Fixed #16384: warn against accessing request.POST/REQUEST in middleware.

Thanks, Tom Christie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16734 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Fixed #16384: warn against accessing request.POST/REQUEST in middleware.
Thanks, Tom Christie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16734 bcc190cf-cafb-0310-a4f2-bffc1f526a37
0b174ccf · Jacob Kaplan-Moss · d036b871 · 0b174ccf · 0b174ccf · 0b174ccf
Kaydet (Commit) 0b174ccf authored Eyl 09, 2011 tarafından Jacob Kaplan-Moss
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

AUTHORS AUTHORS +1 -0

file-uploads.txt docs/topics/http/file-uploads.txt +2 -0

middleware.txt docs/topics/http/middleware.txt +15 -0

No files found.
--- a/AUTHORS
+++ b/AUTHORS
@@ -120,6 +120,7 @@ answer newbie questions, and generally made Django that much better:
    Sengtha Chay <sengtha@e-khmer.com>
    ivan.chelubeev@gmail.com
    Bryan Chow <bryan at verdjn dot com>
+    Tom Christie <tom@tomchristie.com>
    Antonis Christofides <anthony@itia.ntua.gr>
    Michal Chruszcz <troll@pld-linux.org>
    Can Burak Çilingir <canburak@cs.bilgi.edu.tr>

--- a/docs/topics/http/file-uploads.txt
+++ b/docs/topics/http/file-uploads.txt
@@ -238,6 +238,8 @@ could, for example, use custom handlers to enforce user-level quotas, compress
 data on the fly, render progress bars, and even send data to another storage
 location directly without storing it locally.

+.. _modifying_upload_handlers_on_the_fly:
+
 Modifying upload handlers on the fly
 ------------------------------------


--- a/docs/topics/http/middleware.txt
+++ b/docs/topics/http/middleware.txt
@@ -97,6 +97,21 @@ calling ANY other request, view or exception middleware, or the appropriate
 view; it'll return that :class:`~django.http.HttpResponse`. Response
 middleware is always called on every response.

+.. note::
+    Accessing :attr:`request.POST <django.http.HttpRequest.POST>` or 
+    :attr:`request.REQUEST <django.http.HttpRequest.REQUEST>` inside 
+    middleware from ``process_request`` or ``process_view`` will prevent any
+    view running after the middleware from being able to
+    :ref:`modify the upload handlers for the 
+    request <modifying_upload_handlers_on_the_fly>`, and should normally be
+    avoided.
+
+    The :class:`~django.middleware.csrf.CsrfViewMiddleware` class can be
+    considered an exception, as it provides the
+    :func:`~django.views.decorators.csrf.csrf_exempt` and
+    :func:`~django.views.decorators.csrf.csrf_protect` decorators which allow
+    views to explicitly control at what point the CSRF validation should occur.
+
 .. _template-response-middleware:

 ``process_template_response``