Fixed #19327 -- Added handling of double login attempts in admin.

1 parent 6cad5f2 commit e83ea372ff3f93ef53e2d037c5277b4bc60a5eb5 @KrzysiekJ KrzysiekJ committed
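--- a/django/contrib/admin/
+++ b/django/contrib/admin/
@@ -2,8 +2,10 @@
 from django.http import Http404, HttpResponseRedirect
 from django.contrib.admin import ModelAdmin, actions
 from django.contrib.admin.forms import AdminAuthenticationForm
-from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME
+from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.contenttypes import views as contenttype_views
+from django.contrib import messages
 from django.views.decorators.csrf import csrf_protect
 from django.db.models.base import ModelBase
 from django.core.exceptions import ImproperlyConfigured
@@ -199,6 +201,16 @@ def inner(request, *args, **kwargs):
 index_path = reverse('admin:index',
 return HttpResponseRedirect(index_path)
 return self.login(request)
+if LOGIN_FORM_KEY in request.POST:
+login_form = AuthenticationForm(data=request.POST)
+# If user enters valid credentials, we want only to display a message informing him that he is already
+# logged in. Otherwise he should be logged out.
+if login_form.is_valid():
+messages.add_message(request, messages.ERROR, _('You are already logged in, as {}.').format(request.user))
+return HttpResponseRedirect(request.POST[REDIRECT_FIELD_NAME])
+else:
+auth_logout(request)
+return self.login(request)
 return view(request, *args, **kwargs)
 if not cacheable:
 inner = never_cache(inner)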
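Review bot: The valid-credentials branch in the second hunk redirects straight to `request.POST[REDIRECT_FIELD_NAME]` with no check on the value: when the login form is posted without a next field this raises KeyError, and because the value is client-supplied the view becomes an open redirect to whatever target was placed in the form. Fall back to the admin index when the field is missing, `next_url = request.POST.get(REDIRECT_FIELD_NAME) or reverse('admin:index', current_app=self.name)`, and only honour a target that is a local path (the same-host check the auth login view applies, `is_safe_url` if this tree has it) before returning `HttpResponseRedirect(next_url)`. Separately, `_('You are already logged in, as {}.').format(request.user)` relies on auto-numbered `{}` fields, which Python 2.6 rejects; `'{0}'` or `%s` interpolation avoids that if 2.6 is still supported here. The enclosing `inner` function starts and ends outside the hunk.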
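--- a/tests/regressiontests/admin_views/
+++ b/tests/regressiontests/admin_views/
@@ -972,6 +972,23 @@ def testLoginSuccessfullyRedirectsToOriginalUrl(self):
 login ='/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string)
 self.assertRedirects(login, redirect_url)
+def testDoubleLoginIsNotAllowed(self):
+"""Regression test for #19327"""
+self.client.login(username='super', password='secret')
+query_string = 'the-answer=42'
+redirect_url = '/test_admin/admin/?%s' % query_string
+new_next = {REDIRECT_FIELD_NAME: redirect_url}
+# If user provides valid credentials, a message should be displayed informing him that he is already logged in.
+login ='/test_admin/admin/', dict(self.joepublic_login, **new_next), follow=True, QUERY_STRING=query_string)
+self.assertRedirects(login, redirect_url)
+self.assertContains(login, 'You are already logged in')
+# If credentials are invalid, user should be logged out.
+login ='/test_admin/admin/', dict({LOGIN_FORM_KEY: 1, 'username': 'invalid', 'password': 'bad_password'}, **new_next), QUERY_STRING = query_string)
+self.assertEqual(login.status_code, 200)
+self.assertContains(login, ERROR_MESSAGE)
 def testAddView(self):
 """Test add view restricts access and actually adds items."""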
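Review bot: The invalid-credentials half of `testDoubleLoginIsNotAllowed` only checks for a 200 and `ERROR_MESSAGE`, which the login page would also produce if the session had not been cleared, so the test does not actually pin the logout the commit introduces; add `self.assertNotIn('_auth_user_id', self.client.session)` (the key `django.contrib.auth` exposes as `SESSION_KEY`) after the final post. The valid-credentials half likewise asserts the message but not that the session still belongs to `super` rather than `joepublic`, which is the behaviour the comment describes. As a point of style, `QUERY_STRING = query_string` in the last post should be `QUERY_STRING=query_string` to match the other calls in the hunk.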
