Django

Code

root/django/trunk/django/contrib/admin/views/decorators.py

Revision 8877, 3.4 kB (checked in by jacob, 10 months ago)

Security fix. Announcement forthcoming.

  • Property svn:eol-style set to native
Line 
1 import base64
2 try:
3     from functools import wraps
4 except ImportError:
5     from django.utils.functional import wraps  # Python 2.3, 2.4 fallback.
6
7 from django import http, template
8 from django.conf import settings
9 from django.contrib.auth.models import User
10 from django.contrib.auth import authenticate, login
11 from django.shortcuts import render_to_response
12 from django.utils.translation import ugettext_lazy, ugettext as _
13
14 ERROR_MESSAGE = ugettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.")
15 LOGIN_FORM_KEY = 'this_is_the_login_form'
16
17 def _display_login_form(request, error_message=''):
18     request.session.set_test_cookie()
19     return render_to_response('admin/login.html', {
20         'title': _('Log in'),
21         'app_path': request.get_full_path(),
22         'error_message': error_message
23     }, context_instance=template.RequestContext(request))
24
25 def staff_member_required(view_func):
26     """
27     Decorator for views that checks that the user is logged in and is a staff
28     member, displaying the login page if necessary.
29     """
30     def _checklogin(request, *args, **kwargs):
31         if request.user.is_authenticated() and request.user.is_staff:
32             # The user is valid. Continue to the admin page.
33             return view_func(request, *args, **kwargs)
34
35         assert hasattr(request, 'session'), "The Django admin requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
36
37         # If this isn't already the login page, display it.
38         if LOGIN_FORM_KEY not in request.POST:
39             if request.POST:
40                 message = _("Please log in again, because your session has expired.")
41             else:
42                 message = ""
43             return _display_login_form(request, message)
44
45         # Check that the user accepts cookies.
46         if not request.session.test_cookie_worked():
47             message = _("Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.")
48             return _display_login_form(request, message)
49         else:
50             request.session.delete_test_cookie()
51
52         # Check the password.
53         username = request.POST.get('username', None)
54         password = request.POST.get('password', None)
55         user = authenticate(username=username, password=password)
56         if user is None:
57             message = ERROR_MESSAGE
58             if '@' in username:
59                 # Mistakenly entered e-mail address instead of username? Look it up.
60                 users = list(User.objects.filter(email=username))
61                 if len(users) == 1 and users[0].check_password(password):
62                     message = _("Your e-mail address is not your username. Try '%s' instead.") % users[0].username
63                 else:
64                     # Either we cannot find the user, or if more than 1
65                     # we cannot guess which user is the correct one.
66                     message = _("Usernames cannot contain the '@' character.")
67             return _display_login_form(request, message)
68
69         # The user data is correct; log in the user in and continue.
70         else:
71             if user.is_active and user.is_staff:
72                 login(request, user)
73                 return http.HttpResponseRedirect(request.get_full_path())
74             else:
75                 return _display_login_form(request, ERROR_MESSAGE)
76
77     return wraps(view_func)(_checklogin)
Note: See TracBrowser for help on using the browser.