Ticket #11416: 11416-never-cache-admin-views.diff

django/contrib/admin/options.py

@@ -5 +5 @@
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.admin import widgets
 from django.contrib.admin import helpers
-from django.contrib.admin.util import unquote, flatten_fieldsets, get_deleted_objects, model_ngettext, model_format_dict
+from django.contrib.admin.util import unquote, flatten_fieldsets, get_deleted_objects, model_format_dict
 from django.core.exceptions import PermissionDenied
 from django.db import models, transaction
 from django.db.models.fields import BLANK_CHOICE_DASH
@@ -18 +18 @@
 from django.utils.functional import curry
 from django.utils.text import capfirst, get_text_list
 from django.utils.translation import ugettext as _
-from django.utils.translation import ungettext, ugettext_lazy
+from django.utils.translation import ungettext
 from django.utils.encoding import force_unicode
+from django.views.decorators.cache import never_cache
 try:
     set
 except NameError:
@@ -224 +225 @@
         def wrap(view):
             def wrapper(*args, **kwargs):
                 return self.admin_site.admin_view(view)(*args, **kwargs)
-            return update_wrapper(wrapper, view)
+            return never_cache(update_wrapper(wrapper, view))
 
         info = self.admin_site.name, self.model._meta.app_label, self.model._meta.module_name
 

django/contrib/admin/sites.py

@@ -12 +12 @@
 from django.utils.translation import ugettext_lazy, ugettext as _
 from django.views.decorators.cache import never_cache
 from django.conf import settings
-try:
-    set
-except NameError:
-    from sets import Set as set     # Python 2.3 fallback
 
 ERROR_MESSAGE = ugettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.")
 LOGIN_FORM_KEY = 'this_is_the_login_form'
@@ -114 +110 @@
         name = name or action.__name__
         self._actions[name] = action
         self._global_actions[name] = action
-        
+
     def disable_action(self, name):
         """
         Disable a globally-registered action. Raises KeyError for invalid names.
         """
         del self._actions[name]
-        
+
     def get_action(self, name):
         """
         Explicitally get a registered global action wheather it's enabled or
         not. Raises KeyError for invalid names.
         """
         return self._global_actions[name]
-    
+
     def actions(self):
         """
         Get all the enabled actions as an iterable of (name, func).
@@ -182 +178 @@
             if not self.has_permission(request):
                 return self.login(request)
             return view(request, *args, **kwargs)
-        return update_wrapper(inner, view)
+        return never_cache(update_wrapper(inner, view))
 
     def get_urls(self):
         from django.conf.urls.defaults import patterns, url, include

docs/ref/contrib/admin/index.txt

@@ -757 +757 @@
 
 .. note::
 
-    Notice that the custom patterns are included *before* the regular admin
+    Note how we included our custom patterns *before* the regular admin
     URLs: the admin URL patterns are very permissive and will match nearly
     anything, so you'll usually want to prepend your custom URLs to the built-in
     ones.
 
-Note, however, that the ``self.my_view`` function registered above will *not*
-have any permission check done; it'll be accessible to the general public. Since
-this is usually not what you want, Django provides a convience wrapper to check
-permissions. This wrapper is :meth:`AdminSite.admin_view` (i.e.
-``self.admin_site.admin_view`` inside a ``ModelAdmin`` instance); use it like
-so::
+However, the ``self.my_view`` function registered above suffers from two
+problems:
+
+  * It will *not* have any permission check done; it'll be accessible to the
+    general public.
+  * It is not being marked as a non-cacheable and so, if it gets data from the
+    database, it could show outdated information because of content caching being
+    applied when the caching middleware is active.
+
+Since this is usually not what you want, Django provides a convenience wrapper
+to check permissions and mark the view as non-cacheable. This wrapper is
+:meth:`AdminSite.admin_view` (i.e.  ``self.admin_site.admin_view`` inside a
+``ModelAdmin`` instance); use it like so::
 
     class MyModelAdmin(admin.ModelAdmin):
         def get_urls(self):
@@ -781 +788 @@
 
     (r'^my_view/$', self.admin_site.admin_view(self.my_view))
 
-This wrapping will protect ``self.my_view`` from unauthorized access.
+This wrapping will protect ``self.my_view`` from unauthorized access and will
+apply the ``django.views.decorators.cache.never_cache`` decorator to make sure
+it is not cached if the cache middleware is active.
 
 .. method:: ModelAdmin.formfield_for_foreignkey(self, db_field, request, **kwargs)
 
@@ -1331 +1340 @@
 .. versionadded:: 1.1
 
 Just like :class:`ModelAdmin`, :class:`AdminSite` provides a
-:meth:`~django.contrib.admin.ModelAdmin.get_urls()` method
-that can be overridden to define additional views for the site. To add
-a new view to your admin site, extend the base
-:meth:`~django.contrib.admin.ModelAdmin.get_urls()` method to include
-a pattern for your new view.
+:meth:`~django.contrib.admin.ModelAdmin.get_urls()` method that can be
+overridden to define additional views for the site. To add a new view to your
+admin site, extend the base ``get_urls()`` method to include a pattern for your
+new view. And, just like it is also described in the
+:meth:`~django.contrib.admin.ModelAdmin.get_urls()` section, you will want to
+wrap your custom view with the
+:meth:`~django.contrib.admin.AdminSite.admin_view()` :class:`AdminSite` method
+to get access control and never-caching features for it.
 
 .. note::
     Any view you render that uses the admin templates, or extends the base

tests/regressiontests/admin_views/tests.py

@@ -54 +54 @@
         response = self.client.get('/test_admin/%s/admin_views/section/add/' % self.urlbit)
         self.failUnlessEqual(response.status_code, 200)
 
+    def testMaxAgeModelAdminView(self):
+        """
+        Because cache time can be set by middleware, ensure max-age is explicity 0
+        (non-model-specific view)
+        """
+        response = self.client.get('/test_admin/%s/admin_views/' % self.urlbit)
+
+        from django.utils.cache import get_max_age
+        self.failUnlessEqual(get_max_age(response), 0)
+
+    def testMaxAgeModelView(self):
+        """
+        Because cache time can be set by middleware, ensure max-age is explicity 0
+        (model-specific view)
+        """
+        response = self.client.get('/test_admin/%s/admin_views/section/add/' % self.urlbit)
+
+        from django.utils.cache import get_max_age
+        self.failUnlessEqual(get_max_age(response), 0)
+
     def testAddWithGETArgs(self):
         response = self.client.get('/test_admin/%s/admin_views/section/add/' % self.urlbit, {'name': 'My Section'})
         self.failUnlessEqual(response.status_code, 200)