mirror of
				https://github.com/django/django.git
				synced 2025-10-26 15:16:09 +00:00 
			
		
		
		
	Removed gender-based pronouns per [c0a2daad78].
				
					
				
			This commit is contained in:
		| @@ -133,7 +133,7 @@ class AuthenticationFormTest(TestCase): | |||||||
|                              [force_text(form.error_messages['inactive'])]) |                              [force_text(form.error_messages['inactive'])]) | ||||||
|  |  | ||||||
|     def test_custom_login_allowed_policy(self): |     def test_custom_login_allowed_policy(self): | ||||||
|         # The user is inactive, but our custom form policy allows him to log in. |         # The user is inactive, but our custom form policy allows them to log in. | ||||||
|         data = { |         data = { | ||||||
|             'username': 'inactive', |             'username': 'inactive', | ||||||
|             'password': 'password', |             'password': 'password', | ||||||
|   | |||||||
| @@ -20,8 +20,8 @@ purchase an item. A user has chosen to stay logged into the store all the time | |||||||
| for convenience. An attacker site might create an "I Like Ponies" button on one | for convenience. An attacker site might create an "I Like Ponies" button on one | ||||||
| of their own pages, and load the store's page in a transparent iframe such that | of their own pages, and load the store's page in a transparent iframe such that | ||||||
| the "Buy Now" button is invisibly overlaid on the "I Like Ponies" button. If the | the "Buy Now" button is invisibly overlaid on the "I Like Ponies" button. If the | ||||||
| user visits the attacker site and clicks "I Like Ponies" he or she will inadvertently | user visits the attacker's site, clicking "I Like Ponies" will cause an | ||||||
| click on the online store's "Buy Now" button and unknowingly purchase the item. | inadvertent click on the "Buy Now" button and an unknowing purchase of the item. | ||||||
|  |  | ||||||
| .. _clickjacking-prevention: | .. _clickjacking-prevention: | ||||||
|  |  | ||||||
|   | |||||||
| @@ -172,7 +172,7 @@ Getting the current domain for display | |||||||
|  |  | ||||||
| LJWorld.com and Lawrence.com both have email alert functionality, which lets | LJWorld.com and Lawrence.com both have email alert functionality, which lets | ||||||
| readers sign up to get notifications when news happens. It's pretty basic: A | readers sign up to get notifications when news happens. It's pretty basic: A | ||||||
| reader signs up on a Web form, and he or she immediately gets an email saying, | reader signs up on a Web form and immediately gets an email saying, | ||||||
| "Thanks for your subscription." | "Thanks for your subscription." | ||||||
|  |  | ||||||
| It'd be inefficient and redundant to implement this signup-processing code | It'd be inefficient and redundant to implement this signup-processing code | ||||||
|   | |||||||
| @@ -2468,7 +2468,7 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE | |||||||
|  |  | ||||||
| Default: ``False`` | Default: ``False`` | ||||||
|  |  | ||||||
| Whether to expire the session when the user closes his or her browser. See | Whether to expire the session when the user closes their browser. See | ||||||
| :ref:`browser-length-vs-persistent-sessions`. | :ref:`browser-length-vs-persistent-sessions`. | ||||||
|  |  | ||||||
| .. setting:: SESSION_FILE_PATH | .. setting:: SESSION_FILE_PATH | ||||||
|   | |||||||
| @@ -73,8 +73,7 @@ The Django admin has long had an undocumented "feature" allowing savvy | |||||||
| users to manipulate the query string of changelist pages to filter the | users to manipulate the query string of changelist pages to filter the | ||||||
| list of objects displayed. However, this also creates a security | list of objects displayed. However, this also creates a security | ||||||
| issue, as a staff user with sufficient knowledge of model structure | issue, as a staff user with sufficient knowledge of model structure | ||||||
| could use this "feature" to gain access to information he or she would | could use this "feature" to gain access to information not normally accessible. | ||||||
| not normally have. |  | ||||||
|  |  | ||||||
