Security system checks do not ignore MIDDLEWARE_CLASSES when MIDDLEWARE is defined
|Core (System checks)
|Patch needs improvement:
1_10.W001 says "Since you've set MIDDLEWARE, the value of MIDDLEWARE_CLASSES is ignored"
But security system checks for session and csrf middleware check for
MIDDLEWARE_CLASSES first and only if that fails do they check for
MIDDLEWARE, contrary to what the compatibility system checks say.
The issue is compounded by the fact that
MIDDLEWARE_CLASSES to contain two middlewares (one of which is csrf). So to disable csrf, one not only has to define
MIDDLEWARE without including the csrf middleware in it, one also has to override and set
MIDDLEWARE_CLASSES = . At which point, the compatibility system check
1_10.W001 fires up.