On Sat, Mar 21, 2009 at 2:25 PM, James Bennett <[email protected]>wrote:
> On Sat, Mar 21, 2009 at 11:24 AM, Alex Gaynor <[email protected]> wrote:
> > b) Having the admin be CSRF safe by default doesn't seem like a feature, it
> > feels like a bug, even if its implementation gives everything a new
> > feature. That's just my thoughts though.
>
> Personally I'd much rather have it actually *be* secure (and usable),
> but the current middleware just doesn't really cut it -- the method it
> uses is of such narrow applicability (and potentially can be screwed
> up by various other middlewares) that I don't think this is the right
> way to do it.
>
> I'd rather see the change backed out and Luke's improvements worked on
> to make sure we get something solid before this ends up in a release.
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of
> correct."

I think we're agreeing here. Luke was saying he was concerned about having time to get the improvement in since the feature freeze was coming up; I was saying I don't think that needed to be a concern because fixing a possible security issue isn't a feature, it's a bug.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." --Voltaire
"The people's good is the highest law." --Cicero
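The thread above argues that a CSRF middleware which works by post-processing HTML responses is of narrow applicability and can be broken by other middleware. The following is an added illustration of that point, not code from Django or from anyone in the thread: a minimal token check for state-changing requests, and a response-rewriting step that only succeeds when the body is still uncompressed HTML. The function names, the regex, the `csrfmiddlewaretoken` field name and the sample bodies are constructed for this example.

```python
import hmac
import re
import secrets
from typing import Optional, Tuple

# Constructed example: the two halves of token-based CSRF protection and why
# the "rewrite the HTML afterwards" half is fragile when other middleware
# (compression, non-HTML responses) gets to the body first.

# Hypothetical regex for POST forms; it cannot see forms built by JavaScript
# or forms inside templates rendered client-side, which is part of the
# "narrow applicability" problem.
FORM_RE = re.compile(
    r"(<form\b[^>]*\bmethod\s*=\s*[\"']?post[\"']?[^>]*>)", re.IGNORECASE
)


def new_token() -> str:
    """Fresh unpredictable token to store in the session/cookie and echo in forms."""
    return secrets.token_hex(16)


def inject_token(body: bytes, content_type: str,
                 content_encoding: Optional[str], token: str) -> Tuple[bytes, int]:
    """Insert a hidden csrf field into every POST form of an HTML response.

    Returns (new_body, number_of_forms_patched). Nothing is patched when the
    response is not plain text/html, e.g. when a compression middleware has
    already gzipped it or when the body is JSON/XML, so forms in those
    responses silently lose protection.
    """
    if content_encoding or not content_type.lower().startswith("text/html"):
        return body, 0
    field = '<input type="hidden" name="csrfmiddlewaretoken" value="%s">' % token
    text = body.decode("utf-8")
    patched, count = FORM_RE.subn(lambda m: m.group(1) + field, text)
    return patched.encode("utf-8"), count


def csrf_check(method: str, cookie_token: Optional[str],
               form_token: Optional[str]) -> bool:
    """Allow safe methods; require a matching token for state-changing ones.

    The comparison is constant-time so token bytes do not leak through timing.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def demo() -> dict:
    """Run the constructed scenarios and return what happened in each."""
    token = new_token()
    html = b'<html><form method="post" action="/save"><input name="q"></form></html>'
    ok_body, ok_count = inject_token(html, "text/html; charset=utf-8", None, token)
    # Same page after a gzip middleware ran first: bytes are opaque, nothing patched.
    _, gz_count = inject_token(b"\x1f\x8b\x08garbage", "text/html", "gzip", token)
    # JSON API response: rewriting does not apply at all.
    _, json_count = inject_token(b'{"ok": true}', "application/json", None, token)
    return {
        "html_patched": ok_count,
        "html_has_field": b"csrfmiddlewaretoken" in ok_body,
        "gzip_patched": gz_count,
        "json_patched": json_count,
        "post_with_token": csrf_check("POST", token, token),
        "post_wrong_token": csrf_check("POST", token, "0" * 32),
        "post_missing_token": csrf_check("POST", token, None),
        "get_without_token": csrf_check("GET", None, None),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check half (`csrf_check`) is what actually enforces anything; the injection half only decides whether forms end up carrying the token at all, and the `demo()` results show it silently doing nothing once a compression middleware or a non-HTML content type is in the way, which is the failure mode the thread describes.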
