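--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -248,6 +248,8 @@ def login(self, request):
 if not request.session.test_cookie_worked():
 message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
 return self.display_login_form(request, message)
+else:
+request.session.delete_test_cookie()
 # Check the password.
 username = request.POST.get('username', None)
@@ -275,7 +277,6 @@ def login(self, request):
 login(request, user)
 if request.POST.has_key('post_data'):
 post_data = _decode_post_data(request.POST['post_data'])
-request.session.delete_test_cookie()
 if post_data and not post_data.has_key(LOGIN_FORM_KEY):
 # overwrite request.POST with the saved post_data, and continue
 request.POST = post_data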
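Review bot: The `else:` added after `return self.display_login_form(request, message)` is redundant, because the `if` branch above it returns; `request.session.delete_test_cookie()` can sit at the level of the `if` with the `else:` dropped, which matches the guard-clause shape the surrounding code already uses. The same shape appears in the first hunk of django/contrib/admin/views/decorators.py. Deleting the test cookie before the password is checked also means a wrong password now consumes the cookie, so a retry relies on the re-rendered login form setting it again — presumably `display_login_form` does that, but it is outside this hunk and worth confirming. The `login` method begins and ends outside both hunks.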
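--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
@@ -74,6 +74,8 @@ def _checklogin(request, *args, **kwargs):
 if not request.session.test_cookie_worked():
 message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
 return _display_login_form(request, message)
+else:
+request.session.delete_test_cookie()
 # Check the password.
 username = request.POST.get('username', None)
@@ -105,7 +107,6 @@ def _checklogin(request, *args, **kwargs):
 request.user = user
 return view_func(request, *args, **kwargs)
 else:
-request.session.delete_test_cookie()
 return http.HttpResponseRedirect(request.get_full_path())
 else:
 return _display_login_form(request, ERROR_MESSAGE)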
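--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -274,6 +274,15 @@ def testAddView(self):
 self.failUnlessEqual(Article.objects.all().count(), 4)
 self.client.get('/test_admin/admin/logout/')
+# 8509 - if a normal user is already logged in, it is possible
+# to change user into the superuser without error
+login = self.client.login(username='joepublic', password='secret')
+# Check and make sure that if user expires, data still persists
+self.client.get('/test_admin/admin/')
+self.client.post('/test_admin/admin/', self.super_login)
+# make sure the view removes test cookie
+self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+
 def testChangeView(self):
 """Change view should restrict access and allow users to edit items."""
@@ -506,6 +515,8 @@ def test_staff_member_required_decorator_works_as_per_admin_login(self):
 self.assertRedirects(login, '/test_admin/admin/secure-view/')
 self.failIf(login.context)
 self.client.get('/test_admin/admin/logout/')
+# make sure the view removes test cookie
+self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
 # Test if user enters e-mail address
 request = self.client.get('/test_admin/admin/secure-view/')
@@ -552,3 +563,23 @@ def test_staff_member_required_decorator_works_as_per_admin_login(self):
 self.failUnlessEqual(login.status_code, 200)
 # Login.context is a list of context dicts we just need to check the first one.
 self.assert_(login.context[0].get('error_message'))
+
+# Check and make sure that if user expires, data still persists
+data = {'foo': 'bar'}
+post = self.client.post('/test_admin/admin/secure-view/', data)
+self.assertContains(post, 'Please log in again, because your session has expired.')
+self.super_login['post_data'] = _encode_post_data(data)
+post = self.client.post('/test_admin/admin/secure-view/', self.super_login)
+# make sure the view removes test cookie
+self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+self.assertContains(post, "{'foo': 'bar'}")
+self.client.get('/test_admin/admin/logout/')
+
+# 8509 - if a normal user is already logged in, it is possible
+# to change user into the superuser without error
+login = self.client.login(username='joepublic', password='secret')
+# Check and make sure that if user expires, data still persists
+self.client.get('/test_admin/admin/secure-view/')
+self.client.post('/test_admin/admin/secure-view/', self.super_login)
+# make sure the view removes test cookie
+self.failUnlessEqual(self.client.session.test_cookie_worked(), False)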
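Review bot: The comment `# Check and make sure that if user expires, data still persists` placed above `self.client.get('/test_admin/admin/')` in testAddView does not describe the lines under it, which exercise the #8509 case of a normal user (`joepublic`) already being logged in when the superuser credentials are posted; the same mis-copied comment precedes the `secure-view` variant at the end of the third hunk. I would change both to `# 8509: post the superuser credentials while joepublic is still logged in`. The result of `self.client.login(username='joepublic', password='secret')` is bound to `login` and never checked, so a failed login would silently turn the scenario into the already-covered anonymous case; `self.failUnless(self.client.login(username='joepublic', password='secret'))` pins it and matches the `failUnless*` style the file already uses. Both test methods begin outside their hunks.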
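--- a/tests/regressiontests/admin_views/views.py
+++ b/tests/regressiontests/admin_views/views.py
@@ -2,5 +2,5 @@
 from django.http import HttpResponse
 def secure_view(request):
-return HttpResponse('')
+return HttpResponse('%s' % request.POST)
 secure_view = staff_member_required(secure_view)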
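Review bot: `'%s' % request.POST` writes the raw request data into the response body under the default HTML content type, so this fixture now reflects unescaped user input; that is acceptable for a test-only view, but it is the shape of a reflected-XSS bug and should not be copied into real views. Serving it as plain text keeps the `assertContains(post, "{'foo': 'bar'}")` check in tests.py intact while making the intent explicit: `return HttpResponse('%s' % request.POST, mimetype='text/plain')`. A one-line comment such as `# test-only: echoes POST so tests can check replayed post_data` would also tell the next reader why the echo exists.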