From 27b0077a4800ed88ff057e9ad8b35ac7f3c8b908 Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Sun, 24 Aug 2008 06:34:18 +0000
Subject: [PATCH] Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to rajeshd for the report of a problem case.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8509 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/admin/sites.py              |  3 ++-
 django/contrib/admin/views/decorators.py   |  3 ++-
 tests/regressiontests/admin_views/tests.py | 31 ++++++++++++++++++++++
 tests/regressiontests/admin_views/views.py |  2 +-
 4 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py
index 4aa6975407..9c5a5f17af 100644
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -248,6 +248,8 @@ class AdminSite(object):
         if not request.session.test_cookie_worked():
             message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
             return self.display_login_form(request, message)
+        else:
+            request.session.delete_test_cookie()
 
         # Check the password.
         username = request.POST.get('username', None)
@@ -275,7 +277,6 @@ class AdminSite(object):
                 login(request, user)
                 if request.POST.has_key('post_data'):
                     post_data = _decode_post_data(request.POST['post_data'])
-                    request.session.delete_test_cookie()
                     if post_data and not post_data.has_key(LOGIN_FORM_KEY):
                         # overwrite request.POST with the saved post_data, and continue
                         request.POST = post_data
diff --git a/django/contrib/admin/views/decorators.py b/django/contrib/admin/views/decorators.py
index 4b36e3ffa2..f3c63ff70c 100644
--- a/django/contrib/admin/views/decorators.py
+++ b/django/contrib/admin/views/decorators.py
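Review bot: The added `else:` hangs off a branch that always returns, so the deletion can stand at the guard's own indent as `request.session.delete_test_cookie()` with no `else:`, which also reads as the unconditional "consume the cookie proof" step it is. Moving the deletion ahead of the password check also means a wrong password now leaves the session with no test cookie; `display_login_form` is outside the hunk, so confirm it calls `set_test_cookie()` on that error path, otherwise the user's retry would be rejected with the cookies message instead of the password one. The tests added in this commit only exercise successful logins, so an assertion for the retry-after-bad-password path would pin that behaviour. `AdminSite.login` starts and ends outside the hunk.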
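Review bot: `request.POST['post_data']` is client-controlled and, once `login()` has run, its decoded form replaces `request.POST` and is handed on as if the freshly authenticated staff user had submitted it; `_decode_post_data` is not in the hunk, so confirm it verifies a SECRET_KEY-bound integrity tag before deserialising and that it only ever returns a mapping, since the following `post_data.has_key` would raise on anything else. A one-line comment above the call would make that trust boundary visible at the call site: `# post_data is a client-supplied round-trip of the original POST; _decode_post_data must reject tampered payloads`. The enclosing method continues outside the hunk.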
@@ -74,6 +74,8 @@ def staff_member_required(view_func):
         if not request.session.test_cookie_worked():
             message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
             return _display_login_form(request, message)
+        else:
+            request.session.delete_test_cookie()
 
         # Check the password.
         username = request.POST.get('username', None)
@@ -105,7 +107,6 @@ def staff_member_required(view_func):
                     request.user = user
                     return view_func(request, *args, **kwargs)
                 else:
-                    request.session.delete_test_cookie()
                     return http.HttpResponseRedirect(request.get_full_path())
             else:
                 return _display_login_form(request, ERROR_MESSAGE)
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index 16961adeab..c0cc94599d 100644
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -274,6 +274,15 @@ class AdminViewPermissionsTest(TestCase):
         self.failUnlessEqual(Article.objects.all().count(), 4)
         self.client.get('/test_admin/admin/logout/')
 
+        # 8509 - if a normal user is already logged in, it is possible
+        # to change user into the superuser without error
+        login = self.client.login(username='joepublic', password='secret')
+        # Check and make sure that if user expires, data still persists
+        self.client.get('/test_admin/admin/')
+        self.client.post('/test_admin/admin/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+
     def testChangeView(self):
         """Change view should restrict access and allow users to edit items."""
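Review bot: This is the same `else:`-after-`return` shape as the `AdminSite.login` hunk in this commit, and the same question applies: `_display_login_form` is outside the hunk, so confirm it re-sets the test cookie when the password check below fails, because the cookie is now consumed before `authenticate` runs. Drop the `else:` and leave `request.session.delete_test_cookie()` at the guard's indent. That this commit had to apply an identical fix in two files is a sign the cookie-then-password flow in `staff_member_required` and `AdminSite.login` should live in one shared helper so the two copies cannot drift again. The wrapped function's body continues outside the hunk.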
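Review bot: The block's comment promises that an already-logged-in normal user can be switched to the superuser "without error", but the only assertion is that the test cookie is gone: the `login` result is assigned and never checked, and the response to the superuser POST is discarded. Pin the claim with `self.failUnless(self.client.login(username='joepublic', password='secret'))` and keep the response, e.g. `response = self.client.post('/test_admin/admin/', self.super_login)` followed by an assertion on its status code or redirect target. The copied comment `# Check and make sure that if user expires, data still persists` does not describe this block and should be removed.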
@@ -506,6 +515,8 @@ class SecureViewTest(TestCase):
         self.assertRedirects(login, '/test_admin/admin/secure-view/')
         self.failIf(login.context)
         self.client.get('/test_admin/admin/logout/')
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
 
         # Test if user enters e-mail address
         request = self.client.get('/test_admin/admin/secure-view/')
@@ -552,3 +563,23 @@ class SecureViewTest(TestCase):
         self.failUnlessEqual(login.status_code, 200)
         # Login.context is a list of context dicts we just need to check the first one.
         self.assert_(login.context[0].get('error_message'))
+
+        # Check and make sure that if user expires, data still persists
+        data = {'foo': 'bar'}
+        post = self.client.post('/test_admin/admin/secure-view/', data)
+        self.assertContains(post, 'Please log in again, because your session has expired.')
+        self.super_login['post_data'] = _encode_post_data(data)
+        post = self.client.post('/test_admin/admin/secure-view/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+        self.assertContains(post, "{'foo': 'bar'}")
+        self.client.get('/test_admin/admin/logout/')
+
+        # 8509 - if a normal user is already logged in, it is possible
+        # to change user into the superuser without error
+        login = self.client.login(username='joepublic', password='secret')
+        # Check and make sure that if user expires, data still persists
+        self.client.get('/test_admin/admin/secure-view/')
+        self.client.post('/test_admin/admin/secure-view/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
diff --git a/tests/regressiontests/admin_views/views.py b/tests/regressiontests/admin_views/views.py
index f1c7889d56..732b2535b9 100644
--- a/tests/regressiontests/admin_views/views.py
+++ b/tests/regressiontests/admin_views/views.py
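Review bot: `self.super_login['post_data'] = _encode_post_data(data)` mutates the shared fixture in place, and the 8509 block further down reuses `self.super_login`, so that second login also carries the replayed `{'foo': 'bar'}` POST rather than the plain user switch its comment describes; whether `super_login` is rebuilt per test or shared at class level is not visible here, but either way the later block is not testing what it says. Build a copy instead, `login_data = dict(self.super_login, post_data=_encode_post_data(data))`, and post that (assuming `super_login` is a plain dict). As in the earlier tests hunk, the `login` result and the final POST response are never asserted on, so the "without error" claim is unverified.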
@@ -2,5 +2,5 @@ from django.contrib.admin.views.decorators import staff_member_required
 from django.http import HttpResponse
 
 def secure_view(request):
-    return HttpResponse('')
+    return HttpResponse('%s' % request.POST)
 secure_view = staff_member_required(secure_view)
\ No newline at end of file