Fixed #19327 -- Added handling of double login attempts in admin. #545


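--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -2,8 +2,10 @@
 from django.http import Http404, HttpResponseRedirect
 from django.contrib.admin import ModelAdmin, actions
 from django.contrib.admin.forms import AdminAuthenticationForm
-from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME
+from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.contenttypes import views as contenttype_views
+from django.contrib import messages
 from django.views.decorators.csrf import csrf_protect
 from django.db.models.base import ModelBase
 from django.core.exceptions import ImproperlyConfigured
@@ -199,6 +201,16 @@ def inner(request, *args, **kwargs):
 index_path = reverse('admin:index', current_app=self.name)
 return HttpResponseRedirect(index_path)
 return self.login(request)
+ if LOGIN_FORM_KEY in request.POST:
+ login_form = AuthenticationForm(data=request.POST)
+ # If user enters valid credentials, we want only to display a message informing him that he is already
+ # logged in. Otherwise he should be logged out.
+ if login_form.is_valid():
+ messages.add_message(request, messages.ERROR, _('You are already logged in, as {}.').format(request.user))
+ return HttpResponseRedirect(request.POST[REDIRECT_FIELD_NAME])
+ else:
+ auth_logout(request)
+ return self.login(request)
 return view(request, *args, **kwargs)
 if not cacheable:
 inner = never_cache(inner)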
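Review bot: The redirect target on the `return HttpResponseRedirect(request.POST[REDIRECT_FIELD_NAME])` line is taken straight from the POST body with no validation, so a crafted form submission can send an already-authenticated admin to an arbitrary external URL, and a POST that omits the field raises KeyError (a 500) instead of falling back to the admin index. The target should be checked with `django.utils.http.is_safe_url` (if it is available on this branch; otherwise the equivalent same-host check) and default to `reverse('admin:index', current_app=self.name)`, mirroring the branch just above it; that import would go with the other additions in the first hunk. Two smaller points on the same hunk: `_('You are already logged in, as {}.')` uses an auto-numbered placeholder, which needs `{0}` if the branch still supports Python 2.6, and an informational "already logged in" notice is added at `messages.ERROR` level where `messages.INFO` seems intended. `inner` begins outside the hunk, and `LOGIN_FORM_KEY` and `_` are assumed to already be in scope in sites.py.

```python
                if login_form.is_valid():
                    messages.add_message(request, messages.INFO, _('You are already logged in, as {0}.').format(request.user))
                    redirect_to = request.POST.get(REDIRECT_FIELD_NAME, '')
                    # Only follow a same-host target; anything else falls back to the admin index.
                    if not is_safe_url(url=redirect_to, host=request.get_host()):
                        redirect_to = reverse('admin:index', current_app=self.name)
                    return HttpResponseRedirect(redirect_to)
                # … unchanged: logout branch …
```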
17 tests/regressiontests/admin_views/tests.py
@@ -972,6 +972,23 @@ def testLoginSuccessfullyRedirectsToOriginalUrl(self):
login = self.client.post('/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string)
self.assertRedirects(login, redirect_url)
+ def testDoubleLoginIsNotAllowed(self):
+ """Regression test for #19327"""
+ self.client.login(username='super', password='secret')
+ query_string = 'the-answer=42'
+ redirect_url = '/test_admin/admin/?%s' % query_string
+ new_next = {REDIRECT_FIELD_NAME: redirect_url}
+
+ # If user provides valid credentials, a message should be displayed informing him that he is already logged in.
+ login = self.client.post('/test_admin/admin/', dict(self.joepublic_login, **new_next), follow=True, QUERY_STRING=query_string)
+ self.assertRedirects(login, redirect_url)
+ self.assertContains(login, 'You are already logged in')
+
+ # If credentials are invalid, user should be logged out.
+ login = self.client.post('/test_admin/admin/', dict({LOGIN_FORM_KEY: 1, 'username': 'invalid', 'password': 'bad_password'}, **new_next), QUERY_STRING = query_string)
+ self.assertEqual(login.status_code, 200)
+ self.assertContains(login, ERROR_MESSAGE)
+
def testAddView(self):
"""Test add view restricts access and actually adds items."""
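Review bot: The second POST in `testDoubleLoginIsNotAllowed` only checks that `ERROR_MESSAGE` is rendered; it never verifies that the session was actually cleared, which is the behaviour the fix introduces, so a regression that re-renders the login page without calling `auth_logout` would still pass. Add `self.assertNotIn('_auth_user_id', self.client.session)` after the `status_code` assertion, or follow up with a GET to the admin index and assert the login form is shown. The first POST submits a valid login for a different user (`joepublic_login`) while `super` is logged in, so a comment such as `# The existing 'super' session must survive; only a notice is shown.` would make the intended outcome explicit. Style: `QUERY_STRING = query_string` should be `QUERY_STRING=query_string` per PEP 8, and `ERROR_MESSAGE`, `LOGIN_FORM_KEY` and `REDIRECT_FIELD_NAME` are assumed to be imported earlier in the module, outside the hunk.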