Author: russellm
Date: 2008-08-24 01:34:18 -0500 (Sun, 24 Aug 2008)
New Revision: 8509

Modified:
   django/trunk/django/contrib/admin/sites.py
   django/trunk/django/contrib/admin/views/decorators.py
   django/trunk/tests/regressiontests/admin_views/tests.py
   django/trunk/tests/regressiontests/admin_views/views.py
Log:
Fixed #8509: Cleaned up handling of test cookies in admin logins. Thanks to 
rajeshd for the report of a problem case.

Modified: django/trunk/django/contrib/admin/sites.py
===================================================================
--- django/trunk/django/contrib/admin/sites.py  2008-08-24 05:06:17 UTC (rev 
8508)
+++ django/trunk/django/contrib/admin/sites.py  2008-08-24 06:34:18 UTC (rev 
8509)
@@ -248,6 +248,8 @@
         if not request.session.test_cookie_worked():
             message = _("Looks like your browser isn't configured to accept 
cookies. Please enable cookies, reload this page, and try again.")
             return self.display_login_form(request, message)
+        else:
+            request.session.delete_test_cookie()
 
         # Check the password.
         username = request.POST.get('username', None)
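Review bot: The `else:` introduced after `return self.display_login_form(request, message)` is dead structure — that branch has already returned, so `request.session.delete_test_cookie()` belongs at the outer level as a guard clause, and it needs a comment explaining why the cookie is now cleared before the credentials are verified, otherwise the next maintainer will move it back below `login()`. Clearing it this early also means a failed login attempt leaves the session without a test cookie; that is only harmless if `display_login_form` sets a fresh one on every render, which this hunk does not show and is worth confirming. Suggested replacement for the two added lines, at the same indent as the `if`: `# Clear the test cookie before authenticating: login() below may replace the session (presumably the user-switch case from #8509), so deleting it afterwards is not safe.` followed by `request.session.delete_test_cookie()`. The enclosing `login` method starts before and continues after this hunk.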
@@ -275,7 +277,6 @@
                 login(request, user)
                 if request.POST.has_key('post_data'):
                     post_data = _decode_post_data(request.POST['post_data'])
-                    request.session.delete_test_cookie()
                     if post_data and not post_data.has_key(LOGIN_FORM_KEY):
                         # overwrite request.POST with the saved post_data, and 
continue
                         request.POST = post_data

Modified: django/trunk/django/contrib/admin/views/decorators.py
===================================================================
--- django/trunk/django/contrib/admin/views/decorators.py       2008-08-24 
05:06:17 UTC (rev 8508)
+++ django/trunk/django/contrib/admin/views/decorators.py       2008-08-24 
06:34:18 UTC (rev 8509)
@@ -74,6 +74,8 @@
         if not request.session.test_cookie_worked():
             message = _("Looks like your browser isn't configured to accept 
cookies. Please enable cookies, reload this page, and try again.")
             return _display_login_form(request, message)
+        else:
+            request.session.delete_test_cookie()
 
         # Check the password.
         username = request.POST.get('username', None)
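Review bot: This hunk duplicates, line for line, the test-cookie logic that the same commit adds to `AdminSite.login` in sites.py, so the decorator and the admin site now carry two copies of a security-sensitive login sequence that must be kept in sync by hand; a comment pointing at the other copy is the minimum, a shared helper would be better. As in sites.py, the `else:` after a `return` is redundant and the delete can be a plain statement with a why-comment: `# Test cookie is cleared before authentication; mirror of AdminSite.login in sites.py — keep both in step.` then `request.session.delete_test_cookie()`. Deleting before the password check presumes `_display_login_form` re-sets the test cookie whenever it renders the form again; that function is outside this hunk, so please confirm. The enclosing login wrapper starts before and continues after this hunk.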
@@ -105,7 +107,6 @@
                         request.user = user
                         return view_func(request, *args, **kwargs)
                     else:
-                        request.session.delete_test_cookie()
                         return 
http.HttpResponseRedirect(request.get_full_path())
             else:
                 return _display_login_form(request, ERROR_MESSAGE)

Modified: django/trunk/tests/regressiontests/admin_views/tests.py
===================================================================
--- django/trunk/tests/regressiontests/admin_views/tests.py     2008-08-24 
05:06:17 UTC (rev 8508)
+++ django/trunk/tests/regressiontests/admin_views/tests.py     2008-08-24 
06:34:18 UTC (rev 8509)
@@ -274,6 +274,15 @@
         self.failUnlessEqual(Article.objects.all().count(), 4)
         self.client.get('/test_admin/admin/logout/')
 
+        # 8509 - if a normal user is already logged in, it is possible
+        # to change user into the superuser without error
+        login = self.client.login(username='joepublic', password='secret')
+        # Check and make sure that if user expires, data still persists
+        self.client.get('/test_admin/admin/')
+        self.client.post('/test_admin/admin/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+
     def testChangeView(self):
         """Change view should restrict access and allow users to edit items."""
 
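Review bot: The new regression block only asserts that the test cookie is gone; the return value of `self.client.login(username='joepublic', password='secret')` is assigned to `login` and never checked, and the response to posting `self.super_login` is discarded, so the test would still pass if the re-login as superuser silently failed. Add `self.failUnless(login)` after the login call and keep the POST response (`post = self.client.post(...)`) to assert on its status or redirect rather than dropping it. The comment `# Check and make sure that if user expires, data still persists` is copied from the secure-view test and does not describe this block; `# a normal user is already authenticated; now log in as the superuser` matches what the lines do. The enclosing test method continues outside this hunk.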
@@ -506,6 +515,8 @@
         self.assertRedirects(login, '/test_admin/admin/secure-view/')
         self.failIf(login.context)
         self.client.get('/test_admin/admin/logout/')
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
 
         # Test if user enters e-mail address
         request = self.client.get('/test_admin/admin/secure-view/')
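Review bot: The added `test_cookie_worked()` assertion sits after `self.client.get('/test_admin/admin/logout/')`, so if logout clears the session (as Django's auth logout does) the check is vacuous — an empty session has no test cookie regardless of what the view did. Move the two added lines above the logout request, directly after `self.failIf(login.context)`, so they actually observe the state left by the login view. The enclosing test method starts before and continues after this hunk.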
@@ -552,3 +563,23 @@
         self.failUnlessEqual(login.status_code, 200)
         # Login.context is a list of context dicts we just need to check the 
first one.
         self.assert_(login.context[0].get('error_message'))
+
+        # Check and make sure that if user expires, data still persists
+        data = {'foo': 'bar'}
+        post = self.client.post('/test_admin/admin/secure-view/', data)
+        self.assertContains(post, 'Please log in again, because your session 
has expired.')
+        self.super_login['post_data'] = _encode_post_data(data)
+        post = self.client.post('/test_admin/admin/secure-view/', 
self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
+        self.assertContains(post, "{'foo': 'bar'}")
+        self.client.get('/test_admin/admin/logout/')
+                
+        # 8509 - if a normal user is already logged in, it is possible
+        # to change user into the superuser without error
+        login = self.client.login(username='joepublic', password='secret')
+        # Check and make sure that if user expires, data still persists
+        self.client.get('/test_admin/admin/secure-view/')
+        self.client.post('/test_admin/admin/secure-view/', self.super_login)
+        # make sure the view removes test cookie
+        self.failUnlessEqual(self.client.session.test_cookie_worked(), False)
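Review bot: The `post_data` replay path is exercised only with a blob the test itself produces via `_encode_post_data(data)`; nothing checks that a tampered or hand-built `post_data` value is rejected rather than replayed into `request.POST`, which is the case a security regression would show up in. Add a negative case that posts `self.super_login` with a modified `post_data` string and asserts the response does not contain `"{'foo': 'bar'}"` (plus whatever rejection behavior `_decode_post_data` defines — it is not visible here). Smaller points in the same block: the last `# Check and make sure that if user expires, data still persists` is a copy-paste that does not describe the joepublic re-login, the `login` result is again never asserted, and the line before `# 8509 ...` is whitespace-only. The enclosing test method starts before this hunk.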

Modified: django/trunk/tests/regressiontests/admin_views/views.py
===================================================================
--- django/trunk/tests/regressiontests/admin_views/views.py     2008-08-24 
05:06:17 UTC (rev 8508)
+++ django/trunk/tests/regressiontests/admin_views/views.py     2008-08-24 
06:34:18 UTC (rev 8509)
@@ -2,5 +2,5 @@
 from django.http import HttpResponse
 
 def secure_view(request):
-    return HttpResponse('')
+    return HttpResponse('%s' % request.POST)
 secure_view = staff_member_required(secure_view)
\ No newline at end of file
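Review bot: `HttpResponse('%s' % request.POST)` reflects the submitted POST body back unescaped in the response; that is acceptable for a regression fixture but the view has no docstring saying so, and it reads like a pattern to copy. Suggested docstring: `"""Test-only view: echoes request.POST so admin_views tests can verify that saved post_data is replayed after re-login. Reflects unescaped request data — do not reuse outside tests."""`. Note the companion assertion in tests.py expects the literal `{'foo': 'bar'}`, i.e. it relies on the replayed object being a plain dict rather than a QueryDict, which renders differently; worth a comment here too. The file also still lacks a trailing newline.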

