
Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent f6ef3fd commit f00ad4168e6c435a2f3691854d3a4a3f78192600 @spookylukey spookylukey committed Oct 27, 2009
Showing with 11 additions and 2 deletions.
  1. +6 −2 docs/ref/contrib/csrf.txt
  2. +5 −0 docs/releases/1.2-alpha.txt
@@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your
views (just as you had before). It is strongly recommended to install
``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
-(Note that contrib apps, such as the admin, have been updated to use the
+Note that contrib apps, such as the admin, have been updated to use the
``csrf_protect`` decorator, so that they are secured even if you do not add the
-``CsrfViewMiddleware`` to your settings).
+``CsrfViewMiddleware`` to your settings. However, if you have suuplied
+customised templates to any of the view functions of contrib apps (whether
+explicitly via a keyword argument, or by overriding built-in templates), **you
+MUST update them** to include the ``csrf_token`` template tag as described
+above, or they will stop working.
Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``. Contrib apps meet the requirements
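Review bot: the added line "``CsrfViewMiddleware`` to your settings. However, if you have suuplied" misspells "supplied"; please fix the typo before this lands in the published docs. Also, "as described above" leaves the reader to hunt for the relevant section; since the new paragraph is the only place that tells users their custom contrib templates will stop working, consider pointing at the exact heading that explains adding the ``csrf_token`` tag, and noting that templates passed explicitly via a keyword argument and templates overridden by name are both affected (the sentence already lists both cases, so the link should cover both).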
@@ -13,6 +13,11 @@ changes that developers must be aware of:
will be removed completely in Django 1.4, in favour of a template tag that
should be inserted into forms.
+ * All contrib apps use a ``csrf_protect`` decorator to protect the view. This
+ requires the use of the csrf_token template tag in the template, so if you
+ have used custom templates for contrib views, you MUST READ THE UPGRADE
+ INSTRUCTIONS to fix those templates.
+
* ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
default. This turns on CSRF protection by default, so that views that accept
POST requests need to be written to work with the middleware. Instructions
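Review bot: the new bullet tells users they "MUST READ THE UPGRADE INSTRUCTIONS" but gives no cross-reference to where those instructions live (the ``docs/ref/contrib/csrf.txt`` change in this same commit); a :ref: link would be more useful than the capitals. The bullet also writes csrf_token without the double-backtick literal markup that the surrounding lines use for ``csrf_protect`` and ``CsrfViewMiddleware``; for consistency it should read ``csrf_token``.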