| As a result, changelist filtering now explicitly validates all lookup | As a result, changelist filtering now explicitly validates all lookup | ||||||
| arguments in the query string, and permits only fields which are | arguments in the query string, and permits only fields which are | ||||||
|   | |||||||
| @@ -19,7 +19,7 @@ The security checks for these redirects (namely | |||||||
| ``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` | ``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` | ||||||
| and as such allowed ``javascript:...`` URLs to be entered. If a developer | and as such allowed ``javascript:...`` URLs to be entered. If a developer | ||||||
| relied on ``is_safe_url()`` to provide safe redirect targets and put such a | relied on ``is_safe_url()`` to provide safe redirect targets and put such a | ||||||
| URL into a link, he or she could suffer from a XSS attack. This bug doesn't affect | URL into a link, they could suffer from a XSS attack. This bug doesn't affect | ||||||
| Django currently, since we only put this URL into the ``Location`` response | Django currently, since we only put this URL into the ``Location`` response | ||||||
| header and browsers seem to ignore JavaScript there. | header and browsers seem to ignore JavaScript there. | ||||||
|  |  | ||||||
|   | |||||||
| @@ -811,7 +811,7 @@ instance: | |||||||
|  |  | ||||||
|   * Consequences: The user will see an error about the form having expired |   * Consequences: The user will see an error about the form having expired | ||||||
|     and will be sent back to the first page of the wizard, losing the data |     and will be sent back to the first page of the wizard, losing the data | ||||||
|     he or she has entered so far. |     entered so far. | ||||||
|  |  | ||||||
|   * Time period: The amount of time you expect users to take filling out the |   * Time period: The amount of time you expect users to take filling out the | ||||||
|     affected forms. |     affected forms. | ||||||
|   | |||||||
| @@ -16,7 +16,7 @@ The security checks for these redirects (namely | |||||||
| ``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` | ``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` | ||||||
| and as such allowed ``javascript:...`` URLs to be entered. If a developer | and as such allowed ``javascript:...`` URLs to be entered. If a developer | ||||||
| relied on ``is_safe_url()`` to provide safe redirect targets and put such a | relied on ``is_safe_url()`` to provide safe redirect targets and put such a | ||||||
| URL into a link, he or she could suffer from a XSS attack. This bug doesn't affect | URL into a link, they could suffer from a XSS attack. This bug doesn't affect | ||||||
| Django currently, since we only put this URL into the ``Location`` response | Django currently, since we only put this URL into the ``Location`` response | ||||||
| header and browsers seem to ignore JavaScript there. | header and browsers seem to ignore JavaScript there. | ||||||
|  |  | ||||||
|   | |||||||
| @@ -1123,10 +1123,10 @@ Controlling cache: Using other headers | |||||||
| Other problems with caching are the privacy of data and the question of where | Other problems with caching are the privacy of data and the question of where | ||||||
| data should be stored in a cascade of caches. | data should be stored in a cascade of caches. | ||||||
|  |  | ||||||
| A user usually faces two kinds of caches: his or her own browser cache (a | A user usually faces two kinds of caches: their own browser cache (a private | ||||||
| private cache) and his or her provider's cache (a public cache). A public cache | cache) and their provider's cache (a public cache). A public cache is used by | ||||||
| is used by multiple users and controlled by someone else. This poses problems | multiple users and controlled by someone else. This poses problems with | ||||||
| with sensitive data--you don't want, say, your bank account number stored in a | sensitive data--you don't want, say, your bank account number stored in a | ||||||
| public cache. So Web applications need a way to tell caches which data is | public cache. So Web applications need a way to tell caches which data is | ||||||
| private and which is public. | private and which is public. | ||||||
|  |  | ||||||
|   | |||||||
| @@ -241,7 +241,7 @@ such alias were specified, it would be the rather long ``'book__pubdate__min'``. | |||||||
|  |  | ||||||
| This doesn't apply just to foreign keys. It also works with many-to-many | This doesn't apply just to foreign keys. It also works with many-to-many | ||||||
| relations. For example, we can ask for every author, annotated with the total | relations. For example, we can ask for every author, annotated with the total | ||||||
| number of pages considering all the books he/she has (co-)authored (note how we | number of pages considering all the books the author has (co-)authored (note how we | ||||||
| use ``'book'`` to specify the ``Author`` -> ``Book`` reverse many-to-many hop):: | use ``'book'`` to specify the ``Author`` -> ``Book`` reverse many-to-many hop):: | ||||||
|  |  | ||||||
|     >>> Author.objects.annotate(total_pages=Sum('book__pages')) |     >>> Author.objects.annotate(total_pages=Sum('book__pages')) | ||||||
|   | |||||||
| @@ -166,7 +166,7 @@ and the :setting:`SECRET_KEY` setting. | |||||||
|     cookie backend might open you up to `replay attacks`_. Unlike other session |     cookie backend might open you up to `replay attacks`_. Unlike other session | ||||||
|     backends which keep a server-side record of each session and invalidate it |     backends which keep a server-side record of each session and invalidate it | ||||||
|     when a user logs out, cookie-based sessions are not invalidated when a user |     when a user logs out, cookie-based sessions are not invalidated when a user | ||||||
|     logs out. Thus if an attacker steals a user's cookie, he or she can use that |     logs out. Thus if an attacker steals a user's cookie, they can use that | ||||||
|     cookie to login as that user even if the user logs out. Cookies will only |     cookie to login as that user even if the user logs out. Cookies will only | ||||||
|     be detected as 'stale' if they are older than your |     be detected as 'stale' if they are older than your | ||||||
|     :setting:`SESSION_COOKIE_AGE`. |     :setting:`SESSION_COOKIE_AGE`. | ||||||
| @@ -590,8 +590,8 @@ log in every time they open a browser. | |||||||
|  |  | ||||||
| If :setting:`SESSION_EXPIRE_AT_BROWSER_CLOSE` is set to ``True``, Django will | If :setting:`SESSION_EXPIRE_AT_BROWSER_CLOSE` is set to ``True``, Django will | ||||||
| use browser-length cookies -- cookies that expire as soon as the user closes | use browser-length cookies -- cookies that expire as soon as the user closes | ||||||
| his or her browser. Use this if you want people to have to log in every time | their browser. Use this if you want people to have to log in every time they | ||||||
| they open a browser. | open a browser. | ||||||
|  |  | ||||||
| This setting is a global default and can be overwritten at a per-session level | This setting is a global default and can be overwritten at a per-session level | ||||||
| by explicitly calling the :meth:`~backends.base.SessionBase.set_expiry` method | by explicitly calling the :meth:`~backends.base.SessionBase.set_expiry` method | ||||||
|   | |||||||
| @@ -1579,8 +1579,8 @@ If all you want is to run Django with your native language all you need to do | |||||||
| is set :setting:`LANGUAGE_CODE` and make sure the corresponding :term:`message | is set :setting:`LANGUAGE_CODE` and make sure the corresponding :term:`message | ||||||
| files <message file>` and their compiled versions (``.mo``) exist. | files <message file>` and their compiled versions (``.mo``) exist. | ||||||
|  |  | ||||||
| If you want to let each individual user specify which language he or she | If you want to let each individual user specify which language they | ||||||
| prefers, then you also need to use use the ``LocaleMiddleware``. | prefer, then you also need to use use the ``LocaleMiddleware``. | ||||||
| ``LocaleMiddleware`` enables language selection based on data from the request. | ``LocaleMiddleware`` enables language selection based on data from the request. | ||||||
| It customizes content for each user. | It customizes content for each user. | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user