Removed superfluous cookie check from auth login.

Cookie support is already ensured by the CSRF protection of the view.
Preston Holmes 2013-02-23 14:19:01 -08:00
parent b902a92b71
commit 9d2c0a0ae6
4 changed files with 10 additions and 11 deletions


@ -33,5 +33,4 @@ class AdminAuthenticationForm(AuthenticationForm):
raise forms.ValidationError(message % { raise forms.ValidationError(message % {
'username': self.username_field.verbose_name 'username': self.username_field.verbose_name
}) })
self.check_for_test_cookie()
return self.cleaned_data return self.cleaned_data


@ -1,5 +1,7 @@
from __future__ import unicode_literals from __future__ import unicode_literals
import warnings
from django import forms from django import forms
from django.forms.util import flatatt from django.forms.util import flatatt
from django.template import loader from django.template import loader
@ -153,8 +155,6 @@ class AuthenticationForm(forms.Form):
error_messages = { error_messages = {
'invalid_login': _("Please enter a correct %(username)s and password. " 'invalid_login': _("Please enter a correct %(username)s and password. "
"Note that both fields may be case-sensitive."), "Note that both fields may be case-sensitive."),
'no_cookies': _("Your Web browser doesn't appear to have cookies "
"enabled. Cookies are required for logging in."),
'inactive': _("This account is inactive."), 'inactive': _("This account is inactive."),
} }
@ -189,12 +189,11 @@ class AuthenticationForm(forms.Form):
}) })
elif not self.user_cache.is_active: elif not self.user_cache.is_active:
raise forms.ValidationError(self.error_messages['inactive']) raise forms.ValidationError(self.error_messages['inactive'])
self.check_for_test_cookie()
return self.cleaned_data return self.cleaned_data
def check_for_test_cookie(self): def check_for_test_cookie(self):
if self.request and not self.request.session.test_cookie_worked(): warnings.warn("check_for_test_cookie is deprecated; ensure your login "
raise forms.ValidationError(self.error_messages['no_cookies']) "view is CSRF-protected.", DeprecationWarning)
def get_user_id(self): def get_user_id(self):
if self.user_cache: if self.user_cache:
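Review bot: The `warnings.warn(...)` call in `check_for_test_cookie` passes no `stacklevel`, so the DeprecationWarning is attributed to this forms module rather than to the subclass that still calls the method; ending the call with `DeprecationWarning, stacklevel=2)` would point at the caller. The method now returns without checking anything, so a subclass used from a view that is CSRF-exempt or runs without the CSRF middleware silently loses the cookie check. A one-line docstring such as `"""Deprecated no-op: no longer verifies cookie support; the login view's CSRF protection is relied on instead."""` would make that visible to anyone reading the class. The `no_cookies` entry also appears to be dropped from `error_messages` in this section, so a subclass that looks up that key directly would raise KeyError; such callers are outside what is shown here.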


@ -45,15 +45,10 @@ def login(request, template_name='registration/login.html',
# Okay, security check complete. Log the user in. # Okay, security check complete. Log the user in.
auth_login(request, form.get_user()) auth_login(request, form.get_user())
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
return HttpResponseRedirect(redirect_to) return HttpResponseRedirect(redirect_to)
else: else:
form = authentication_form(request) form = authentication_form(request)
request.session.set_test_cookie()
current_site = get_current_site(request) current_site = get_current_site(request)
context = { context = {


@ -320,6 +320,12 @@ these changes.
deprecated. Use the :class:`warnings.catch_warnings` context manager deprecated. Use the :class:`warnings.catch_warnings` context manager
available starting with Python 2.6 instead. available starting with Python 2.6 instead.
* The undocumented ``check_for_test_cookie`` method in
:class:`~django.contrib.auth.forms.AuthenticationForm` will be removed
following an accelerated deprecation. Users subclassing this form should
remove calls to this method, and instead ensure that their auth related views
are CSRF protected, which ensures that cookies are enabled.
1.8 1.8
--- ---