Hi Bruno,
On 03/14/2011 06:33 PM, Bruno Renié wrote:
> Although Django 1.3 is not released yet I'd like to take advantage of
> the pycon sprints to discuss a proposal for 1.4: render form widgets
> using Django templates instead of python code.
>
> This approach is implemented in django-floppyfor
Hi Alex,
On 03/14/2011 08:49 PM, Alexander Schepanovski wrote:
> Personally, I would like all querysets to mutate, not clone, by default.
> And when one needs a clone, just make it explicit.
This is not an option. It will break quite a lot of existing code, and
often in highly confusing ways. You'll n
Luke - I suggest taking a look at the patch, as it works exactly as
you describe (i.e. CSRF-like).
Only thing that's not in there is having the middleware in the project
template but commented out. I can add that in too.
--
You received this message because you are subscribed to the Google Group
http://code.djangoproject.com/ticket/15610
I just stumbled upon this unusual and problematic behavior, and
thought that it might be worth a discussion. Details are in the
ticket.
Regards,
Ed Gutierrez
Good evening (or whatever it is in everyone's timezone).
I'm an undergrad computer science student at the Faculty of
Mathematics, Physics and Informatics, Comenius University,
Bratislava, Slovakia and I'm willing to participate in this year's
GSoC. I'm interested in fixing the six-year-old open t
I was optimizing my django app and ran into this. My app was spending
too much time cloning querysets. I looked into code but didn't find
any simple way to make it faster. But this is not needed actually. In
most use cases "a parent" of a clone is thrown out. So usually one
just needs to mutate quer
Hi django devs,
Although Django 1.3 is not released yet I'd like to take advantage of
the pycon sprints to discuss a proposal for 1.4: render form widgets
using Django templates instead of python code.
This approach is implemented in django-floppyforms [0] (I'm the
author): each widget gets a tem
On Fri, Mar 11, 2011 at 1:14 PM, Simon Litchfield wrote:
> Who votes we should come up with a django-blessed 'official' default project
> layout / directory structure?
Sure -- no disagreement that it would be good to have some common
ground with regards to project layout. All we need now is to a
On 14/03/11 20:38, Paul McMillan wrote:
However, I also agree with Ryan N that this should be off by default.
If it must be on, it should use SAMEORIGIN (as the patch currently
provides) to avoid breaking existing sites.
I would suggest putting the middleware in the project template, but
leav
On Mon, 2011-03-14 at 15:57 +, Tom Evans wrote:
> This is one of my bug-bears with the current authentication system -
> it has no concept of role. The current action when an identified user
> visits the admin site is to display a login form, which is totally
> wrong in my opinion. The user ha
I agree that Django should include this functionality in core. The
header is a very useful way to discourage click-jacking in modern
browsers.
However, I also agree with Ryan N that this should be off by default.
If it must be on, it should use SAMEORIGIN (as the patch currently
provides) to avoid
Hi Vana --
This sort of thing is utterly unacceptable here. This is a technical
group dedicated to discussions of Django itself, not end-user stuff
and certainly not personal promotion. What you posted is really almost
spam, and if you've spent any time around technical folk at all you'll
know how
Check out django-startproject from lincolnloop.com
https://github.com/lincolnloop/django-startproject
Kill off all the server configs (though some of it might be cool, like
Fabric integration), and I think it'd make for a pretty good base to
work from if this were to go into core.
On Mar 13, 9:1
On Mar 12, 2011, at 12:56 PM, Jacob Kaplan-Moss wrote:
> Christophe, can you write a patch including a new warning to put in the docs?
All set: http://code.djangoproject.com/ticket/14733
--
-- Christophe Pettus
x...@thebuild.com
CEO of Bixly, Adam Temple, has learned something you probably already
know – it’s puzzling to find a company that has both high quality and
economic. Finding just one of those qualities in a company isn’t very
difficult. A group that is both? This is essentially where Bixly is
positioned. Paying fo
>
> Which might be a valid concern if your public-facing login interface
> highly protected, but your admin interface is not (for example,
> because it's only available on your protected intranet). Sure, it's
> the edgiest of edge cases and if you care enough, you should have
> applied the same sec
OTOH, I don't see a valid usage scenario not involving an admin who
has 2 accounts in the system and forgot which one was the proper one.
PS. If you're really concerned about messages from admin you should be
really outraged by _("Your e-mail address is not your username. Try
'%s' instead.")
On 14 March 2011 17:14, Rohit Sethi wrote:
> To re-iterate, you would get this message iff you have the correct
> credentials for an end user who is not an admin user. You seem to be
> referring to Response Information Discrepancy Information Exposure
> (http://cwe.mitre.org/data/definitions/204.h
To re-iterate, you would get this message iff you have the correct
credentials for an end user who is not an admin user. You seem to be
referring to Response Information Discrepancy Information Exposure
(http://cwe.mitre.org/data/definitions/204.html) which is generally
about differentiating betwee
2011/3/14 Juan Pablo Martínez :
> I don't think so.
> If I don't know the username and password I
> can also try username and password and wait for the system
> to send another different error message. Then I get valid credentials.
This is one of my bug-bears with the current authentication system -
I don't think so.
If I don't know the username and password I
can also try username and password and wait for the system
to send another different error message. Then I get valid credentials.
2011/3/14 artemy tregubenko
> is visible only
Again: this change does not compromise security, because its effect is
visible only *after* security is compromised: when an attacker has a valid
username and password for the site.
I understand that the "correct" message is another, but I do not see
why it has to amend the current when the chan
I understand that the "correct" message is another, but I do not see
why it has to amend the current when the change is more vulnerable end
up leaving the system.
To me what should be discussed now is not whether to put the correct
message or not (because that is "correct"), you should discuss
whe
Before adding a new ticket I just wanted to discuss this issue:
when using template caching it's sometimes useful to have a variable for the
"fragment name".
e.g., I want to prefix all caching variables with "myapp_userid", because I
need to delete all user-related caching variables at some po