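I wrote:

> If you want to implement any of this, I'm not planning on working
> on it for this next week, I'll get in touch when I start in case
> you've made some progress.

I'm now not going to be able to implement this for the 1.1 deadline. I could review and commit if someone else implemented it, but remember that Jacob also wanted to see the patch complete with docs etc. before then, so I'm guessing this will not make 1.1 now.

We would need to also ensure that all apps in contrib use the template tag, otherwise we wouldn't be able to make the new method a recommendation. This in turn will require TEMPLATE_CONTEXT_PROCESSORS to contain 'django.core.context_processors.request' (or some other method for the template tag to get hold of session id/cookies).

Finally, most importantly: I think we really need CSRF protection for the admin by default for 1.1. The CSRF middleware in its current state, while not perfect, is mature enough to be on by default IMO (as you can now manually add exceptions where needed, and AJAX is automatically excluded). So I'd recommend adding it to the default MIDDLEWARE_CLASSES in global_settings, or at least the skeleton settings file created by 'manage.py startproject'.

Luke

--
Noise proves nothing. Often a hen who has merely laid an egg cackles as if she laid an asteroid. -- Mark Twain

Luke Plant || http://lukeplant.me.uk/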
I'm now not going to be able to implement this for the 1.1 deadline. I could review and commit if someone else implemented it, but remember that Jacob also wanted to see the patch complete with docs etc. before then, so I'm guessing this will not make 1.1 now. We would need to also ensure that all apps in contrib use the template tag, otherwise we wouldn't be able to make the new method a recommendation. This in turn will require TEMPLATE_CONTEXT_PROCESSORS to contain 'django.core.context_processors.request' (or some other method for the template tag to get hold of session id/cookies). Finally, most importantly: I think we really need CSRF protection for the admin by default for 1.1. The CSRF middleware in its current state, while not perfect, is mature enough to be on by default IMO (as you can now manually add exceptions where needed, and AJAX is automatically excluded). So I'd recommend adding it to the default MIDDLEWARE_CLASSES in global_settings, or at least the skeleton settings file created by 'manage.py startproject'. Luke -- Noise proves nothing. Often a hen who has merely laid an egg cackles as if she laid an asteroid. -- Mark Twain Luke Plant || http://lukeplant.me.uk/ --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---