| author | Louise Crow <louise.crow@gmail.com> | 2015-04-09 19:51:37 +0100 |
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2015-04-10 12:09:29 +0100 |
| commit | 14a7c646bd64ce0d174aba594e9591227b039070 (patch) | |
| tree | ec90035acfb4192849ff4f141af86ad21c4f518b /doc | |
| parent | 24a91a3dc095a0d55cb6b4ddf3c6a68726228f54 (diff) | |
Add warning about updating search forms to release notes.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/CHANGES.md | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/CHANGES.md b/doc/CHANGES.md index 7b0341b30..a654f3b6a 100644 --- a/doc/CHANGES.md +++ b/doc/CHANGES.md @@ -51,6 +51,10 @@ see if these need to be changed. URLs in rreviously sent admin emails about requested changes to authorities will need to be tweaked to work - from `admin/body/new?change_request_id=n` to `admin/bodies/new?change_request_id=n` +* CSRF protection is now used by default on forms using 'POST', and as a result, the navbar and front page + search forms have been converted to use 'GET' rather than 'POST'. If you override `/app/views/general/_frontpage_search_box.html.erb`, `app/views/general/header.html.erb` or `app/views/general/_responsive_topnav.html.erb`, you should update the search forms in your templates to use 'GET'. Any forms of your own + that use the 'POST' method should be generated in Rails or otherwise include a CSRF token. If + they don't, logged-in users will be logged out when they use them. * If you override the `app/views/user/_signin.html.erb` or `app/view/user/_signup.html.erb` templates, check the tabindex order is still sensible - the order of the elements on the page has changed |
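Review bot: the first template path in the new CSRF bullet, `/app/views/general/_frontpage_search_box.html.erb`, has a leading slash while the other two (`app/views/general/header.html.erb`, `app/views/general/_responsive_topnav.html.erb`) do not; drop the slash so all three read as repository-relative paths. The advice "should be generated in Rails or otherwise include a CSRF token" would be more actionable if it named the mechanism, for example "built with the Rails form helpers (`form_tag`/`form_for`), which emit the hidden `authenticity_token` field, or otherwise include the CSRF token", since a theme author may not know what "generated in Rails" means. It would also help to state why switching the search forms to GET is acceptable (they only read, never change state), so readers do not treat GET as a general way around the protection. The unchanged context line just above still reads "rreviously sent admin emails" (should be "previously"); since this hunk already touches that paragraph, fixing the typo here would be cheap.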
