You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The attribute hx_requests_allow_additive on HtmxViewMixin has been renamed to use_global_hx_rules and its default value changed from False to True. Update your views accordingly. (6a8bd6f)
Add security controls for requiring authentication (d43ce23)
Change security contorls to be on view and not hxrequest class (b35fb01)
Breaking
The new setting HX_REQUESTS_REQUIRE_AUTH defaults to True, meaning that all HxRequests now require an authenticated user by default. Existing projects must explicitly set HX_REQUESTS_REQUIRE_AUTH = False in their settings to restore the previous behavior of allowing unauthenticated HxRequests or add HX_REQUESTS_UNAUTHENTICATED_ALLOW to specify which HxRequests are allowed without authentication. (d43ce23)
The security controls for HxRequests have been reworked. Instead of defining allowed apps and urls on the HxRequest class, views can now define an allow list of HxRequest names that are permitted to be used in that view. (b35fb01)
Documentation
Docs for securing HxRequests via authentication (d632c41)
Update docs to reflect per-view HxRequest controls (0d147e1)
