

Fixed #19327 -- Added handling of double login attempts in admin.
Thanks to Krzysztof Jurewicz for initial patch and
adupin for tests.
dericcrago authored and ptone committed Mar 19, 2013
1 parent 5180e40 commit 9d6ecc6
Showing 3 changed files with 32 additions and 3 deletions.
1 change: 1 addition & 0 deletions AUTHORS
Expand Up @@ -606,6 +606,7 @@ answer newbie questions, and generally made Django that much better:
Jarek Zgoda <jarek.zgoda@gmail.com>
Cheng Zhang
Hannes Struß <x@hannesstruss.de>
Deric Crago <deric.crago@gmail.com>

A big THANK YOU goes to:

4 changes: 3 additions & 1 deletion django/contrib/admin/sites.py
Expand Up @@ -2,7 +2,7 @@
from django.http import Http404, HttpResponseRedirect
from django.contrib.admin import ModelAdmin, actions
from django.contrib.admin.forms import AdminAuthenticationForm
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME
from django.contrib.contenttypes import views as contenttype_views
from django.views.decorators.csrf import csrf_protect
from django.db.models.base import ModelBase
Expand Down Expand Up @@ -193,6 +193,8 @@ def get_urls(self):
cacheable=True.
"""
def inner(request, *args, **kwargs):
if LOGIN_FORM_KEY in request.POST and request.user.is_authenticated():
auth_logout(request)
if not self.has_permission(request):
if request.path == reverse('admin:logout',
current_app=self.name):
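Review bot: The new `auth_logout(request)` at the top of `inner` runs before the posted credentials are checked, so a failed second login (the non-admin case the added test exercises) silently terminates the existing admin session, and any authenticated POST to any `admin_view`-wrapped URL that happens to carry `LOGIN_FORM_KEY` will do the same. Whether a forged cross-site POST can trigger that logout depends on `csrf_protect` being applied to `inner` further down in `admin_view`, which is outside this hunk; a view registered as `csrf_exempt` would presumably skip that protection. I would document the reliance directly above the check: `# Drop any existing session before re-authenticating so a second login cannot reuse it; csrf_protect (applied below) is what stops a forged POST from forcing this logout, and a wrong password still ends the current session.` `LOGIN_FORM_KEY` is not among the imports changed in the first hunk, so it is presumably a module-level constant defined earlier in sites.py. Both `inner` and the enclosing `admin_view` continue outside the hunk.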
30 changes: 28 additions & 2 deletions tests/admin_views/tests.py
Expand Up @@ -6,7 +6,7 @@
import datetime
try:
from urllib.parse import urljoin
except ImportError: # Python 2
except ImportError: # Python 2
from urlparse import urljoin

from django.conf import settings, global_settings
Expand Down Expand Up @@ -981,6 +981,32 @@ def testLoginSuccessfullyRedirectsToOriginalUrl(self):
login = self.client.post('/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string)
self.assertRedirects(login, redirect_url)

def testDoubleLoginIsNotAllowed(self):
"""Regression test for #19327"""
response = self.client.get('/test_admin/admin/')
self.assertEqual(response.status_code, 200)

# Establish a valid admin session
login = self.client.post('/test_admin/admin/', self.super_login)
self.assertRedirects(login, '/test_admin/admin/')
self.assertFalse(login.context)

# Logging in with non-admin user fails
login = self.client.post('/test_admin/admin/', self.joepublic_login)
self.assertEqual(login.status_code, 200)
self.assertContains(login, ERROR_MESSAGE)

# Establish a valid admin session
login = self.client.post('/test_admin/admin/', self.super_login)
self.assertRedirects(login, '/test_admin/admin/')
self.assertFalse(login.context)

# Logging in with admin user while already logged in
login = self.client.post('/test_admin/admin/', self.super_login)
self.assertRedirects(login, '/test_admin/admin/')
self.assertFalse(login.context)
self.client.get('/test_admin/admin/logout/')

def testAddView(self):
"""Test add view restricts access and actually adds items."""

Expand Down Expand Up @@ -2547,7 +2573,7 @@ def test_changelist_view(self):
self.assertNotContains(response, 'Primary key = %s' % i)

def test_changelist_view_count_queries(self):
#create 2 Person objects
# create 2 Person objects
Person.objects.create(name='person1', gender=1)
Person.objects.create(name='person2', gender=2)

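Review bot: `testDoubleLoginIsNotAllowed` never checks that the second login actually replaced the first session; the final block under `# Logging in with admin user while already logged in` asserts only the redirect and an empty context, which an unchanged, still-logged-in admin would pass just as well. Capturing `first_key = self.client.session.session_key` after the preceding `super_login` post and adding `self.assertNotEqual(self.client.session.session_key, first_key)` after the double login would pin the regression, since `auth_logout` flushes the session before `login()` re-authenticates (I believe both rotate the key on this Django version; confirm). Likewise, after the failed `joepublic_login` post, a `self.client.get('/test_admin/admin/')` asserting that the login page rather than the index comes back would show the earlier admin session was dropped and not merely the bad credentials rejected. The enclosing test class starts outside the hunk.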
