Fixed #19327 -- Added handling of double login attempts in admin.
Thanks to Krzysztof Jurewicz for initial patch and adupin for tests.
parent
5180e40bee
commit
9d6ecc6bc6
1
AUTHORS
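--- a/AUTHORS
+++ b/AUTHORS
@@ -606,6 +606,7 @@ answer newbie questions, and generally made Django that much better:
 Jarek Zgoda <jarek.zgoda@gmail.com>
 Cheng Zhang
 Hannes Struß <x@hannesstruss.de>
+Deric Crago <deric.crago@gmail.com>
 
 A big THANK YOU goes to:
 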
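--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -2,7 +2,7 @@ from functools import update_wrapper
 from django.http import Http404, HttpResponseRedirect
 from django.contrib.admin import ModelAdmin, actions
 from django.contrib.admin.forms import AdminAuthenticationForm
-from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME
 from django.contrib.contenttypes import views as contenttype_views
 from django.views.decorators.csrf import csrf_protect
 from django.db.models.base import ModelBase
@@ -193,6 +193,8 @@ class AdminSite(object):
 cacheable=True.
 """
 def inner(request, *args, **kwargs):
+if LOGIN_FORM_KEY in request.POST and request.user.is_authenticated():
+auth_logout(request)
 if not self.has_permission(request):
 if request.path == reverse('admin:logout',
 current_app=self.name):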
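Review bot: The new check in `inner` fires on a POST to any admin view that carries LOGIN_FORM_KEY, not only on the login form, so an already-authenticated user whose change-form or action POST happens to include a field of that name would have a valid session ended; restricting the condition to the login path, or documenting why every view is covered, would make the intent explicit, e.g. `# A login POST from an authenticated user replaces the current session rather than keeping it (#19327).` The logout also runs before `has_permission`, so a failed second login leaves the user logged out, which matches the ticket but is worth stating in that comment. Because this ends a session on a POST, it matters that `inner` is still wrapped by `csrf_protect` (imported in the first hunk, applied outside this one), otherwise a cross-site POST could force a logout; please confirm that ordering. `inner` begins outside the hunk and LOGIN_FORM_KEY is not defined in the shown hunks, so its origin should be confirmed.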
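--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -981,6 +981,32 @@ class AdminViewPermissionsTest(TestCase):
 login = self.client.post('/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string)
 self.assertRedirects(login, redirect_url)
 
+def testDoubleLoginIsNotAllowed(self):
+"""Regression test for #19327"""
+response = self.client.get('/test_admin/admin/')
+self.assertEqual(response.status_code, 200)
+
+# Establish a valid admin session
+login = self.client.post('/test_admin/admin/', self.super_login)
+self.assertRedirects(login, '/test_admin/admin/')
+self.assertFalse(login.context)
+
+# Logging in with non-admin user fails
+login = self.client.post('/test_admin/admin/', self.joepublic_login)
+self.assertEqual(login.status_code, 200)
+self.assertContains(login, ERROR_MESSAGE)
+
+# Establish a valid admin session
+login = self.client.post('/test_admin/admin/', self.super_login)
+self.assertRedirects(login, '/test_admin/admin/')
+self.assertFalse(login.context)
+
+# Logging in with admin user while already logged in
+login = self.client.post('/test_admin/admin/', self.super_login)
+self.assertRedirects(login, '/test_admin/admin/')
+self.assertFalse(login.context)
+self.client.get('/test_admin/admin/logout/')
+
 def testAddView(self):
 """Test add view restricts access and actually adds items."""
 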
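Review bot: The method name `testDoubleLoginIsNotAllowed` says the opposite of what the assertions establish: the third `self.super_login` POST, made while a superuser session is active, is expected to redirect to `/test_admin/admin/` with no login context, i.e. the second login is accepted and replaces the session, while the `joepublic_login` block shows that a failed re-login does not keep the old session alive. Renaming it, for instance to `testDoubleLoginReplacesSession`, or expanding the docstring to state that contract would spare the next reader the confusion, e.g. `"""A login POST while authenticated ends the current session first; a failed re-login must not keep the old session (#19327)."""`. The test never inspects the session after the `joepublic` attempt directly — it relies on the 200 response and ERROR_MESSAGE to infer that the previous superuser session is gone — so a short comment on that block, `# The earlier superuser session must be gone: the login page is shown, not the index`, would document that inference. The enclosing class begins outside the hunk.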