of the following: commit 3380495e93f5e81b80a251b03ddb0a80b17685f5 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 14:18:07 2013 +0100 Looked up the template_fragments cache at runtime. commit 905a74f52b24a198f802520ff06290a94dedc687 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 14:19:48 2013 +0100 Removed all uses of create_cache. Refactored the cache tests significantly. Made it safe to override the CACHES setting. commit 35e289fe9285feffed3c60657af9279a6a2cfccc Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 12:23:57 2013 +0100 Removed create_cache function. commit 8e274f747a1f1c0c0e6c37873e29067f7fa022e8 Author: Aymeric Augustin <aymeric.augustin@m4x.org> Date: Sat Nov 23 12:04:52 2013 +0100 Updated docs to describe a simplified cache backend API. commit ee7eb0f73e6d4699edcf5d357dce715224525cf6 Author: Curtis Maloney <curtis@tinbrain.net> Date: Sat Oct 19 09:49:24 2013 +1100 Fixed #21012 -- Thread-local caches, like databases.
2013-11-03Fixed flake8 E251 violationsMilton Mazzarri
2013-11-02Fixed all E261 warningscoagulant
2013-11-02More attacking E302 violatorsAlex Gaynor
2013-11-02Fixed #21302 -- Fixed unused imports and import *.Tim Graham
2013-11-02Fixed #21324 -- Translate CSRF failure viewBouke Haarsma
Thanks to Claude Paroz for the original patch.
2013-10-22Fixed #5789 -- Changed LocaleMiddleware session variable to '_language'.Bouke Haarsma
The old 'django_language' variable will still be read from in order to migrate users. The backwards-compatability shim will be removed in Django 1.8. Thanks to jdunck for the report and stugots for the initial patch.
2013-10-21Fixed #21288 -- Fixed E126 pep8 warningsAlasdair Nicol
2013-10-18Fixed bug causing CSRF token not to rotate on login.Tim Graham
Thanks Gavin McQuillan for the report.
2013-10-15Fixed #7603 -- Added a 'scheme' property to the HttpRequest objectUnai Zalakain
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is appropriately set and falls back to `HttpRequest._get_scheme()` (a hook for subclasses to implement) otherwise. `WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI environ variable to determine the request scheme. `HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is `https`. This provides a way to check the current scheme in templates, for example. It also allows us to deal with other schemes. Thanks nslater for the suggestion.
2013-10-10Used "is" for comparisons with None.Tim Graham
2013-10-03Fixed #19277 -- Added LocaleMiddleware.response_redirect_classEmil Stenström
Thanks ppetrid at yawd.eu for the suggestion.
2013-08-04Deprecated SortedDict (replaced with collections.OrderedDict)Curtis Maloney
Thanks Loic Bistuer for the review.
2013-06-29Advanced deprecation warnings for Django 1.7.Aymeric Augustin
2013-06-19Removed several unused imports.Aymeric Augustin
2013-05-26Replaced `and...or...` constructs with PEP 308 conditional expressions.Ramiro Morales
2013-05-25Fixed #20099 -- Eased subclassing of BrokenLinkEmailsMiddlewareClaude Paroz
Thanks Ram Rachum for the report and the initial patch, and Simon Charette for the review.
2013-05-25Fixed #14825 -- LocaleMiddleware keeps languageVlastimil Zíma
* LocaleMiddleware stores language into session if it is not present there.
2013-05-24Rotate CSRF token on loginAndrew Godwin
2013-05-19Fixed #20126 -- XViewMiddleware moved to django.contrib.admindocs.middlewareŁukasz Langa
2013-05-19Fixed #11915: generic Accept-Language matches country-specific variantsŁukasz Langa
2013-05-18Fixed #15201: Marked CACHE_MIDDLEWARE_ANONYMOUS_ONLY as deprecatedŁukasz Langa
2013-05-18Fixed #19436 -- Don't log warnings in ensure_csrf_cookie.Olivier Sels
2013-05-18Fixed #20356 -- Prevented crash when HTTP_REFERER contains non-asciiClaude Paroz
Thanks srusskih for the report and Aymeric Augustin for the review.
2013-03-11Deprecated TransactionMiddleware and TRANSACTIONS_MANAGED.Aymeric Augustin
Replaced them with per-database options, for proper multi-db support. Also toned down the recommendation to tie transactions to HTTP requests. Thanks Jeremy for sharing his experience.
2013-03-11Deprecated transaction.is_managed().Aymeric Augustin
It's synchronized with the autocommit flag.
2013-03-11Made transaction.managed a no-op and deprecated it.Aymeric Augustin
enter_transaction_management() was nearly always followed by managed(). In three places it wasn't, but they will all be refactored eventually. The "forced" keyword argument avoids introducing behavior changes until then. This is mostly backwards-compatible, except, of course, for managed itself. There's a minor difference in _enter_transaction_management: the top self.transaction_state now contains the new 'managed' state rather than the previous one. Django doesn't access self.transaction_state in _enter_transaction_management.
2013-02-28Fixed #5241 -- Kept active transalation in LocaleMiddleware.process_response.Aymeric Augustin
2013-02-23Fixes #17866: Vary: Accept-Language header when language prefix usedŁukasz Langa
2013-02-10Fixed #19707 -- Reset transaction state after requestsAnssi Kääriäinen
2013-02-07Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.Aymeric Augustin
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-01-29Fixed typos in docs and commentsTim Graham
2013-01-15Fixed #19099 -- Split broken link emails out of common middleware.Aymeric Augustin
2013-01-11Fixed #19488 -- Made i18n_patterns redirect work with non-slash-ending pathsClaude Paroz
Thanks Daniel Gerzo for the report and the initial patch.
2012-12-29Removed IGNORABLE_404_STARTS/ENDS settings.Aymeric Augustin
2012-12-24Prevented caching of streaming responses.Aymeric Augustin
The test introduced in 4b278131 accidentally passed because of a limitation of Python < 3.3. Refs #17758, #7581.
2012-12-01Fixed #19347 -- Removed unused variable definition in FetchFromCacheMiddlewareClaude Paroz
Thanks gregplaysguitar at gmail.com for the report.
2012-11-03Fixed #15152 -- Avoided crash of CommonMiddleware on broken querystringAymeric Augustin
2012-10-20Fixed #7581 -- Added streaming responses.Aymeric Augustin
Thanks mrmachine and everyone else involved on this long-standing ticket.