On Sat, Mar 21, 2009 at 12:20 PM, Luke Plant <[email protected]> wrote:
> Hi Adrian,
>
> On Saturday 21 March 2009 01:47:08 Adrian Holovaty wrote:
>
> > I've been traveling since Tuesday, and, shall we say, I'm not that
> > excited about this being in the default middleware. In fact, I'm +1
> > for reverting this change and might even want to exercise the
> > benevolent dictator veto on it, frankly.
> >
> > My reasoning: it's more overhead for every request, and it's a
> > clunky implementation. I mean, parsing the HTML of every page with
> > a regex? Come on.
> >
> > We ought to be making Django *faster*, not adding little pieces to
> > it, bit by bit, until it gets bloated.
> >
> > And to raise a bit of bureaucracy in the process: there's something
> > particularly Big And Important about changing anything in the
> > global settings file -- whether it's adding a new setting, or
> > changing a setting as fundamental as MIDDLEWARE_CLASSES -- so in
> > the future I would ask that any such changes be given more
> > discussion (and signoffs by committers) before a quick commit. In
> > fact, it should be entirely opt-in, not opt-out. "Please let me
> > know by Thursday evening (GMT) if there are objections" is not
> > acceptable, IMO.
>
> My apologies. I thought that most people were already using this
> middleware, and given that this is a security bug (#510) which you
> closed nearly three years ago solely on the basis of this middleware
> being used, I didn't realise changing this default was so contentious.
> But I certainly should have approached getting support for the
> proposal differently. I'm happy to revert it myself, I'm in no way
> emotionally attached to it!
>
> On the other hand, I think I could give most of Monday to implementing
> the template tag and fixing up the admin app to use it, eliminating
> the need for the (more) contentious part of this commit. That's past
> the deadline for the beta, though (the reason for my hasty commit in
> the first place), and it would still need review from other people
> before it goes in.
>
> Regards,
>
> Luke
>
> --
> OSBORN'S LAW
> Variables won't, constants aren't.
>
> Luke Plant || http://lukeplant.me.uk/

a) The beta was pushed back to Monday at noonish.
b) Having the admin be CSRF safe by default doesn't seem like a feature, it feels like a bug, even if its implementation gives everything a new feature.

That's just my thoughts though.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." --Voltaire
"The people's good is the highest law."--Cicero
