Fixed #16384: warn against accessing request.POST/REQUEST in middleware.

Thanks, Tom Christie.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16734 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 0b174ccf0ef99b9ee887890fc5c7ac0c7a845720 1 parent d036b87
Jacob Kaplan-Moss authored
1  AUTHORS
@@ -120,6 +120,7 @@ answer newbie questions, and generally made Django that much better:
120 120
     Sengtha Chay <sengtha@e-khmer.com>
121 121
     ivan.chelubeev@gmail.com
122 122
     Bryan Chow <bryan at verdjn dot com>
  123
+    Tom Christie <tom@tomchristie.com>
123 124
     Antonis Christofides <anthony@itia.ntua.gr>
124 125
     Michal Chruszcz <troll@pld-linux.org>
125 126
     Can Burak Çilingir <canburak@cs.bilgi.edu.tr>
2  docs/topics/http/file-uploads.txt
@@ -238,6 +238,8 @@ could, for example, use custom handlers to enforce user-level quotas, compress
238 238
 data on the fly, render progress bars, and even send data to another storage
239 239
 location directly without storing it locally.
240 240
 
  241
+.. _modifying_upload_handlers_on_the_fly:
  242
+
241 243
 Modifying upload handlers on the fly
242 244
 ------------------------------------
243 245
 
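Review bot: the new label `_modifying_upload_handlers_on_the_fly` is spelled with underscores, while the other label visible in this commit, `_template-response-middleware` in middleware.txt, uses hyphens. Consider `.. _modifying-upload-handlers-on-the-fly:` here, with the `:ref:` target in the middleware.txt note updated to match, so the label names stay consistent across the docs.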
15  docs/topics/http/middleware.txt
@@ -97,6 +97,21 @@ calling ANY other request, view or exception middleware, or the appropriate
97 97
 view; it'll return that :class:`~django.http.HttpResponse`. Response
98 98
 middleware is always called on every response.
99 99
 
  100
+.. note::
  101
+    Accessing :attr:`request.POST <django.http.HttpRequest.POST>` or 
  102
+    :attr:`request.REQUEST <django.http.HttpRequest.REQUEST>` inside 
  103
+    middleware from ``process_request`` or ``process_view`` will prevent any
  104
+    view running after the middleware from being able to
  105
+    :ref:`modify the upload handlers for the 
  106
+    request <modifying_upload_handlers_on_the_fly>`, and should normally be
  107
+    avoided.
  108
+
  109
+    The :class:`~django.middleware.csrf.CsrfViewMiddleware` class can be
  110
+    considered an exception, as it provides the
  111
+    :func:`~django.views.decorators.csrf.csrf_exempt` and
  112
+    :func:`~django.views.decorators.csrf.csrf_protect` decorators which allow
  113
+    views to explicitly control at what point the CSRF validation should occur.
  114
+
100 115
 .. _template-response-middleware:
101 116
 
102 117
 ``process_template_response``
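Review bot: the second paragraph of the added note names `csrf_exempt` and `csrf_protect` but does not say what a view that needs to modify its upload handlers should actually do with them. A reader is told that `CsrfViewMiddleware` is an exception without being told how to apply it. Suggest adding one sentence describing the intended usage, or a `:ref:` to wherever that is documented. The first paragraph would also benefit from a short clause saying why reading `request.POST` or `request.REQUEST` has this effect, since it currently gives the consequence only. Minor: the added lines ending in "or " and "inside " carry trailing whitespace.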
