Fixed #28229 -- Fixed the value of LoginView's "next" template variable.

2017-05-22 14:52:56 -07:00 · 2017-05-22 14:52:56 -07:00 · e7dc39fb65
parent a118287bca
commit e7dc39fb65
3 changed files with 13 additions and 5 deletions
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@ -65,7 +65,11 @@ class LoginView(SuccessURLAllowedHostsMixin, FormView):
        return super().dispatch(request, *args, **kwargs)

    def get_success_url(self):
-        """Ensure the user-originating redirection URL is safe."""
+        url = self.get_redirect_url()
+        return url or resolve_url(settings.LOGIN_REDIRECT_URL)
+
+    def get_redirect_url(self):
+        """Return the user-originating redirect URL if it's safe."""
        redirect_to = self.request.POST.get(
            self.redirect_field_name,
            self.request.GET.get(self.redirect_field_name, '')
@ -75,9 +79,7 @@ class LoginView(SuccessURLAllowedHostsMixin, FormView):
            allowed_hosts=self.get_success_url_allowed_hosts(),
            require_https=self.request.is_secure(),
        )
-        if not url_is_safe:
-            return resolve_url(settings.LOGIN_REDIRECT_URL)
-        return redirect_to
+        return redirect_to if url_is_safe else ''

    def get_form_class(self):
        return self.authentication_form or self.form_class
@ -96,7 +98,7 @@ class LoginView(SuccessURLAllowedHostsMixin, FormView):
        context = super().get_context_data(**kwargs)
        current_site = get_current_site(self.request)
        context.update({
-            self.redirect_field_name: self.get_success_url(),
+            self.redirect_field_name: self.get_redirect_url(),
            'site': current_site,
            'site_name': current_site.name,
        })
--- a/docs/releases/1.11.3.txt
+++ b/docs/releases/1.11.3.txt
@ -35,3 +35,8 @@ Bugfixes

 * Prevented ``Paginator``’s unordered object list warning from evaluating a
  ``QuerySet`` (:ticket:`28284`).
+
+* Fixed the value of ``redirect_field_name`` in ``LoginView``’s template
+  context. It's now an empty string (as it is for the original function-based
+  ``login()`` view) if the corresponding parameter isn't sent in a request (in
+  particular, when the login page is accessed directly) (:ticket:`28229`).
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@ -835,6 +835,7 @@ class LoginRedirectAuthenticatedUser(AuthViewsTestCase):
        self.login()
        response = self.client.get(self.dont_redirect_url)
        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context['next'], '')

    def test_guest(self):
        """If not logged in, stay on the same page."""