Commit 9baf692a authored by Florian Apolloner's avatar Florian Apolloner Committed by Tim Graham
Browse files

Fixed #26601 -- Improved middleware per DEP 0005. 

Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
parent 05c888ff

django/conf/global_settings.py

+5 −3
Original line number Diff line number Diff line
@@ -433,14 +433,16 @@ SECURE_PROXY_SSL_HEADER = None 
# MIDDLEWARE #

##############



# List of middleware classes to use.  Order is important; in the request phase,

# this middleware classes will be applied in the order given, and in the

# response phase the middleware will be applied in reverse order.

# List of middleware to use. Order is important; in the request phase, these

# middleware will be applied in the order given, and in the response

# phase the middleware will be applied in reverse order.

MIDDLEWARE_CLASSES = [

    'django.middleware.common.CommonMiddleware',

    'django.middleware.csrf.CsrfViewMiddleware',

]



MIDDLEWARE = None



############

# SESSIONS #

############

django/conf/project_template/project_name/settings.py-tpl

+1 −1
Original line number Diff line number Diff line
@@ -39,7 +39,7 @@ INSTALLED_APPS = [ 
    'django.contrib.staticfiles',

]



MIDDLEWARE_CLASSES = [

MIDDLEWARE = [

    'django.middleware.security.SecurityMiddleware',

    'django.contrib.sessions.middleware.SessionMiddleware',

    'django.middleware.common.CommonMiddleware',

django/contrib/admin/tests.py

+3 −4
Original line number Diff line number Diff line 
from django.contrib.staticfiles.testing import StaticLiveServerTestCase

from django.test import modify_settings

from django.test.selenium import SeleniumTestCase

from django.utils.deprecation import MiddlewareMixin

from django.utils.translation import ugettext as _





class CSPMiddleware(object):

class CSPMiddleware(MiddlewareMixin):

    """The admin's JavaScript should be compatible with CSP."""

    def process_response(self, request, response):

        response['Content-Security-Policy'] = "default-src 'self'"

        return response





@modify_settings(

    MIDDLEWARE_CLASSES={'append': 'django.contrib.admin.tests.CSPMiddleware'},

)

@modify_settings(MIDDLEWARE={'append': 'django.contrib.admin.tests.CSPMiddleware'})

class AdminSeleniumTestCase(SeleniumTestCase, StaticLiveServerTestCase):



    available_apps = [

django/contrib/admindocs/middleware.py

+7 −3
Original line number Diff line number Diff line 
from django import http

from django.conf import settings

from django.utils.deprecation import MiddlewareMixin





class XViewMiddleware(object):

class XViewMiddleware(MiddlewareMixin):

    """

    Adds an X-View header to internal HEAD requests -- used by the documentation system.

    """
@@ -15,8 +16,11 @@ class XViewMiddleware(object): 
        """

        assert hasattr(request, 'user'), (

            "The XView middleware requires authentication middleware to be "

            "installed. Edit your MIDDLEWARE_CLASSES setting to insert "

            "'django.contrib.auth.middleware.AuthenticationMiddleware'.")

            "installed. Edit your MIDDLEWARE%s setting to insert "

            "'django.contrib.auth.middleware.AuthenticationMiddleware'." % (

                "_CLASSES" if settings.MIDDLEWARE is None else ""

            )

        )

        if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or

                                         (request.user.is_active and request.user.is_staff)):

            response = http.HttpResponse()

django/contrib/auth/middleware.py

+8 −6
Original line number Diff line number Diff line 
from django.conf import settings

from django.contrib import auth

from django.contrib.auth import load_backend

from django.contrib.auth.backends import RemoteUserBackend

from django.core.exceptions import ImproperlyConfigured

from django.utils.deprecation import MiddlewareMixin

from django.utils.functional import SimpleLazyObject
@@ -11,18 +13,18 @@ def get_user(request): 
    return request._cached_user





class AuthenticationMiddleware(object):

class AuthenticationMiddleware(MiddlewareMixin):

    def process_request(self, request):

        assert hasattr(request, 'session'), (

            "The Django authentication middleware requires session middleware "

            "to be installed. Edit your MIDDLEWARE_CLASSES setting to insert "

            "to be installed. Edit your MIDDLEWARE%s setting to insert "

            "'django.contrib.sessions.middleware.SessionMiddleware' before "

            "'django.contrib.auth.middleware.AuthenticationMiddleware'."

        )

        ) % ("_CLASSES" if settings.MIDDLEWARE is None else "")

        request.user = SimpleLazyObject(lambda: get_user(request))





class SessionAuthenticationMiddleware(object):

class SessionAuthenticationMiddleware(MiddlewareMixin):

    """

    Formerly, a middleware for invalidating a user's sessions that don't

    correspond to the user's current session authentication hash. However, it
@@ -35,7 +37,7 @@ class SessionAuthenticationMiddleware(object): 
        pass





class RemoteUserMiddleware(object):

class RemoteUserMiddleware(MiddlewareMixin):

    """

    Middleware for utilizing Web-server-provided authentication.
@@ -61,7 +63,7 @@ class RemoteUserMiddleware(object): 
            raise ImproperlyConfigured(

                "The Django remote user auth middleware requires the"

                " authentication middleware to be installed.  Edit your"

                " MIDDLEWARE_CLASSES setting to insert"

                " MIDDLEWARE setting to insert"

                " 'django.contrib.auth.middleware.AuthenticationMiddleware'"

                " before the RemoteUserMiddleware class.")

        try: