Ticket #15637: add-require-safe-http-decorator.2.patch

File add-require-safe-http-decorator.2.patch, 4.7 KB (added by Aymeric Augustin, 14 years ago)
  • docs/topics/http/decorators.txt

     
    1010Allowed HTTP methods
    1111====================
    1212
    13 The following decorators in :mod:`django.views.decorators.http` can be used to
    14 restrict access to views based on the request method.
     13The decorators in :mod:`django.views.decorators.http` can be used to restrict
     14access to views based on the request method.
    1515
    1616.. function:: require_http_methods(request_method_list)
    1717
     
    2828
    2929Note that request methods should be in uppercase.
    3030
     31Furthermore, the following decorators provide shortcuts for the most common
     32use cases.
     33
     34.. function:: require_safe()
     35
     36This decorator requires that a view only accept the GET and HEAD methods. These
     37methods are called "safe" because they should not have any side effects besides
     38retrieving the requested resource.
     39
     40.. note::
     41    Django will automatically strip the content of responses to HEAD requests
     42    while leaving the headers unchanged, so you can handle HEAD requests
     43    exactly like GET requests in your views. Since some software, such as link
     44    checkers, relies on HEAD requests, you should generally use
     45    ``require_safe`` instead of ``require_GET``.
     46
     47.. versionadded:: 1.4
     48    The ``require_safe`` decorator was added.
     49
    3150.. function:: require_GET()
    3251
    3352Decorator to require that a view only accept the GET method.
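Review bot: In the new `require_safe` entry (new lines 36-38), the text says GET and HEAD "should not have any side effects", but the decorator only checks the request method, as its definition `require_http_methods(["GET", "HEAD"])` in http.py shows. Suggest adding a sentence that keeping the view free of side effects remains the view author's responsibility, and stating that any other method receives an `HttpResponseNotAllowed`, which is what the new test asserts. The entry also opens with "This decorator requires that a view only accept" while the neighbouring `require_GET` entry uses "Decorator to require that a view only accept"; matching the existing wording would keep the section consistent.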
  • django/views/decorators/http.py

     
    5252require_POST = require_http_methods(["POST"])
    5353require_POST.__doc__ = "Decorator to require that a view only accept the POST method."
    5454
     55require_safe = require_http_methods(["GET", "HEAD"])
     56require_safe.__doc__ = "Decorator to require that a view only accept safe methods: GET and HEAD."
     57
    5558def condition(etag_func=None, last_modified_func=None):
    5659    """
    5760    Decorator to support conditional retrieval (or change) for a view
  • tests/regressiontests/decorators/tests.py

     
    66
    77from django.contrib.auth.decorators import login_required, permission_required, user_passes_test
    88from django.contrib.admin.views.decorators import staff_member_required
    9 from django.http import HttpResponse, HttpRequest
     9from django.http import HttpResponse, HttpRequest, HttpResponseNotAllowed
    1010from django.utils.decorators import method_decorator
    1111from django.utils.functional import allow_lazy, lazy, memoize
    1212from django.utils.unittest import TestCase
    13 from django.views.decorators.http import require_http_methods, require_GET, require_POST
     13from django.views.decorators.http import require_http_methods, require_GET, require_POST, require_safe
    1414from django.views.decorators.vary import vary_on_headers, vary_on_cookie
    1515from django.views.decorators.cache import cache_page, never_cache, cache_control
    1616
     
    2424fully_decorated = require_http_methods(["GET"])(fully_decorated)
    2525fully_decorated = require_GET(fully_decorated)
    2626fully_decorated = require_POST(fully_decorated)
     27fully_decorated = require_safe(fully_decorated)
    2728
    2829# django.views.decorators.vary
    2930fully_decorated = vary_on_headers('Accept-language')(fully_decorated)
     
    115116        my_view_cached4 = cache_page()(my_view)
    116117        self.assertEqual(my_view_cached4(HttpRequest()), "response")
    117118
     119    def test_require_safe_accepts_only_safe_methods(self):
     120        """
     121        Test for the require_safe decorator
     122       
     123        A view returns either a response or an exception.
     124        """
     125        def my_view(request):
     126            return HttpResponse("OK")
     127        my_safe_view = require_safe(my_view)
     128        request = HttpRequest()
     129        request.method = 'GET'
     130        self.assertTrue(isinstance(my_safe_view(request), HttpResponse))
     131        request.method = 'HEAD'
     132        self.assertTrue(isinstance(my_safe_view(request), HttpResponse))
     133        request.method = 'POST'
     134        self.assertTrue(isinstance(my_safe_view(request), HttpResponseNotAllowed))
     135        request.method = 'PUT'
     136        self.assertTrue(isinstance(my_safe_view(request), HttpResponseNotAllowed))
     137        request.method = 'DELETE'
     138        self.assertTrue(isinstance(my_safe_view(request), HttpResponseNotAllowed))
    118139
     140
    119141# For testing method_decorator, a decorator that assumes a single argument.
    120142# We will get type arguments if there is a mismatch in the number of arguments.
    121143def simple_dec(func):
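Review bot: The docstring of `test_require_safe_accepts_only_safe_methods` (new lines 120-124) says "A view returns either a response or an exception", but the rejected cases assert that an `HttpResponseNotAllowed` is returned, not that an exception is raised. Suggest rewording it to describe the returned response and dropping the whitespace-only line 122. The `assertTrue(isinstance(...))` checks also report only "False is not true" on failure; since the module already imports `TestCase` from `django.utils.unittest`, `assertIsInstance` would show the actual type. Because one `request` object is mutated across all five cases, a short comment or a loop over the method names would make it clearer which method a failing assertion belongs to.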