15 years ago · 5a0aab41ee
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -3,7 +3,7 @@ from django import http, template
 
				 from django.contrib.admin import ModelAdmin
			
 
				 from django.contrib.admin import actions
			
 
				 from django.contrib.auth import authenticate, login
			
 
				-from django.views.decorators.csrf import csrf_protect, csrf_response_exempt
			
 
				+from django.views.decorators.csrf import csrf_protect
			
 
				 from django.db.models.base import ModelBase
			
 
				 from django.core.exceptions import ImproperlyConfigured
			
 
				 from django.core.urlresolvers import reverse
			
@@ -189,7 +189,7 @@ class AdminSite(object):
 
				             inner = never_cache(inner)
			
 
				         # We add csrf_protect here so this function can be used as a utility
			
 
				         # function for any view, without having to repeat 'csrf_protect'.
			
 
				-        inner = csrf_response_exempt(csrf_protect(inner))
			
 
				+        inner = csrf_protect(inner)
			
 
				         return update_wrapper(inner, view)
			
 
				 
			
 
				     def get_urls(self):
			
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -178,7 +178,9 @@ Note that contrib apps, such as the admin, have been updated to use the
 
				 customised templates to any of the view functions of contrib apps (whether
			
 
				 explicitly via a keyword argument, or by overriding built-in templates), **you
			
 
				 MUST update them** to include the ``csrf_token`` template tag as described
			
 
				-above, or they will stop working.
			
 
				+above, or they will stop working.  (If you cannot update these templates for
			
 
				+some reason, you will be forced to use ``CsrfResponseMiddleware`` for these
			
 
				+views to continue working).
			
 
				 
			
 
				 Assuming you have followed the above, all views in your Django site will now be
			
 
				 protected by the ``CsrfViewMiddleware``.  Contrib apps meet the requirements