Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth

Thanks Collin Anderson for the report. Backport of 425d076d0c from master
2013-08-02 14:46:17 -04:00 · 2013-08-02 14:46:17 -04:00 · 75d2bcda10
commit 75d2bcda10
parent cca302cde6
2 changed files with 10 additions and 3 deletions
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@ -17,6 +17,8 @@ from django.views.decorators.csrf import csrf_protect
 from django.views.decorators.debug import sensitive_post_parameters

 csrf_protect_m = method_decorator(csrf_protect)
+sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
+

 class GroupAdmin(admin.ModelAdmin):
    search_fields = ('name',)
@ -83,7 +85,7 @@ class UserAdmin(admin.ModelAdmin):
             self.admin_site.admin_view(self.user_change_password))
        ) + super(UserAdmin, self).get_urls()

-    @sensitive_post_parameters()
+    @sensitive_post_parameters_m
    @csrf_protect_m
    @transaction.commit_on_success
    def add_view(self, request, form_url='', extra_context=None):
@ -113,7 +115,7 @@ class UserAdmin(admin.ModelAdmin):
        return super(UserAdmin, self).add_view(request, form_url,
                                               extra_context)

-    @sensitive_post_parameters()
+    @sensitive_post_parameters_m
    def user_change_password(self, request, id, form_url=''):
        if not self.has_change_permission(request):
            raise PermissionDenied
@ -170,4 +172,3 @@ class UserAdmin(admin.ModelAdmin):

 admin.site.register(Group, GroupAdmin)
 admin.site.register(User, UserAdmin)
-
--- a/django/views/decorators/debug.py
+++ b/django/views/decorators/debug.py
@ -1,5 +1,7 @@
 import functools

+from django.http import HttpRequest
+

 def sensitive_variables(*variables):
    """
@ -62,6 +64,10 @@ def sensitive_post_parameters(*parameters):
    def decorator(view):
        @functools.wraps(view)
        def sensitive_post_parameters_wrapper(request, *args, **kwargs):
+            assert isinstance(request, HttpRequest), (
+              "sensitive_post_parameters didn't receive an HttpRequest. If you "
+              "are decorating a classmethod, be sure to use @method_decorator."
+            )
            if parameters:
                request.sensitive_post_parameters = parameters
            else: