Allow CsrfResponseMiddleware to be used if templates cannot be updated.

For the case where someone is using contrib views with custom templates that they cannot update to use the template tag, it should be possible to use CsrfResponseMiddleware. This requires that 'csrf_response_exempt' is not used for the admin views. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11683 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Allow CsrfResponseMiddleware to be used if templates cannot be updated.
For the case where someone is using contrib views with custom templates that they cannot update to use the template tag, it should be possible to use CsrfResponseMiddleware. This requires that 'csrf_response_exempt' is not used for the admin views. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11683 bcc190cf-cafb-0310-a4f2-bffc1f526a37
5a0aab41 · Luke Plant · 96658ef2 · 5a0aab41 · 5a0aab41
Kaydet (Commit) 5a0aab41 authored Eki 30, 2009 tarafından Luke Plant
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

sites.py django/contrib/admin/sites.py +2 -2

csrf.txt docs/ref/contrib/csrf.txt +3 -1

No files found.
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -3,7 +3,7 @@ from django import http, template
 from django.contrib.admin import ModelAdmin
 from django.contrib.admin import actions
 from django.contrib.auth import authenticate, login
-from django.views.decorators.csrf import csrf_protect, csrf_response_exempt
+from django.views.decorators.csrf import csrf_protect
 from django.db.models.base import ModelBase
 from django.core.exceptions import ImproperlyConfigured
 from django.core.urlresolvers import reverse
@@ -189,7 +189,7 @@ class AdminSite(object):
            inner = never_cache(inner)
        # We add csrf_protect here so this function can be used as a utility
        # function for any view, without having to repeat 'csrf_protect'.
-        inner = csrf_response_exempt(csrf_protect(inner))
+        inner = csrf_protect(inner)
        return update_wrapper(inner, view)

    def get_urls(self):

--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -178,7 +178,9 @@ Note that contrib apps, such as the admin, have been updated to use the
 customised templates to any of the view functions of contrib apps (whether
 explicitly via a keyword argument, or by overriding built-in templates), **you
 MUST update them** to include the ``csrf_token`` template tag as described
-above, or they will stop working.
+above, or they will stop working.  (If you cannot update these templates for
+some reason, you will be forced to use ``CsrfResponseMiddleware`` for these
+views to continue working).

 Assuming you have followed the above, all views in your Django site will now be
 protected by the ``CsrfViewMiddleware``.  Contrib apps meet the requirements