fix: mark passwords as sensitive POST data

Closes #1893, closes #1869
stephenmcd · Sep 24, 2021 · c0c3d76 · c0c3d76
1 parent 872b0cd
commit c0c3d76
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/mezzanine/accounts/views.py b/mezzanine/accounts/views.py
@@ -7,6 +7,7 @@
 from django.template.response import TemplateResponse
 from django.urls import NoReverseMatch, get_script_prefix
 from django.utils.translation import gettext_lazy as _
+from django.views.decorators.debug import sensitive_post_parameters
 
 from mezzanine.accounts import get_profile_form
 from mezzanine.accounts.forms import LoginForm, PasswordResetForm
@@ -17,6 +18,7 @@
 User = get_user_model()
 
 
+@sensitive_post_parameters("password")
 def login(
     request,
     template="accounts/account_login.html",
@@ -46,6 +48,7 @@ def logout(request):
     return redirect(next_url(request) or get_script_prefix())
 
 
+@sensitive_post_parameters("password1", "password2")
 def signup(request, template="accounts/account_signup.html", extra_context=None):
     """
     Signup form.
@@ -132,6 +135,7 @@ def account_redirect(request):
     return redirect("profile_update")
 
 
+@sensitive_post_parameters("password1", "password2")
 @login_required
 def profile_update(
     request, template="accounts/account_profile_update.html", extra_context=None