Commit 27b0077a authored by Russell Keith-Magee's avatar Russell Keith-Magee
Browse files

Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to... 

Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to rajeshd for the report of a problem case.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8509 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 74b3173f

django/contrib/admin/sites.py

+2 −1
Original line number Diff line number Diff line
@@ -248,6 +248,8 @@ class AdminSite(object): 
        if not request.session.test_cookie_worked():

            message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")

            return self.display_login_form(request, message)

        else:

            request.session.delete_test_cookie()



        # Check the password.

        username = request.POST.get('username', None)
@@ -275,7 +277,6 @@ class AdminSite(object): 
                login(request, user)

                if request.POST.has_key('post_data'):

                    post_data = _decode_post_data(request.POST['post_data'])

                    request.session.delete_test_cookie()

                    if post_data and not post_data.has_key(LOGIN_FORM_KEY):

                        # overwrite request.POST with the saved post_data, and continue

                        request.POST = post_data

django/contrib/admin/views/decorators.py

+2 −1
Original line number Diff line number Diff line
@@ -74,6 +74,8 @@ def staff_member_required(view_func): 
        if not request.session.test_cookie_worked():

            message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")

            return _display_login_form(request, message)

        else:

            request.session.delete_test_cookie()



        # Check the password.

        username = request.POST.get('username', None)
@@ -105,7 +107,6 @@ def staff_member_required(view_func): 
                        request.user = user

                        return view_func(request, *args, **kwargs)

                    else:

                        request.session.delete_test_cookie()

                        return http.HttpResponseRedirect(request.get_full_path())

            else:

                return _display_login_form(request, ERROR_MESSAGE)

tests/regressiontests/admin_views/tests.py

+31 −0
Original line number Diff line number Diff line
@@ -274,6 +274,15 @@ class AdminViewPermissionsTest(TestCase): 
        self.failUnlessEqual(Article.objects.all().count(), 4)

        self.client.get('/test_admin/admin/logout/')



        # 8509 - if a normal user is already logged in, it is possible

        # to change user into the superuser without error

        login = self.client.login(username='joepublic', password='secret')

        # Check and make sure that if user expires, data still persists

        self.client.get('/test_admin/admin/')

        self.client.post('/test_admin/admin/', self.super_login)

        # make sure the view removes test cookie

        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)



    def testChangeView(self):

        """Change view should restrict access and allow users to edit items."""
@@ -506,6 +515,8 @@ class SecureViewTest(TestCase): 
        self.assertRedirects(login, '/test_admin/admin/secure-view/')

        self.failIf(login.context)

        self.client.get('/test_admin/admin/logout/')

        # make sure the view removes test cookie

        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)



        # Test if user enters e-mail address

        request = self.client.get('/test_admin/admin/secure-view/')
@@ -552,3 +563,23 @@ class SecureViewTest(TestCase): 
        self.failUnlessEqual(login.status_code, 200)

        # Login.context is a list of context dicts we just need to check the first one.

        self.assert_(login.context[0].get('error_message'))



        # Check and make sure that if user expires, data still persists

        data = {'foo': 'bar'}

        post = self.client.post('/test_admin/admin/secure-view/', data)

        self.assertContains(post, 'Please log in again, because your session has expired.')

        self.super_login['post_data'] = _encode_post_data(data)

        post = self.client.post('/test_admin/admin/secure-view/', self.super_login)

        # make sure the view removes test cookie

        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)

        self.assertContains(post, "{'foo': 'bar'}")

        self.client.get('/test_admin/admin/logout/')

                

        # 8509 - if a normal user is already logged in, it is possible

        # to change user into the superuser without error

        login = self.client.login(username='joepublic', password='secret')

        # Check and make sure that if user expires, data still persists

        self.client.get('/test_admin/admin/secure-view/')

        self.client.post('/test_admin/admin/secure-view/', self.super_login)

        # make sure the view removes test cookie

        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)

tests/regressiontests/admin_views/views.py

+1 −1
Original line number Diff line number Diff line
@@ -2,5 +2,5 @@ from django.contrib.admin.views.decorators import staff_member_required 
from django.http import HttpResponse



def secure_view(request):

    return HttpResponse('')

    return HttpResponse('%s' % request.POST)

secure_view = staff_member_required(secure_view)
 
 No newline at end of file