Permalink
Browse files

Fixed #15637 -- Added a require_safe decorator for views to accept GE…

…T or HEAD. Thanks, aaugustin and Julien.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16115 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
jezdez committed Apr 28, 2011
1 parent 013ce8a commit 086ab44336cd919ae6a90950f436e71b85d174a6
Showing with 65 additions and 24 deletions.
  1. +3 −0 django/views/decorators/http.py
  2. +38 −22 docs/topics/http/decorators.txt
  3. +24 −2 tests/regressiontests/decorators/tests.py
@@ -48,6 +48,9 @@ def inner(request, *args, **kwargs):
require_POST = require_http_methods(["POST"])
require_POST.__doc__ = "Decorator to require that a view only accept the POST method."
require_safe = require_http_methods(["GET", "HEAD"])
require_safe.__doc__ = "Decorator to require that a view only accept safe methods: GET and HEAD."
def condition(etag_func=None, last_modified_func=None):
"""
Decorator to support conditional retrieval (or change) for a view
@@ -10,31 +10,47 @@ various HTTP features.
Allowed HTTP methods
====================
The following decorators in :mod:`django.views.decorators.http` can be used to
restrict access to views based on the request method.
The decorators in :mod:`django.views.decorators.http` can be used to restrict
access to views based on the request method.
.. function:: require_http_methods(request_method_list)
This decorator is used to ensure that a view only accepts particular request
methods. Usage::
Decorator to require that a view only accept particular request
methods. Usage::
from django.views.decorators.http import require_http_methods
from django.views.decorators.http import require_http_methods
@require_http_methods(["GET", "POST"])
def my_view(request):
# I can assume now that only GET or POST requests make it this far
# ...
pass
@require_http_methods(["GET", "POST"])
def my_view(request):
# I can assume now that only GET or POST requests make it this far
# ...
pass
Note that request methods should be in uppercase.
Note that request methods should be in uppercase.
.. function:: require_GET()
Decorator to require that a view only accept the GET method.
Decorator to require that a view only accept the GET method.
.. function:: require_POST()
Decorator to require that a view only accept the POST method.
Decorator to require that a view only accept the POST method.
.. function:: require_safe()
.. versionadded:: 1.4
Decorator to require that a view only accept the GET and HEAD methods.
These methods are commonly considered "safe" because they should not have
the significance of taking an action other than retrieving the requested
resource.
.. note::
Django will automatically strip the content of responses to HEAD
requests while leaving the headers unchanged, so you may handle HEAD
requests exactly like GET requests in your views. Since some software,
such as link checkers, rely on HEAD requests, you might prefer
using ``require_safe`` instead of ``require_GET``.
Conditional view processing
===========================
@@ -48,9 +64,9 @@ control caching behavior on particular views.
.. function:: last_modified(last_modified_func)
These decorators can be used to generate ``ETag`` and ``Last-Modified``
headers; see
:doc:`conditional view processing </topics/conditional-view-processing>`.
These decorators can be used to generate ``ETag`` and ``Last-Modified``
headers; see
:doc:`conditional view processing </topics/conditional-view-processing>`.
.. module:: django.views.decorators.gzip
@@ -62,9 +78,9 @@ compression on a per-view basis.
.. function:: gzip_page()
This decorator compresses content if the browser allows gzip compression.
It sets the ``Vary`` header accordingly, so that caches will base their
storage on the ``Accept-Encoding`` header.
This decorator compresses content if the browser allows gzip compression.
It sets the ``Vary`` header accordingly, so that caches will base their
storage on the ``Accept-Encoding`` header.
.. module:: django.views.decorators.vary
@@ -78,7 +94,7 @@ caching based on specific request headers.
.. function:: vary_on_headers(*headers)
The ``Vary`` header defines which request headers a cache mechanism should take
into account when building its cache key.
The ``Vary`` header defines which request headers a cache mechanism should take
into account when building its cache key.
See :ref:`using vary headers <using-vary-headers>`.
See :ref:`using vary headers <using-vary-headers>`.
@@ -2,11 +2,11 @@
from django.contrib.auth.decorators import login_required, permission_required, user_passes_test
from django.contrib.admin.views.decorators import staff_member_required
from django.http import HttpResponse, HttpRequest
from django.http import HttpResponse, HttpRequest, HttpResponseNotAllowed
from django.utils.decorators import method_decorator
from django.utils.functional import allow_lazy, lazy, memoize
from django.utils.unittest import TestCase
from django.views.decorators.http import require_http_methods, require_GET, require_POST
from django.views.decorators.http import require_http_methods, require_GET, require_POST, require_safe
from django.views.decorators.vary import vary_on_headers, vary_on_cookie
from django.views.decorators.cache import cache_page, never_cache, cache_control
@@ -20,6 +20,7 @@ def fully_decorated(request):
fully_decorated = require_http_methods(["GET"])(fully_decorated)
fully_decorated = require_GET(fully_decorated)
fully_decorated = require_POST(fully_decorated)
fully_decorated = require_safe(fully_decorated)
# django.views.decorators.vary
fully_decorated = vary_on_headers('Accept-language')(fully_decorated)
@@ -111,6 +112,27 @@ def my_view(request):
my_view_cached4 = cache_page()(my_view)
self.assertEqual(my_view_cached4(HttpRequest()), "response")
def test_require_safe_accepts_only_safe_methods(self):
"""
Test for the require_safe decorator.
A view returns either a response or an exception.
Refs #15637.
"""
def my_view(request):
return HttpResponse("OK")
my_safe_view = require_safe(my_view)
request = HttpRequest()
request.method = 'GET'
self.assertTrue(isinstance(my_safe_view(request), HttpResponse))
request.method = 'HEAD'
self.assertTrue(isinstance(my_safe_view(request), HttpResponse))
request.method = 'POST'
self.assertTrue(isinstance(my_safe_view(request), HttpResponseNotAllowed))
request.method = 'PUT'
self.assertTrue(isinstance(my_safe_view(request), HttpResponseNotAllowed))
request.method = 'DELETE'
self.assertTrue(isinstance(my_safe_view(request), HttpResponseNotAllowed))
# For testing method_decorator, a decorator that assumes a single argument.
# We will get type arguments if there is a mismatch in the number of arguments.

0 comments on commit 086ab44

Please sign in to comment.