	Fixed #19327 -- Added handling of double login attempts in admin.
Thanks to Krzysztof Jurewicz for initial patch and adupin for tests.
					committed by
					
						 Preston Holmes
						Preston Holmes
					
				
			
			
				
	
			
			
			
						parent
						
							5180e40bee
						
					
				
				
					commit
					9d6ecc6bc6
				
			
							
								
								
									
										1
									
								
								AUTHORS
									
									
									
									
									
								
							
							
						
						
									
										1
									
								
								AUTHORS
									
									
									
									
									
								
							| @@ -606,6 +606,7 @@ answer newbie questions, and generally made Django that much better: | |||||||
|     Jarek Zgoda <jarek.zgoda@gmail.com> |     Jarek Zgoda <jarek.zgoda@gmail.com> | ||||||
|     Cheng Zhang |     Cheng Zhang | ||||||
|     Hannes Struß <x@hannesstruss.de> |     Hannes Struß <x@hannesstruss.de> | ||||||
|  |     Deric Crago <deric.crago@gmail.com> | ||||||
|  |  | ||||||
| A big THANK YOU goes to: | A big THANK YOU goes to: | ||||||
|  |  | ||||||
|   | |||||||
| @@ -2,7 +2,7 @@ from functools import update_wrapper | |||||||
| from django.http import Http404, HttpResponseRedirect | from django.http import Http404, HttpResponseRedirect | ||||||
| from django.contrib.admin import ModelAdmin, actions | from django.contrib.admin import ModelAdmin, actions | ||||||
| from django.contrib.admin.forms import AdminAuthenticationForm | from django.contrib.admin.forms import AdminAuthenticationForm | ||||||
| from django.contrib.auth import REDIRECT_FIELD_NAME | from django.contrib.auth import logout as auth_logout, REDIRECT_FIELD_NAME | ||||||
| from django.contrib.contenttypes import views as contenttype_views | from django.contrib.contenttypes import views as contenttype_views | ||||||
| from django.views.decorators.csrf import csrf_protect | from django.views.decorators.csrf import csrf_protect | ||||||
| from django.db.models.base import ModelBase | from django.db.models.base import ModelBase | ||||||
| @@ -193,6 +193,8 @@ class AdminSite(object): | |||||||
|         cacheable=True. |         cacheable=True. | ||||||
|         """ |         """ | ||||||
|         def inner(request, *args, **kwargs): |         def inner(request, *args, **kwargs): | ||||||
|  |             if LOGIN_FORM_KEY in request.POST and request.user.is_authenticated(): | ||||||
|  |                 auth_logout(request) | ||||||
|             if not self.has_permission(request): |             if not self.has_permission(request): | ||||||
|                 if request.path == reverse('admin:logout', |                 if request.path == reverse('admin:logout', | ||||||
|                                            current_app=self.name): |                                            current_app=self.name): | ||||||
|   | |||||||
| @@ -981,6 +981,32 @@ class AdminViewPermissionsTest(TestCase): | |||||||
|         login = self.client.post('/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string) |         login = self.client.post('/test_admin/admin/', dict(self.super_login, **new_next), QUERY_STRING=query_string) | ||||||
|         self.assertRedirects(login, redirect_url) |         self.assertRedirects(login, redirect_url) | ||||||
|  |  | ||||||
|  |     def testDoubleLoginIsNotAllowed(self): | ||||||
|  |         """Regression test for #19327""" | ||||||
|  |         response = self.client.get('/test_admin/admin/') | ||||||
|  |         self.assertEqual(response.status_code, 200) | ||||||
|  |  | ||||||
|  |         # Establish a valid admin session | ||||||
|  |         login = self.client.post('/test_admin/admin/', self.super_login) | ||||||
|  |         self.assertRedirects(login, '/test_admin/admin/') | ||||||
|  |         self.assertFalse(login.context) | ||||||
|  |  | ||||||
|  |         # Logging in with non-admin user fails | ||||||
|  |         login = self.client.post('/test_admin/admin/', self.joepublic_login) | ||||||
|  |         self.assertEqual(login.status_code, 200) | ||||||
|  |         self.assertContains(login, ERROR_MESSAGE) | ||||||
|  |  | ||||||
|  |         # Establish a valid admin session | ||||||
|  |         login = self.client.post('/test_admin/admin/', self.super_login) | ||||||
|  |         self.assertRedirects(login, '/test_admin/admin/') | ||||||
|  |         self.assertFalse(login.context) | ||||||
|  |  | ||||||
|  |         # Logging in with admin user while already logged in | ||||||
|  |         login = self.client.post('/test_admin/admin/', self.super_login) | ||||||
|  |         self.assertRedirects(login, '/test_admin/admin/') | ||||||
|  |         self.assertFalse(login.context) | ||||||
|  |         self.client.get('/test_admin/admin/logout/') | ||||||
|  |  | ||||||
|     def testAddView(self): |     def testAddView(self): | ||||||
|         """Test add view restricts access and actually adds items.""" |         """Test add view restricts access and actually adds items.""" | ||||||
|  |  | ||||||
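Review bot: `testDoubleLoginIsNotAllowed` only observes the fix indirectly — the error message after the non-admin POST and the redirect after the repeated superuser POST prove the login view handled the request, not that the prior admin session was flushed — so a later change that rendered the login form while leaving the old session in place would not be caught. Add an explicit session assertion between the failed login and the re-login, e.g. `self.assertNotIn(SESSION_KEY, self.client.session)` with `SESSION_KEY` imported from `django.contrib.auth`, and around the final superuser POST capture `self.client.session.session_key` before and after and `assertNotEqual` them to show the session was actually replaced rather than reused. The docstring could also say what "not allowed" means in practice, e.g. `"""A login-form POST while authenticated logs the current user out first (#19327)."""`. The enclosing test class continues outside the hunk; `testAddView` at the end is context only.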
|   | |||||||