mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-03 10:34:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed #21446 -- Allowed not performing redirect in set_language view

Browse source 
Thanks Claude Paroz and Tim Graham for polishing the patch.
This commit is contained in:
Krzysztof Jurewicz 2016-03-28 19:23:04 +02:00 committed by Claude Paroz
parent 12ba20d83c
commit 940b7fd5cb
4 changed files with 105 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

7
docs/releases/1.10.txt
View file

@ -267,6 +267,10 @@ Internationalization
:func:`~django.conf.urls.i18n.i18n_patterns` to ``False``, you can allow
accessing the default language without a URL prefix.
* :func:`~django.views.i18n.set_language` now returns a 204 status code (No
Content) for AJAX requests when there is no ``next`` parameter in ``POST`` or
``GET``.
Management Commands
~~~~~~~~~~~~~~~~~~~
@ -695,6 +699,9 @@ Miscellaneous
:meth:`~django.test.Client.login()` method no longer always rejects inactive
users but instead delegates this decision to the authentication backend.
* :func:`django.views.i18n.set_language` may now return a 204 status code for
AJAX requests.
.. _deprecated-features-1.10:
Features deprecated in 1.10

21
docs/topics/i18n/translation.txt
View file

@ -1788,14 +1788,21 @@ saves the language choice in the user's session. Otherwise, it saves the
language choice in a cookie that is by default named ``django_language``.
(The name can be changed through the :setting:`LANGUAGE_COOKIE_NAME` setting.)
After setting the language choice, Django redirects the user, following this
algorithm:
After setting the language choice, Django looks for a ``next`` parameter in the
``POST`` or ``GET`` data. If that is found and Django considers it to be a safe
URL (i.e. it doesn't point to a different host and uses a safe scheme), a
redirect to that URL will be performed. Otherwise, Django may fall back to
redirecting the user to the URL from the ``Referer`` header or, if it is not
set, to ``/``, depending on the nature of the request:
* Django looks for a ``next`` parameter in the ``POST`` data.
* If that doesn't exist, or is empty, Django tries the URL in the
``Referrer`` header.
* If that's empty -- say, if a user's browser suppresses that header --
then the user will be redirected to ``/`` (the site root) as a fallback.
* For AJAX requests, the fallback will be performed only if the ``next``
parameter was set. Otherwise a 204 status code (No Content) will be returned.
* For non-AJAX requests, the fallback will always be performed.
.. versionchanged:: 1.10
Returning a 204 status code for AJAX requests when no redirect is specified
is new.
Here's example HTML template code: