p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #7776: Ensured that the test cookie is always deleted once a login has succeeded. Thanks for the report and fix, Mnewman. 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8484 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2008-08-23 14:12:58 +00:00
parent 0f869f905e
commit a9ee1d4e28
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/contrib/admin/sites.py
View File

@ -274,13 +274,13 @@ class AdminSite(object):
login(request, user) login(request, user)
if request.POST.has_key('post_data'): if request.POST.has_key('post_data'):
post_data = _decode_post_data(request.POST['post_data']) post_data = _decode_post_data(request.POST['post_data'])
request.session.delete_test_cookie()
if post_data and not post_data.has_key(LOGIN_FORM_KEY): if post_data and not post_data.has_key(LOGIN_FORM_KEY):
# overwrite request.POST with the saved post_data, and continue # overwrite request.POST with the saved post_data, and continue
request.POST = post_data request.POST = post_data
request.user = user request.user = user
return self.root(request, request.path.split(self.root_path)[-1]) return self.root(request, request.path.split(self.root_path)[-1])
else: else:
request.session.delete_test_cookie()
return http.HttpResponseRedirect(request.get_full_path()) return http.HttpResponseRedirect(request.get_full_path())
else: else:
return self.display_login_form(request, ERROR_MESSAGE) return self.display_login_form(request, ERROR_MESSAGE)

4
tests/regressiontests/admin_views/tests.py
View File

@ -237,6 +237,8 @@ class AdminViewPermissionsTest(TestCase):
# Change User should not have access to add articles # Change User should not have access to add articles
self.client.get('/test_admin/admin/') self.client.get('/test_admin/admin/')
self.client.post('/test_admin/admin/', self.changeuser_login) self.client.post('/test_admin/admin/', self.changeuser_login)
# make sure the view removes test cookie
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
request = self.client.get('/test_admin/admin/admin_views/article/add/') request = self.client.get('/test_admin/admin/admin_views/article/add/')
self.failUnlessEqual(request.status_code, 403) self.failUnlessEqual(request.status_code, 403)
# Try POST just to make sure # Try POST just to make sure
@ -266,6 +268,8 @@ class AdminViewPermissionsTest(TestCase):
self.assertContains(post, 'Please log in again, because your session has expired.') self.assertContains(post, 'Please log in again, because your session has expired.')
self.super_login['post_data'] = _encode_post_data(add_dict) self.super_login['post_data'] = _encode_post_data(add_dict)
post = self.client.post('/test_admin/admin/admin_views/article/add/', self.super_login) post = self.client.post('/test_admin/admin/admin_views/article/add/', self.super_login)
# make sure the view removes test cookie
self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
self.assertRedirects(post, '/test_admin/admin/admin_views/article/') self.assertRedirects(post, '/test_admin/admin/admin_views/article/')
self.failUnlessEqual(Article.objects.all().count(), 4) self.failUnlessEqual(Article.objects.all().count(), 4)
self.client.get('/test_admin/admin/logout/') self.client.get('/test_admin/admin/logout/')