AUTHORS +1 −0 @@ -606,6 +606,7 @@ answer newbie questions, and generally made Django that much better: Jarek Zgoda <jarek.zgoda@gmail.com> Cheng Zhang Hannes Struß <x@hannesstruss.de> Deric Crago <deric.crago@gmail.com> A big THANK YOU goes to: django/contrib/admin/sites.py +3 −1 @@ -2,7 +2,7 @@ from functools import update_wrapper from django.http import Http404, HttpResponseRedirect from django.contrib.admin import ModelAdmin, actions from django.contrib.admin.forms import AdminAuthenticationForm from django.contrib.auth import REDIRECT_FIELD_NAME from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME from django.contrib.contenttypes import views as contenttype_views from django.views.decorators.csrf import csrf_protect from django.db.models.base import ModelBase @@ -193,6 +193,8 @@ class AdminSite(object): cacheable=True. """ def inner(request, *args, **kwargs): if LOGIN_FORM_KEY in request.POST and request.user.is_authenticated(): auth_logout(request) if not self.has_permission(request): if request.path == reverse('admin:logout', current_app=self.name): tests/admin_views/tests.py +28 −2
@@ -981,6 +981,32 @@ class AdminViewPermissionsTest(TestCase): login = self.client.post('/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string) self.assertRedirects(login, redirect_url) def testDoubleLoginIsNotAllowed(self): """Regression test for #19327""" response = self.client.get('/test_admin/admin/') self.assertEqual(response.status_code, 200) # Establish a valid admin session login = self.client.post('/test_admin/admin/', self.super_login) self.assertRedirects(login, '/test_admin/admin/') self.assertFalse(login.context) # Logging in with non-admin user fails login = self.client.post('/test_admin/admin/', self.joepublic_login) self.assertEqual(login.status_code, 200) self.assertContains(login, ERROR_MESSAGE) # Establish a valid admin session login = self.client.post('/test_admin/admin/', self.super_login) self.assertRedirects(login, '/test_admin/admin/') self.assertFalse(login.context) # Logging in with admin user while already logged in login = self.client.post('/test_admin/admin/', self.super_login) self.assertRedirects(login, '/test_admin/admin/') self.assertFalse(login.context) self.client.get('/test_admin/admin/logout/') def testAddView(self): """Test add view restricts access and actually adds items."""
AUTHORS +1 −0 @@ -606,6 +606,7 @@ answer newbie questions, and generally made Django that much better: Jarek Zgoda <jarek.zgoda@gmail.com> Cheng Zhang Hannes Struß <x@hannesstruss.de> Deric Crago <deric.crago@gmail.com> A big THANK YOU goes to:
django/contrib/admin/sites.py +3 −1 @@ -2,7 +2,7 @@ from functools import update_wrapper from django.http import Http404, HttpResponseRedirect from django.contrib.admin import ModelAdmin, actions from django.contrib.admin.forms import AdminAuthenticationForm from django.contrib.auth import REDIRECT_FIELD_NAME from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME from django.contrib.contenttypes import views as contenttype_views from django.views.decorators.csrf import csrf_protect from django.db.models.base import ModelBase @@ -193,6 +193,8 @@ class AdminSite(object): cacheable=True. """ def inner(request, *args, **kwargs): if LOGIN_FORM_KEY in request.POST and request.user.is_authenticated(): auth_logout(request) if not self.has_permission(request): if request.path == reverse('admin:logout', current_app=self.name):
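Review bot: The new `auth_logout(request)` branch at the top of `inner` fires on the mere presence of `LOGIN_FORM_KEY` in `request.POST`, before any submitted credentials are validated, and nothing in the hunk says why. A short comment would help, for example `# Login form posted by an already-authenticated user: end the current session so the new credentials are checked from a clean state (#19327)`. Because the session is discarded before authentication succeeds, this path should only be reachable after CSRF validation; `csrf_protect` is imported in this file, but whether it wraps `inner` is not visible here, so that ordering is worth confirming. The body of `inner` continues outside the hunk.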
tests/admin_views/tests.py +28 −2 @@ -981,6 +981,32 @@ class AdminViewPermissionsTest(TestCase): login = self.client.post('/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string) self.assertRedirects(login, redirect_url) def testDoubleLoginIsNotAllowed(self): """Regression test for #19327""" response = self.client.get('/test_admin/admin/') self.assertEqual(response.status_code, 200) # Establish a valid admin session login = self.client.post('/test_admin/admin/', self.super_login) self.assertRedirects(login, '/test_admin/admin/') self.assertFalse(login.context) # Logging in with non-admin user fails login = self.client.post('/test_admin/admin/', self.joepublic_login) self.assertEqual(login.status_code, 200) self.assertContains(login, ERROR_MESSAGE) # Establish a valid admin session login = self.client.post('/test_admin/admin/', self.super_login) self.assertRedirects(login, '/test_admin/admin/') self.assertFalse(login.context) # Logging in with admin user while already logged in login = self.client.post('/test_admin/admin/', self.super_login) self.assertRedirects(login, '/test_admin/admin/') self.assertFalse(login.context) self.client.get('/test_admin/admin/logout/') def testAddView(self): """Test add view restricts access and actually adds items."""
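Review bot: After the failed `joepublic_login` POST in `testDoubleLoginIsNotAllowed`, the test checks only the 200 status and `ERROR_MESSAGE`; it never asserts that the earlier superuser session is actually gone, which is the security-relevant outcome of the change. Adding `self.assertNotIn(SESSION_KEY, self.client.session)` right after `self.assertContains(login, ERROR_MESSAGE)` (with `SESSION_KEY` imported from `django.contrib.auth`) would pin that down. The test name also reads oddly, since the last step asserts that a repeated admin login succeeds; a docstring such as `"""A login POST while authenticated ends the current session first (#19327)."""` would say what is being tested. The section header reports +28 −2 but only one hunk is visible, so the `ERROR_MESSAGE` import is presumably in a part not shown.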