mirror of https://github.com/django/django.git
[1.6.x] Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
Thanks Collin Anderson for the report.
Backport of 425d076d0c
from master
This commit is contained in:
parent
4e7745cc1c
commit
97254154ab
|
@ -17,6 +17,7 @@ from django.views.decorators.csrf import csrf_protect
|
|||
from django.views.decorators.debug import sensitive_post_parameters
|
||||
|
||||
csrf_protect_m = method_decorator(csrf_protect)
|
||||
sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
|
||||
|
||||
|
||||
class GroupAdmin(admin.ModelAdmin):
|
||||
|
@ -90,7 +91,7 @@ class UserAdmin(admin.ModelAdmin):
|
|||
return False
|
||||
return super(UserAdmin, self).lookup_allowed(lookup, value)
|
||||
|
||||
@sensitive_post_parameters()
|
||||
@sensitive_post_parameters_m
|
||||
@csrf_protect_m
|
||||
@transaction.atomic
|
||||
def add_view(self, request, form_url='', extra_context=None):
|
||||
|
@ -121,7 +122,7 @@ class UserAdmin(admin.ModelAdmin):
|
|||
return super(UserAdmin, self).add_view(request, form_url,
|
||||
extra_context)
|
||||
|
||||
@sensitive_post_parameters()
|
||||
@sensitive_post_parameters_m
|
||||
def user_change_password(self, request, id, form_url=''):
|
||||
if not self.has_change_permission(request):
|
||||
raise PermissionDenied
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
import functools
|
||||
|
||||
from django.http import HttpRequest
|
||||
|
||||
|
||||
def sensitive_variables(*variables):
|
||||
"""
|
||||
|
@ -62,6 +64,10 @@ def sensitive_post_parameters(*parameters):
|
|||
def decorator(view):
|
||||
@functools.wraps(view)
|
||||
def sensitive_post_parameters_wrapper(request, *args, **kwargs):
|
||||
assert isinstance(request, HttpRequest), (
|
||||
"sensitive_post_parameters didn't receive an HttpRequest. If you "
|
||||
"are decorating a classmethod, be sure to use @method_decorator."
|
||||
)
|
||||
if parameters:
|
||||
request.sensitive_post_parameters = parameters
|
||||
else:
|
||||
|
|
Loading…
Reference in New Issue