Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed #15198 -- pass request to AuthenticationForm

Thanks to Ciantic for the report, claudep and slurms for initial work
  • Loading branch information...
commit 22d82a7742c3b091857fda8612273360459110ee 1 parent 9d2c0a0
Preston Holmes ptone authored
6 django/contrib/auth/forms.py
View
@@ -160,10 +160,8 @@ class AuthenticationForm(forms.Form):
def __init__(self, request=None, *args, **kwargs):
"""
- If request is passed in, the form will validate that cookies are
- enabled. Note that the request (a HttpRequest object) must have set a
- cookie with the key TEST_COOKIE_NAME and value TEST_COOKIE_VALUE before
- running this validation.
+ The 'request' parameter is set for custom auth use by subclasses.
+ The form data comes in via the standard 'data' kwarg.
Lorenzo
Oni added a note

The standard usage of a "Form" is usually:

if request.method == 'POST':
    form = MyFooForm(request.POST)

Since "AuthenticationForm"'s init accepts an extra "request" parameter it becomes a little non-consistent since you have to use:

if request.method == 'POST':
    form = AuthenticationForm(data=request.POST)

Is it a necessary inconsistency?

Possible solution:

def __init__(self, *args, **kwargs):
    self.request = kwargs.pop('request', None)
    self.user_cache = None
    super(AuthenticationForm, self).__init__(*args, **kwargs)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
"""
self.request = request
self.user_cache = None
14 django/contrib/auth/tests/urls.py
View
@@ -1,14 +1,20 @@
from django.conf.urls import patterns, url
from django.contrib.auth import context_processors
+from django.contrib.auth.forms import AuthenticationForm
from django.contrib.auth.urls import urlpatterns
-from django.contrib.auth.views import password_reset
+from django.contrib.auth.views import password_reset, login
from django.contrib.auth.decorators import login_required
from django.contrib.messages.api import info
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpRequest
from django.shortcuts import render_to_response
from django.template import Template, RequestContext
from django.views.decorators.cache import never_cache
+class CustomRequestAuthenticationForm(AuthenticationForm):
+ def __init__(self, request, *args, **kwargs):
+ assert isinstance(request, HttpRequest)
+ super(CustomRequestAuthenticationForm, self).__init__(request, *args, **kwargs)
+
@never_cache
def remote_user_auth_view(request):
"Dummy view for remote user tests"
@@ -49,6 +55,9 @@ def auth_processor_messages(request):
def userpage(request):
pass
+def custom_request_auth_login(request):
+ return login(request, authentication_form=CustomRequestAuthenticationForm)
+
# special urls for auth test cases
urlpatterns = urlpatterns + patterns('',
(r'^logout/custom_query/$', 'django.contrib.auth.views.logout', dict(redirect_field_name='follow')),
@@ -65,6 +74,7 @@ def userpage(request):
(r'^auth_processor_perms/$', auth_processor_perms),
(r'^auth_processor_perm_in_perms/$', auth_processor_perm_in_perms),
(r'^auth_processor_messages/$', auth_processor_messages),
+ (r'^custom_request_auth_login/$', custom_request_auth_login),
url(r'^userpage/(.+)/$', userpage, name="userpage"),
)
8 django/contrib/auth/tests/views.py
View
@@ -365,6 +365,14 @@ def test_security_check(self, password='password'):
self.assertTrue(good_url in response.url,
"%s should be allowed" % good_url)
+ def test_login_form_contains_request(self):
+ # 15198
+ response = self.client.post('/custom_requestauth_login/', {
+ 'username': 'testclient',
+ 'password': 'password',
+ }, follow=True)
+ # the custom authentication form used by this login asserts
+ # that a request is passed to the form successfully.
@skipIfCustomUser
class LoginURLSettings(AuthViewsTestCase):
2  django/contrib/auth/views.py
View
@@ -35,7 +35,7 @@ def login(request, template_name='registration/login.html',
redirect_to = request.REQUEST.get(redirect_field_name, '')
if request.method == "POST":
- form = authentication_form(data=request.POST)
+ form = authentication_form(request, data=request.POST)
if form.is_valid():
# Ensure the user-originating redirection url is safe.
Lorenzo

The standard usage of a "Form" is usually:

if request.method == 'POST':
    form = MyFooForm(request.POST)

Since "AuthenticationForm"'s init accepts an extra "request" parameter it becomes a little non-consistent since you have to use:

if request.method == 'POST':
    form = AuthenticationForm(data=request.POST)

Is it a necessary inconsistency?

Possible solution:

def __init__(self, *args, **kwargs):
    self.request = kwargs.pop('request', None)
    self.user_cache = None
    super(AuthenticationForm, self).__init__(*args, **kwargs)
Please sign in to comment.
Something went wrong with that request. Please try again.