Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #18923 -- Corrected usage of sensitive_post_parameters in contr…

…ib.auth

Thanks Collin Anderson for the report.

Backport of 425d076 from master
  • Loading branch information...
commit 75d2bcda10f00366e6d847f2c90db3e772433e46 1 parent cca302c
@timgraham timgraham authored
Showing with 10 additions and 3 deletions.
  1. +4 −3 django/contrib/auth/admin.py
  2. +6 −0 django/views/decorators/debug.py
View
7 django/contrib/auth/admin.py
@@ -17,6 +17,8 @@
from django.views.decorators.debug import sensitive_post_parameters
csrf_protect_m = method_decorator(csrf_protect)
+sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
+
class GroupAdmin(admin.ModelAdmin):
search_fields = ('name',)
@@ -83,7 +85,7 @@ def get_urls(self):
self.admin_site.admin_view(self.user_change_password))
) + super(UserAdmin, self).get_urls()
- @sensitive_post_parameters()
+ @sensitive_post_parameters_m
@csrf_protect_m
@transaction.commit_on_success
def add_view(self, request, form_url='', extra_context=None):
@@ -113,7 +115,7 @@ def add_view(self, request, form_url='', extra_context=None):
return super(UserAdmin, self).add_view(request, form_url,
extra_context)
- @sensitive_post_parameters()
+ @sensitive_post_parameters_m
def user_change_password(self, request, id, form_url=''):
if not self.has_change_permission(request):
raise PermissionDenied
@@ -170,4 +172,3 @@ def response_add(self, request, obj, post_url_continue='../%s/'):
admin.site.register(Group, GroupAdmin)
admin.site.register(User, UserAdmin)
-
View
6 django/views/decorators/debug.py
@@ -1,5 +1,7 @@
import functools
+from django.http import HttpRequest
+
def sensitive_variables(*variables):
"""
@@ -62,6 +64,10 @@ def my_view(request)
def decorator(view):
@functools.wraps(view)
def sensitive_post_parameters_wrapper(request, *args, **kwargs):
+ assert isinstance(request, HttpRequest), (
+ "sensitive_post_parameters didn't receive an HttpRequest. If you "
+ "are decorating a classmethod, be sure to use @method_decorator."
+ )
if parameters:
request.sensitive_post_parameters = parameters
else:
Please sign in to comment.
Something went wrong with that request. Please try again.