Fixed #8092, #3828 -- Removed dictionary access for request objects so that GET and POST data doesn't "overwrite" request attributes when used in templates (since dictionary lookup is performed before attribute lookup). This is backwards-incompatible if you were using the request object for dictionary access to the combined GET and POST data, but you should use request.REQUEST for that instead.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8202 bcc190cf-cafb-0310-a4f2-bffc1f526a37

tests/regressiontests/context_processors/tests.py

@@ -0,0 +1,38 @@
+"""
+Tests for Django's bundled context processors.
+"""
+
+from django.conf import settings
+from django.test import TestCase
+
+
+class RequestContextProcessorTests(TestCase):
+    """
+    Tests for the ``django.core.context_processors.request`` processor.
+    """
+
+    urls = 'regressiontests.context_processors.urls'
+
+    def test_request_attributes(self):
+        """
+        Test that the request object is available in the template and that its
+        attributes can't be overridden by GET and POST parameters (#3828).
+        """
+        url = '/request_attrs/'
+        # We should have the request object in the template.
+        response = self.client.get(url)
+        self.assertContains(response, 'Have request')
+        # Test is_secure.
+        response = self.client.get(url)
+        self.assertContains(response, 'Not secure')
+        response = self.client.get(url, {'is_secure': 'blah'})
+        self.assertContains(response, 'Not secure')
+        response = self.client.post(url, {'is_secure': 'blah'})
+        self.assertContains(response, 'Not secure')
+        # Test path.
+        response = self.client.get(url)
+        self.assertContains(response, url)
+        response = self.client.get(url, {'path': '/blah/'})
+        self.assertContains(response, url)
+        response = self.client.post(url, {'path': '/blah/'})
+        self.assertContains(response, url)