Moved CSRF docs out of contrib.

docs/ref/contrib/index.txt

@@ -25,7 +25,6 @@ those packages have.
    admin/index
    auth
    contenttypes
-   csrf
    flatpages
    formtools/index
    gis/index
@@ -63,13 +62,6 @@ Django model is a separate content type.
 
 See the :doc:`contenttypes documentation </ref/contrib/contenttypes>`.
 
-csrf
-====
-
-A middleware for preventing Cross Site Request Forgeries
-
-See the :doc:`csrf documentation </ref/contrib/csrf>`.
-
 flatpages
 =========
 

docs/ref/csrf.txt

@@ -26,15 +26,14 @@ below.
 How to use it
 =============
 
-To enable CSRF protection for your views, follow these steps:
+To take advantage of CSRF protection in your views, follow these steps:
 
-1. Add the middleware
-   ``'django.middleware.csrf.CsrfViewMiddleware'`` to your list of
-   middleware classes, :setting:`MIDDLEWARE_CLASSES`.  (It should come
-   before any view middleware that assume that CSRF attacks have
-   been dealt with.)
+1. The CSRF middleware is activated by default in the
+   :setting:`MIDDLEWARE_CLASSES` setting. If you override that setting, remember
+   that ``'django.middleware.csrf.CsrfViewMiddleware'`` should come before any
+   view middleware that assume that CSRF attacks have been dealt with.
 
-   Alternatively, you can use the decorator
+   If you disabled it, which is not recommended, you can use
    :func:`~django.views.decorators.csrf.csrf_protect` on particular views
    you want to protect (see below).
 

docs/ref/index.txt

@@ -10,6 +10,7 @@ API Reference
    class-based-views/index
    clickjacking
    contrib/index
+   csrf
    databases
    django-admin
    exceptions

docs/ref/middleware.txt

@@ -388,7 +388,7 @@ CSRF protection middleware
 
 Adds protection against Cross Site Request Forgeries by adding hidden form
 fields to POST forms and checking requests for the correct value. See the
-:doc:`Cross Site Request Forgery protection documentation </ref/contrib/csrf>`.
+:doc:`Cross Site Request Forgery protection documentation </ref/csrf>`.
 
 X-Frame-Options middleware
 --------------------------

docs/ref/settings.txt

@@ -374,7 +374,7 @@ CSRF_COOKIE_NAME
 Default: ``'csrftoken'``
 
 The name of the cookie to use for the CSRF authentication token. This can be whatever you
-want.  See :doc:`/ref/contrib/csrf`.
+want.  See :doc:`/ref/csrf`.
 
 .. setting:: CSRF_COOKIE_PATH
 
@@ -415,7 +415,7 @@ is rejected by the CSRF protection.  The function should have this signature::
 
 where ``reason`` is a short message (intended for developers or logging, not for
 end users) indicating the reason the request was rejected.  See
-:doc:`/ref/contrib/csrf`.
+:doc:`/ref/csrf`.
 
 .. setting:: DATABASES
 

docs/ref/templates/api.txt

@@ -576,7 +576,7 @@ django.core.context_processors.csrf
 
 This processor adds a token that is needed by the :ttag:`csrf_token` template
 tag for protection against :doc:`Cross Site Request Forgeries
-</ref/contrib/csrf>`.
+</ref/csrf>`.
 
 django.core.context_processors.request
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

docs/ref/templates/builtins.txt

@@ -70,7 +70,7 @@ csrf_token
 ^^^^^^^^^^
 
 This tag is used for CSRF protection, as described in the documentation for
-:doc:`Cross Site Request Forgeries </ref/contrib/csrf>`.
+:doc:`Cross Site Request Forgeries </ref/csrf>`.
 
 .. templatetag:: cycle