mirror of https://github.com/django/django.git
Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
Thanks Collin Anderson for the report.
This commit is contained in:
parent
1b47508ac8
commit
425d076d0c
|
@ -17,6 +17,7 @@ from django.views.decorators.csrf import csrf_protect
|
||||||
from django.views.decorators.debug import sensitive_post_parameters
|
from django.views.decorators.debug import sensitive_post_parameters
|
||||||
|
|
||||||
csrf_protect_m = method_decorator(csrf_protect)
|
csrf_protect_m = method_decorator(csrf_protect)
|
||||||
|
sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
|
||||||
|
|
||||||
|
|
||||||
class GroupAdmin(admin.ModelAdmin):
|
class GroupAdmin(admin.ModelAdmin):
|
||||||
|
@ -87,7 +88,7 @@ class UserAdmin(admin.ModelAdmin):
|
||||||
return False
|
return False
|
||||||
return super(UserAdmin, self).lookup_allowed(lookup, value)
|
return super(UserAdmin, self).lookup_allowed(lookup, value)
|
||||||
|
|
||||||
@sensitive_post_parameters()
|
@sensitive_post_parameters_m
|
||||||
@csrf_protect_m
|
@csrf_protect_m
|
||||||
@transaction.atomic
|
@transaction.atomic
|
||||||
def add_view(self, request, form_url='', extra_context=None):
|
def add_view(self, request, form_url='', extra_context=None):
|
||||||
|
@ -118,7 +119,7 @@ class UserAdmin(admin.ModelAdmin):
|
||||||
return super(UserAdmin, self).add_view(request, form_url,
|
return super(UserAdmin, self).add_view(request, form_url,
|
||||||
extra_context)
|
extra_context)
|
||||||
|
|
||||||
@sensitive_post_parameters()
|
@sensitive_post_parameters_m
|
||||||
def user_change_password(self, request, id, form_url=''):
|
def user_change_password(self, request, id, form_url=''):
|
||||||
if not self.has_change_permission(request):
|
if not self.has_change_permission(request):
|
||||||
raise PermissionDenied
|
raise PermissionDenied
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
import functools
|
import functools
|
||||||
|
|
||||||
|
from django.http import HttpRequest
|
||||||
|
|
||||||
|
|
||||||
def sensitive_variables(*variables):
|
def sensitive_variables(*variables):
|
||||||
"""
|
"""
|
||||||
|
@ -62,6 +64,10 @@ def sensitive_post_parameters(*parameters):
|
||||||
def decorator(view):
|
def decorator(view):
|
||||||
@functools.wraps(view)
|
@functools.wraps(view)
|
||||||
def sensitive_post_parameters_wrapper(request, *args, **kwargs):
|
def sensitive_post_parameters_wrapper(request, *args, **kwargs):
|
||||||
|
assert isinstance(request, HttpRequest), (
|
||||||
|
"sensitive_post_parameters didn't receive an HttpRequest. If you "
|
||||||
|
"are decorating a classmethod, be sure to use @method_decorator."
|
||||||
|
)
|
||||||
if parameters:
|
if parameters:
|
||||||
request.sensitive_post_parameters = parameters
|
request.sensitive_post_parameters = parameters
|
||||||
else:
|
else:
|
||||||
|
|
Loading…
Reference in New Issue