On Mar 17, 2010, at 3:35 PM, guillermooo wrote:
> autocomplete() is executed always, regardless of whether the user has
> requested completions or not. The only early exit point of
> autocomplete() is reached if DJANGO_AUTO_COMPLETE is false. Otherwise,
> sys.exit(1) returns to the console. How is th
On wo, 2010-03-17 at 11:10 -0700, Yuchen Zhou wrote:
> So does this ticket mean django now supports httponly cookies? And is
> it by default httponly?
> Or the application administrator has to turn it on?
The discussion on http://code.djangoproject.com/ticket/3304 indicates
that neither python no
Hi,
Thanks for your response!
So does this ticket mean django now supports httponly cookies? And is
it by default httponly?
Or the application administrator has to turn it on?
Best,
On Mar 17, 11:49 am, Tom Evans wrote:
> On Wed, Mar 17, 2010 at 3:42 PM, Yuchen Zhou wrote:
> > Hi,
>
> > I'm a
On Wed, Mar 17, 2010 at 3:42 PM, Yuchen Zhou wrote:
> Hi,
>
> I'm a security researcher at the University of Virginia. I have been
> looking into the use and adoption of http-only cookies. My advisor is
> professor David Evans.
>
> We were surprised to discover that Django does not explicitly suppo
Hi,
I'm a security researcher at the University of Virginia. I have been
looking into the use and adoption of http-only cookies. My advisor is
professor David Evans.
We were surprised to discover that Django does not explicitly support
httponly cookie field. I have searched for some solution but
Thanks James,
I'll focus on this here and see what I can come up with.
Michael
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send
i need to think more about russell's points before responding in full,
but i did want to briefly mention the following:
1. simply shortening the length of sessions doesn't prevent a user
with revoked access from seeing new and potentially sensitive data
created after the user's deactivation. if de
> Internally, the autocompletion is done using the
> ManagementUtility.autocomplete() method, line 264 of
> django/core/management/__init__.py.
I've taken a look at the code, but there are a few details that I don't
understand.
autocomplete() is executed always, regardless of whether the user has
requested
On Wed, Mar 17, 2010 at 3:46 PM, Russell Keith-Magee
wrote:
> On Wed, Mar 17, 2010 at 4:53 AM, Sean Brant wrote:
>> A co-worker of mine noticed this bug today
>> http://code.djangoproject.com/ticket/13125.
>> Should it be marked for 1.2 or punt it until after the release
>> candidate? It looks t
On Wed, Mar 17, 2010 at 8:54 AM, Russell Keith-Magee
wrote:
>
> In the interim, there are two other ways you could limit your exposure
> to this problem (other than the obvious "write your own
> login_required" check):
>
> * Use a permissions check in addition to the login_required check --
> as
On Mar 15, 10:44 am, Yuri Baburov wrote:
> Hello all,
>
> How do you like the following idea:
> startproject command puts a fixture for django.contrib.sites (and
> fixture for superuser probably) to the root folder or whatever, to be
> loaded with syncdb?
> That way also encourage users to get mor
On Wed, Mar 17, 2010 at 6:30 AM, mattd wrote:
> interesting. i'm using the django-provided login form from 1.1,
> waiting for 1.2 to be released before using it.
>
> here's an example of my point: you run an internal tool for staff to
> discuss the topics of the day. a few staff are let go or othe
On Wed, Mar 17, 2010 at 4:53 AM, Sean Brant wrote:
> A co-worker of mine noticed this bug today
> http://code.djangoproject.com/ticket/13125.
> Should it be marked for 1.2 or punt it until after the release
> candidate? It looks to be a bug so it could probably go in at anytime.
> Let me know you
On Thu, Jan 21, 2010 at 1:28 PM, Gerry wrote:
> without using ModelForms? I really like the new Model validation but I
> don't
> like (nor think it's very DRY) to override the save method for all of
> my models
> to just call full_clean(). It would be nice if there was some way I
> could enable
> va
On Wed, Mar 17, 2010 at 1:00 AM, orokusaki wrote:
> Actually I'm not lying. Russell hasn't given me any feedback regarding
> my idea or patch. I didn't simply reopen tickets. Russell changed my
> ticket to a documentation ticket, so I opened a new ticket to discuss
> that which he avoided in his d