Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed #26628 -- Changed CSRF logger to django.security.csrf #6707

Closed
wants to merge 1 commit into from
Closed

Fixed #26628 -- Changed CSRF logger to django.security.csrf #6707

wants to merge 1 commit into from

Conversation

Hwesta
Copy link
Contributor

@Hwesta Hwesta commented Jun 3, 2016

Reworded docs to include non-SuspiciousOperation security loggers. Updated CSRF tests to check logger output.

The docs looked like they are manually wrapped, and I wasn't sure if there was a way to make changes without noisy diffs.

Also, does this need to be added to patch notes, and if so which version?

@Hwesta Hwesta force-pushed the 26628-logger-change branch 3 times, most recently from d7e99bd to 35db91d Compare June 3, 2016 06:44
carljm
carljm reviewed Jun 3, 2016
View reviewed changes
django/middleware/csrf.py
@@ -151,7 +151,8 @@ def _accept(self, request):
return None

def _reject(self, request, reason):
logger.warning(
security_logger = logging.getLogger('django.security.csrf')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need the django.request logger in this module anymore; why not get this logger at module level instead, rather than every time this method is called?

@carljm
Copy link
Member

carljm commented Jun 3, 2016

I think this also deserves a mention in the 1.11 release notes as a minor change. It's possible that someone may want to adjust their logging config as a result of this change.

Besides that, flake8, and my other comment above, LGTM!

@carljm
Copy link
Member

carljm commented Jun 3, 2016

(I'm erring on the side of caution by suggesting 1.11; I wouldn't have any objection to putting this into 1.10 if someone wants to argue for that. I think it's a small low-impact change.)

timgraham
timgraham reviewed Jun 3, 2016
View reviewed changes
docs/ref/csrf.txt
@@ -211,7 +211,7 @@ The error page, however, is not very friendly, so you may want to provide your
own view for handling this condition. To do this, simply set the
:setting:`CSRF_FAILURE_VIEW` setting.

CSRF failures are logged as warnings to the :ref:`django-request-logger`
CSRF failures are logged as warnings to the :ref:`django-security-logger` ``csrf``
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use:

:ref:`django.security.csrf <django-security-logger>`

and add a .. versionchanged:: 1.11 annotation below as described at https://docs.djangoproject.com/en/dev/internals/contributing/writing-documentation/#documenting-new-features

@Hwesta
Copy link
Contributor Author

Hwesta commented Jun 3, 2016
edited

Updated for the feedback.

@Hwesta
Fixed #26628 -- Changed CSRF logger to django.security.csrf
a422d20 
Reworded docs to include non-SuspiciousOperation security loggers. Updated CSRF
tests to check logger output.
@timgraham
Copy link
Member

merged in 55fec16, thanks!

@timgraham timgraham closed this Jun 4, 2016
@carljm carljm mentioned this pull request Jun 4, 2016
Closed
@Hwesta Hwesta deleted the 26628-logger-change branch June 9, 2016 05:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@Hwesta @carljm @timgraham