Removed superfluous cookie check from auth login.

This is ensured through the CSRF protection of the view
2013-02-23 14:19:01 -08:00 · 2013-02-23 14:19:01 -08:00 · 9d2c0a0ae6
parent b902a92b71
commit 9d2c0a0ae6
4 changed files with 10 additions and 11 deletions
--- a/django/contrib/admin/forms.py
+++ b/django/contrib/admin/forms.py
@ -33,5 +33,4 @@ class AdminAuthenticationForm(AuthenticationForm):
                raise forms.ValidationError(message % {
                    'username': self.username_field.verbose_name
                })
-        self.check_for_test_cookie()
        return self.cleaned_data
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@ -1,5 +1,7 @@
 from __future__ import unicode_literals

+import warnings
+
 from django import forms
 from django.forms.util import flatatt
 from django.template import loader
@ -153,8 +155,6 @@ class AuthenticationForm(forms.Form):
    error_messages = {
        'invalid_login': _("Please enter a correct %(username)s and password. "
                           "Note that both fields may be case-sensitive."),
-        'no_cookies': _("Your Web browser doesn't appear to have cookies "
-                        "enabled. Cookies are required for logging in."),
        'inactive': _("This account is inactive."),
    }

@ -189,12 +189,11 @@ class AuthenticationForm(forms.Form):
                    })
            elif not self.user_cache.is_active:
                raise forms.ValidationError(self.error_messages['inactive'])
-        self.check_for_test_cookie()
        return self.cleaned_data

    def check_for_test_cookie(self):
-        if self.request and not self.request.session.test_cookie_worked():
-            raise forms.ValidationError(self.error_messages['no_cookies'])
+        warnings.warn("check_for_test_cookie is deprecated; ensure your login "
+                "view is CSRF-protected.", DeprecationWarning)

    def get_user_id(self):
        if self.user_cache:
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@ -45,15 +45,10 @@ def login(request, template_name='registration/login.html',
            # Okay, security check complete. Log the user in.
            auth_login(request, form.get_user())

-            if request.session.test_cookie_worked():
-                request.session.delete_test_cookie()
-
            return HttpResponseRedirect(redirect_to)
    else:
        form = authentication_form(request)

-    request.session.set_test_cookie()
-
    current_site = get_current_site(request)

    context = {
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@ -320,6 +320,12 @@ these changes.
  deprecated. Use the :class:`warnings.catch_warnings` context manager
  available starting with Python 2.6 instead.

+* The undocumented ``check_for_test_cookie`` method in
+  :class:`~django.contrib.auth.forms.AuthenticationForm` will be removed
+  following an accelerated deprecation. Users subclassing this form should
+  remove calls to this method, and instead ensure that their auth related views
+  are CSRF protected, which ensures that cookies are enabled.
+
 1.8
 ---