From 89ea98ca5666c0d42b3ab77fcc48f9636dde88f1 Mon Sep 17 00:00:00 2001
From: Luke Plant <L.Plant.98@cantab.net>
Date: Wed, 29 Sep 2010 16:35:34 +0000
Subject: [PATCH] Fixed #14182 - documented how to modify upload handlers when
 using CsrfViewMiddleware

Thanks to dc for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13960 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 docs/topics/http/file-uploads.txt | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/topics/http/file-uploads.txt b/docs/topics/http/file-uploads.txt
index 6b0a4d5722..c505cac7ee 100644
--- a/docs/topics/http/file-uploads.txt
+++ b/docs/topics/http/file-uploads.txt
@@ -270,6 +270,30 @@ list::
     Thus, you should always modify uploading handlers as early in your view as
     possible.
 
+    Also, ``request.POST`` is accessed by
+    :class:`~django.middleware.csrf.CsrfViewMiddleware` which is enabled by
+    default. This means you will probably need to use
+    :func:`~django.views.decorators.csrf.csrf_exempt` on your view to allow you
+    to change the upload handlers. Assuming you do need CSRF protection, you
+    will then need to use :func:`~django.views.decorators.csrf.csrf_protect` on
+    the function that actually processes the request.  Note that this means that
+    the handlers may start receiving the file upload before the CSRF checks have
+    been done. Example code:
+
+    .. code-block:: python
+
+        from django.views.decorators.csrf import csrf_exempt, csrf_protect
+
+        @csrf_exempt
+        def upload_file_view(request):
+            request.upload_handlers.insert(0, ProgressBarUploadHandler())
+            return _upload_file_view(request)
+
+        @csrf_protect
+        def _upload_file_view(request):
+            ... # Process request
+
+
 Writing custom upload handlers
 ------------------------------