Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to rajeshd for the report of a problem case.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8509 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee
parent
74b3173fba
commit
27b0077a48
|
|
@ -248,6 +248,8 @@ class AdminSite(object):
|
|||
if not request.session.test_cookie_worked():
|
||||
message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
|
||||
return self.display_login_form(request, message)
|
||||
else:
|
||||
request.session.delete_test_cookie()
|
||||
|
||||
# Check the password.
|
||||
username = request.POST.get('username', None)
|
||||
|
|
@ -275,7 +277,6 @@ class AdminSite(object):
|
|||
login(request, user)
|
||||
if request.POST.has_key('post_data'):
|
||||
post_data = _decode_post_data(request.POST['post_data'])
|
||||
request.session.delete_test_cookie()
|
||||
if post_data and not post_data.has_key(LOGIN_FORM_KEY):
|
||||
# overwrite request.POST with the saved post_data, and continue
|
||||
request.POST = post_data
|
||||
|
|
|
|||
|
|
@ -74,6 +74,8 @@ def staff_member_required(view_func):
|
|||
if not request.session.test_cookie_worked():
|
||||
message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
|
||||
return _display_login_form(request, message)
|
||||
else:
|
||||
request.session.delete_test_cookie()
|
||||
|
||||
# Check the password.
|
||||
username = request.POST.get('username', None)
|
||||
|
|
@ -105,7 +107,6 @@ def staff_member_required(view_func):
|
|||
request.user = user
|
||||
return view_func(request, *args, **kwargs)
|
||||
else:
|
||||
request.session.delete_test_cookie()
|
||||
return http.HttpResponseRedirect(request.get_full_path())
|
||||
else:
|
||||
return _display_login_form(request, ERROR_MESSAGE)
|
||||
|
|
|
|||
|
|
@ -274,6 +274,15 @@ class AdminViewPermissionsTest(TestCase):
|
|||
self.failUnlessEqual(Article.objects.all().count(), 4)
|
||||
self.client.get('/test_admin/admin/logout/')
|
||||
|
||||
# 8509 - if a normal user is already logged in, it is possible
|
||||
# to change user into the superuser without error
|
||||
login = self.client.login(username='joepublic', password='secret')
|
||||
# Check and make sure that if user expires, data still persists
|
||||
self.client.get('/test_admin/admin/')
|
||||
self.client.post('/test_admin/admin/', self.super_login)
|
||||
# make sure the view removes test cookie
|
||||
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||
|
||||
def testChangeView(self):
|
||||
"""Change view should restrict access and allow users to edit items."""
|
||||
|
||||
|
|
@ -506,6 +515,8 @@ class SecureViewTest(TestCase):
|
|||
self.assertRedirects(login, '/test_admin/admin/secure-view/')
|
||||
self.failIf(login.context)
|
||||
self.client.get('/test_admin/admin/logout/')
|
||||
# make sure the view removes test cookie
|
||||
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||
|
||||
# Test if user enters e-mail address
|
||||
request = self.client.get('/test_admin/admin/secure-view/')
|
||||
|
|
@ -552,3 +563,23 @@ class SecureViewTest(TestCase):
|
|||
self.failUnlessEqual(login.status_code, 200)
|
||||
# Login.context is a list of context dicts we just need to check the first one.
|
||||
self.assert_(login.context[0].get('error_message'))
|
||||
|
||||
# Check and make sure that if user expires, data still persists
|
||||
data = {'foo': 'bar'}
|
||||
post = self.client.post('/test_admin/admin/secure-view/', data)
|
||||
self.assertContains(post, 'Please log in again, because your session has expired.')
|
||||
self.super_login['post_data'] = _encode_post_data(data)
|
||||
post = self.client.post('/test_admin/admin/secure-view/', self.super_login)
|
||||
# make sure the view removes test cookie
|
||||
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||
self.assertContains(post, "{'foo': 'bar'}")
|
||||
self.client.get('/test_admin/admin/logout/')
|
||||
|
||||
# 8509 - if a normal user is already logged in, it is possible
|
||||
# to change user into the superuser without error
|
||||
login = self.client.login(username='joepublic', password='secret')
|
||||
# Check and make sure that if user expires, data still persists
|
||||
self.client.get('/test_admin/admin/secure-view/')
|
||||
self.client.post('/test_admin/admin/secure-view/', self.super_login)
|
||||
# make sure the view removes test cookie
|
||||
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||
|
|
|
|||
|
|
@ -2,5 +2,5 @@ from django.contrib.admin.views.decorators import staff_member_required
|
|||
from django.http import HttpResponse
|
||||
|
||||
def secure_view(request):
|
||||
return HttpResponse('')
|
||||
return HttpResponse('%s' % request.POST)
|
||||
secure_view = staff_member_required(secure_view)
|
||||
Loading…
Reference in New Issue