Added explicit notes about the need to update any customised template…

…s for contrib apps for CSRF changes

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37

docs/ref/contrib/csrf.txt

@@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your
 views (just as you had before). It is strongly recommended to install
 ``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.
 
-(Note that contrib apps, such as the admin, have been updated to use the
+Note that contrib apps, such as the admin, have been updated to use the
 ``csrf_protect`` decorator, so that they are secured even if you do not add the
-``CsrfViewMiddleware`` to your settings).
+``CsrfViewMiddleware`` to your settings.  However, if you have suuplied
+customised templates to any of the view functions of contrib apps (whether
+explicitly via a keyword argument, or by overriding built-in templates), **you
+MUST update them** to include the ``csrf_token`` template tag as described
+above, or they will stop working.
 
 Assuming you have followed the above, all views in your Django site will now be
 protected by the ``CsrfViewMiddleware``.  Contrib apps meet the requirements

docs/releases/1.2-alpha.txt

@@ -13,6 +13,11 @@ changes that developers must be aware of:
    will be removed completely in Django 1.4, in favour of a template tag that
    should be inserted into forms.
 
+ * All contrib apps use a ``csrf_protect`` decorator to protect the view.  This
+   requires the use of the csrf_token template tag in the template, so if you
+   have used custom templates for contrib views, you MUST READ THE UPGRADE
+   INSTRUCTIONS to fix those templates.
+
  * ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
    default. This turns on CSRF protection by default, so that views that accept
    POST requests need to be written to work with the middleware.  Instructions