Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit f00ad4168e6c435a2f3691854d3a4a3f78192600 1 parent f6ef3fd
@spookylukey spookylukey authored
Showing with 11 additions and 2 deletions.
  1. +6 −2 docs/ref/contrib/csrf.txt
  2. +5 −0 docs/releases/1.2-alpha.txt
8 docs/ref/contrib/csrf.txt
@@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your
views (just as you had before). It is strongly recommended to install
``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
-(Note that contrib apps, such as the admin, have been updated to use the
+Note that contrib apps, such as the admin, have been updated to use the
``csrf_protect`` decorator, so that they are secured even if you do not add the
-``CsrfViewMiddleware`` to your settings).
+``CsrfViewMiddleware`` to your settings. However, if you have suuplied
+customised templates to any of the view functions of contrib apps (whether
+explicitly via a keyword argument, or by overriding built-in templates), **you
+MUST update them** to include the ``csrf_token`` template tag as described
+above, or they will stop working.
Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements
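Review bot: "suuplied" in the added line "However, if you have suuplied" is a typo for "supplied". Two smaller points on the same added sentence: "or they will stop working" does not say how they stop working, and a short clause such as "POST requests to those views will be rejected" would tell the reader what symptom to expect; and "as described above" could name the section that covers the ``csrf_token`` tag, since readers arriving here from the release notes will not have read the page top to bottom. Dropping the parentheses around the ``csrf_protect`` note is fine; the sentence reads correctly on its own.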
5 docs/releases/1.2-alpha.txt
@@ -13,6 +13,11 @@ changes that developers must be aware of:
will be removed completely in Django 1.4, in favour of a template tag that
should be inserted into forms.
+ * All contrib apps use a ``csrf_protect`` decorator to protect the view. This
+ requires the use of the csrf_token template tag in the template, so if you
+ have used custom templates for contrib views, you MUST READ THE UPGRADE
+ INSTRUCTIONS to fix those templates.
* ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
default. This turns on CSRF protection by default, so that views that accept
POST requests need to be written to work with the middleware. Instructions
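Review bot: "csrf_token" in "requires the use of the csrf_token template tag" should be marked up as ``csrf_token`` to match ``csrf_protect`` and ``CsrfViewMiddleware`` in the neighbouring bullets. The capitalised "you MUST READ THE UPGRADE INSTRUCTIONS" also gives no pointer to those instructions; since this same commit adds them to docs/ref/contrib/csrf.txt, a reference to that document would be more useful than shouting. Minor wording: "to protect the view" reads better as "to protect their views", since the bullet is about all contrib apps.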
