Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #8092, #3828 -- Removed dictionary access for request objects s…

…o that GET and POST data doesn't "overwrite" request attributes when used in templates (since dictionary lookup is performed before attribute lookup). This is backwards-incompatible if you were using the request object for dictionary access to the combined GET and POST data, but you should use `request.REQUEST` for that instead.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8202 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit daa6b38f352447a5afed3184f4ffffd0d6b1f1de 1 parent 71b2e01
@gdub gdub authored
View
11 django/http/__init__.py
@@ -39,17 +39,6 @@ def __repr__(self):
(pformat(self.GET), pformat(self.POST), pformat(self.COOKIES),
pformat(self.META))
- def __getitem__(self, key):
- for d in (self.POST, self.GET):
- if key in d:
- return d[key]
- raise KeyError, "%s not found in either POST or GET" % key
-
- def has_key(self, key):
- return key in self.GET or key in self.POST
-
- __contains__ = has_key
-
def get_host(self):
"""Returns the HTTP host using the environment or request headers."""
# We try three options, in order of decreasing preference.
View
12 docs/request_response.txt
@@ -170,18 +170,6 @@ All attributes except ``session`` should be considered read-only.
Methods
-------
-``__getitem__(key)``
- Returns the GET/POST value for the given key, checking POST first, then
- GET. Raises ``KeyError`` if the key doesn't exist.
-
- This lets you use dictionary-accessing syntax on an ``HttpRequest``
- instance. Example: ``request["foo"]`` would return ``True`` if either
- ``request.POST`` or ``request.GET`` had a ``"foo"`` key.
-
-``has_key()``
- Returns ``True`` or ``False``, designating whether ``request.GET`` or
- ``request.POST`` has the given key.
-
``get_host()``
**New in Django development version**
View
0  tests/regressiontests/context_processors/__init__.py
No changes.
View
1  tests/regressiontests/context_processors/models.py
@@ -0,0 +1 @@
+# Models file for tests to run.
View
13 tests/regressiontests/context_processors/templates/context_processors/request_attrs.html
@@ -0,0 +1,13 @@
+{% if request %}
+Have request
+{% else %}
+No request
+{% endif %}
+
+{% if request.is_secure %}
+Secure
+{% else %}
+Not secure
+{% endif %}
+
+{{ request.path }}
View
38 tests/regressiontests/context_processors/tests.py
@@ -0,0 +1,38 @@
+"""
+Tests for Django's bundled context processors.
+"""
+
+from django.conf import settings
+from django.test import TestCase
+
+
+class RequestContextProcessorTests(TestCase):
+ """
+ Tests for the ``django.core.context_processors.request`` processor.
+ """
+
+ urls = 'regressiontests.context_processors.urls'
+
+ def test_request_attributes(self):
+ """
+ Test that the request object is available in the template and that its
+ attributes can't be overridden by GET and POST parameters (#3828).
+ """
+ url = '/request_attrs/'
+ # We should have the request object in the template.
+ response = self.client.get(url)
+ self.assertContains(response, 'Have request')
+ # Test is_secure.
+ response = self.client.get(url)
+ self.assertContains(response, 'Not secure')
+ response = self.client.get(url, {'is_secure': 'blah'})
+ self.assertContains(response, 'Not secure')
+ response = self.client.post(url, {'is_secure': 'blah'})
+ self.assertContains(response, 'Not secure')
+ # Test path.
+ response = self.client.get(url)
+ self.assertContains(response, url)
+ response = self.client.get(url, {'path': '/blah/'})
+ self.assertContains(response, url)
+ response = self.client.post(url, {'path': '/blah/'})
+ self.assertContains(response, url)
View
8 tests/regressiontests/context_processors/urls.py
@@ -0,0 +1,8 @@
+from django.conf.urls.defaults import *
+
+import views
+
+
+urlpatterns = patterns('',
+ (r'^request_attrs/$', views.request_processor),
+)
View
8 tests/regressiontests/context_processors/views.py
@@ -0,0 +1,8 @@
+from django.core import context_processors
+from django.shortcuts import render_to_response
+from django.template.context import RequestContext
+
+
+def request_processor(request):
+ return render_to_response('context_processors/request_attrs.html',
+ RequestContext(request, {}, processors=[context_processors.request]))

0 comments on commit daa6b38

Please sign in to comment.
Something went wrong with that request. Please try again.