mirror of https://github.com/django/django.git synced 2025-10-26 15:16:09 +00:00

Fixed #12130 - documented need for csrf_protect on views that don't accept POST

Includes:
   
 * proper documentation for csrf_protect
 * notes in comments app.
 * specific upgrade notes for comments app

Thanks to carljm for report and debugging.




git-svn-id: http://code.djangoproject.com/svn/django/trunk@11711 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Luke Plant
2009-11-03 14:40:37 +00:00
parent 585b7acaa3
commit 53b2c3867b
3 changed files with 43 additions and 3 deletions

@@ -39,6 +39,11 @@ CSRF_FAILRE_TEMPLATE = """
<li>In the template, there is a <code>{% templatetag openblock %} csrf_token
{% templatetag closeblock %}</code> template tag inside each POST form that
targets an internal URL.</li>
<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
<code>csrf_protect</code> on any views that use the <code>csrf_token</code>
template tag, as well as those that accept the POST data.</li>
</ul>
<p>You're seeing the help section of this page because you have <code>DEBUG =
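Review bot: The list item beginning "If you are not using CsrfViewMiddleware" says what to do but not why a view that only renders the csrf_token tag needs csrf_protect. This help text is what a developer reads straight after a failed CSRF check, so a short clause giving the reason, or a pointer to the csrf_protect documentation this commit adds, would make it actionable. The closing phrase "as well as those that accept the POST data" would read more clearly as "and on the views that accept the POST data". Separately, the hunk header shows the constant spelled CSRF_FAILRE_TEMPLATE; if that spelling is not intentional, a follow-up rename to CSRF_FAILURE_TEMPLATE is worth considering.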