Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to rajeshd for the report of a problem case.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8509 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
74b3173fba
commit
27b0077a48
|
@ -248,6 +248,8 @@ class AdminSite(object):
|
||||||
if not request.session.test_cookie_worked():
|
if not request.session.test_cookie_worked():
|
||||||
message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
|
message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
|
||||||
return self.display_login_form(request, message)
|
return self.display_login_form(request, message)
|
||||||
|
else:
|
||||||
|
request.session.delete_test_cookie()
|
||||||
|
|
||||||
# Check the password.
|
# Check the password.
|
||||||
username = request.POST.get('username', None)
|
username = request.POST.get('username', None)
|
||||||
|
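Review bot: The new `else:` after `return self.display_login_form(request, message)` is redundant since the `if` branch returns; dropping it and dedenting `request.session.delete_test_cookie()` reads as the plain sequence "cookie verified, clear it, check the password". The move also deserves a comment, because the cookie is now cleared before the password check, so a failed attempt relies on `display_login_form` (outside the hunk) setting it again for the re-displayed form, and the reason for clearing it earlier is only visible in the tests: `# Clear the test cookie as soon as it has been verified; deleting it only after login() misbehaved when another user was already logged in (#8509).` — the exact failure mode is inferred from the test comment, so word it to match what was actually observed. The same change, and the same comment, applies to the `staff_member_required` hunk at `@ -74,6 +74,8 @@`; the paired removals at `@ -275,7 +277,6 @@` and `@ -105,7 +107,6 @@` need no note. `AdminSite.login` starts before and continues after this hunk.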
@ -275,7 +277,6 @@ class AdminSite(object):
|
||||||
login(request, user)
|
login(request, user)
|
||||||
if request.POST.has_key('post_data'):
|
if request.POST.has_key('post_data'):
|
||||||
post_data = _decode_post_data(request.POST['post_data'])
|
post_data = _decode_post_data(request.POST['post_data'])
|
||||||
request.session.delete_test_cookie()
|
|
||||||
if post_data and not post_data.has_key(LOGIN_FORM_KEY):
|
if post_data and not post_data.has_key(LOGIN_FORM_KEY):
|
||||||
# overwrite request.POST with the saved post_data, and continue
|
# overwrite request.POST with the saved post_data, and continue
|
||||||
request.POST = post_data
|
request.POST = post_data
|
||||||
|
|
|
@ -74,6 +74,8 @@ def staff_member_required(view_func):
|
||||||
if not request.session.test_cookie_worked():
|
if not request.session.test_cookie_worked():
|
||||||
message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
|
message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
|
||||||
return _display_login_form(request, message)
|
return _display_login_form(request, message)
|
||||||
|
else:
|
||||||
|
request.session.delete_test_cookie()
|
||||||
|
|
||||||
# Check the password.
|
# Check the password.
|
||||||
username = request.POST.get('username', None)
|
username = request.POST.get('username', None)
|
||||||
|
@ -105,7 +107,6 @@ def staff_member_required(view_func):
|
||||||
request.user = user
|
request.user = user
|
||||||
return view_func(request, *args, **kwargs)
|
return view_func(request, *args, **kwargs)
|
||||||
else:
|
else:
|
||||||
request.session.delete_test_cookie()
|
|
||||||
return http.HttpResponseRedirect(request.get_full_path())
|
return http.HttpResponseRedirect(request.get_full_path())
|
||||||
else:
|
else:
|
||||||
return _display_login_form(request, ERROR_MESSAGE)
|
return _display_login_form(request, ERROR_MESSAGE)
|
||||||
|
|
|
@ -274,6 +274,15 @@ class AdminViewPermissionsTest(TestCase):
|
||||||
self.failUnlessEqual(Article.objects.all().count(), 4)
|
self.failUnlessEqual(Article.objects.all().count(), 4)
|
||||||
self.client.get('/test_admin/admin/logout/')
|
self.client.get('/test_admin/admin/logout/')
|
||||||
|
|
||||||
|
# 8509 - if a normal user is already logged in, it is possible
|
||||||
|
# to change user into the superuser without error
|
||||||
|
login = self.client.login(username='joepublic', password='secret')
|
||||||
|
# Check and make sure that if user expires, data still persists
|
||||||
|
self.client.get('/test_admin/admin/')
|
||||||
|
self.client.post('/test_admin/admin/', self.super_login)
|
||||||
|
# make sure the view removes test cookie
|
||||||
|
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||||
|
|
||||||
def testChangeView(self):
|
def testChangeView(self):
|
||||||
"""Change view should restrict access and allow users to edit items."""
|
"""Change view should restrict access and allow users to edit items."""
|
||||||
|
|
||||||
|
@ -506,6 +515,8 @@ class SecureViewTest(TestCase):
|
||||||
self.assertRedirects(login, '/test_admin/admin/secure-view/')
|
self.assertRedirects(login, '/test_admin/admin/secure-view/')
|
||||||
self.failIf(login.context)
|
self.failIf(login.context)
|
||||||
self.client.get('/test_admin/admin/logout/')
|
self.client.get('/test_admin/admin/logout/')
|
||||||
|
# make sure the view removes test cookie
|
||||||
|
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||||
|
|
||||||
# Test if user enters e-mail address
|
# Test if user enters e-mail address
|
||||||
request = self.client.get('/test_admin/admin/secure-view/')
|
request = self.client.get('/test_admin/admin/secure-view/')
|
||||||
|
@ -552,3 +563,23 @@ class SecureViewTest(TestCase):
|
||||||
self.failUnlessEqual(login.status_code, 200)
|
self.failUnlessEqual(login.status_code, 200)
|
||||||
# Login.context is a list of context dicts we just need to check the first one.
|
# Login.context is a list of context dicts we just need to check the first one.
|
||||||
self.assert_(login.context[0].get('error_message'))
|
self.assert_(login.context[0].get('error_message'))
|
||||||
|
|
||||||
|
# Check and make sure that if user expires, data still persists
|
||||||
|
data = {'foo': 'bar'}
|
||||||
|
post = self.client.post('/test_admin/admin/secure-view/', data)
|
||||||
|
self.assertContains(post, 'Please log in again, because your session has expired.')
|
||||||
|
self.super_login['post_data'] = _encode_post_data(data)
|
||||||
|
post = self.client.post('/test_admin/admin/secure-view/', self.super_login)
|
||||||
|
# make sure the view removes test cookie
|
||||||
|
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||||
|
self.assertContains(post, "{'foo': 'bar'}")
|
||||||
|
self.client.get('/test_admin/admin/logout/')
|
||||||
|
|
||||||
|
# 8509 - if a normal user is already logged in, it is possible
|
||||||
|
# to change user into the superuser without error
|
||||||
|
login = self.client.login(username='joepublic', password='secret')
|
||||||
|
# Check and make sure that if user expires, data still persists
|
||||||
|
self.client.get('/test_admin/admin/secure-view/')
|
||||||
|
self.client.post('/test_admin/admin/secure-view/', self.super_login)
|
||||||
|
# make sure the view removes test cookie
|
||||||
|
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
|
||||||
|
|
|
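Review bot: `self.super_login` is mutated in place at `self.super_login['post_data'] = _encode_post_data(data)` and then posted again unchanged at `self.client.post('/test_admin/admin/secure-view/', self.super_login)` in the #8509 block, so that second login still carries the stale `post_data` and exercises the saved-POST path instead of the plain user switch the comment describes; either `del self.super_login['post_data']` before the reuse, or post a copy for the first request, `dict(self.super_login, post_data=_encode_post_data(data))`. The comment `# Check and make sure that if user expires, data still persists` above `login = self.client.login(username='joepublic', password='secret')` is copied from the earlier block and does not describe the user-switch check that follows (the same copy appears in the `AdminViewPermissionsTest` hunk at `@ -274,6 +274,15 @@`); replace it with `# Log in as a non-staff user first, then submit the superuser login form.` Whether `setUp` rebuilds `self.super_login` per test is outside the hunk, so cross-test leakage cannot be judged here. The enclosing test method starts before this hunk.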
@ -2,5 +2,5 @@ from django.contrib.admin.views.decorators import staff_member_required
|
||||||
from django.http import HttpResponse
|
from django.http import HttpResponse
|
||||||
|
|
||||||
def secure_view(request):
|
def secure_view(request):
|
||||||
return HttpResponse('')
|
return HttpResponse('%s' % request.POST)
|
||||||
secure_view = staff_member_required(secure_view)
|
secure_view = staff_member_required(secure_view)
|
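Review bot: `return HttpResponse('%s' % request.POST)` reflects the whole POST body into the response unescaped; that is exactly what the `assertContains(post, "{'foo': 'bar'}")` assertion in the tests needs, but it is the kind of line that gets copied into real views, so mark it: `# Test fixture only: echo request.POST so tests can check that a saved post_data was restored. Not a pattern for real views (unescaped reflection).` The assertion also presumably depends on `request.POST` being a plain dict at that point rather than the usual request `QueryDict`, which is decided by `_decode_post_data` outside this file; if that is the intended contract it belongs in the same comment.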