I wrote:

> If you want to implement any of this, I'm not planning on working
> on it for this next week, I'll get in touch when I start in case
> you've made some progress.

I'm now not going to be able to implement this for the 1.1 deadline.  
I could review and commit if someone else implemented it, but 
remember that Jacob also wanted to see the patch complete with docs 
etc. before then, so I'm guessing this will not make 1.1 now.

We would need to also ensure that all apps in contrib use the template 
tag, otherwise we wouldn't be able to make the new method a 
recommendation.  This in turn will require 
TEMPLATE_CONTEXT_PROCESSORS to 
contain 'django.core.context_processors.request' (or some other 
method for the template tag to get hold of session id/cookies).

Finally, most importantly:

I think we really need CSRF protection for the admin by default for 
1.1.  The CSRF middleware in its current state, while not perfect, is 
mature enough to be on by default IMO (as you can now manually add 
exceptions where needed, and AJAX is automatically excluded).  So I'd 
recommend adding it to the default MIDDLEWARE_CLASSES in 
global_settings, or at least the skeleton settings file created 
by 'manage.py startproject'.

Luke

-- 
Noise proves nothing.  Often a hen who has merely laid an egg cackles 
as if she laid an asteroid.
        -- Mark Twain

Luke Plant || http://lukeplant.me.uk/
