Changeset 8877
- Timestamp:
- 09/02/08 16:10:00 (3 months ago)
- Files:
-
- django/branches/0.91-bugfixes/django/contrib/admin/templates/admin/login.html (modified) (1 diff)
- django/branches/0.91-bugfixes/django/contrib/admin/views/decorators.py (modified) (5 diffs)
- django/branches/0.95-bugfixes/django/contrib/admin/templates/admin/login.html (modified) (1 diff)
- django/branches/0.95-bugfixes/django/contrib/admin/views/decorators.py (modified) (5 diffs)
- django/branches/0.96-bugfixes/django/contrib/admin/templates/admin/login.html (modified) (1 diff)
- django/branches/0.96-bugfixes/django/contrib/admin/views/decorators.py (modified) (5 diffs)
- django/trunk/django/contrib/admin/sites.py (modified) (5 diffs)
- django/trunk/django/contrib/admin/templates/admin/login.html (modified) (1 diff)
- django/trunk/django/contrib/admin/views/decorators.py (modified) (6 diffs)
- django/trunk/tests/regressiontests/admin_views/tests.py (modified) (5 diffs)
django/branches/0.91-bugfixes/django/contrib/admin/templates/admin/login.html
r1068 r8877 18 18 <label for="id_password">{% trans 'Password:' %}</label> <input type="password" name="password" id="id_password" /> 19 19 <input type="hidden" name="this_is_the_login_form" value="1" /> 20 <input type="hidden" name="post_data" value="{{ post_data }}" />{% comment %} <span class="help">{% trans 'Have you <a href="/password_reset/">forgotten your password</a>?' %}</span>{% endcomment %}21 20 </p> 22 21 django/branches/0.91-bugfixes/django/contrib/admin/views/decorators.py
r7529 r8877 5 5 from django.utils.html import escape 6 6 from django.utils.translation import gettext_lazy 7 import base64, datetime, md5 8 import cPickle as pickle 7 import base64, datetime 9 8 10 9 ERROR_MESSAGE = gettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.") … … 13 12 def _display_login_form(request, error_message=''): 14 13 request.session.set_test_cookie() 15 if request.POST and request.POST.has_key('post_data'):16 # User has failed login BUT has previously saved post data.17 post_data = request.POST['post_data']18 elif request.POST:19 # User's session must have expired; save their post data.20 post_data = _encode_post_data(request.POST)21 else:22 post_data = _encode_post_data({})23 14 return render_to_response('admin/login', { 24 15 'title': _('Log in'), 25 16 'app_path': escape(request.path), 26 'post_data': post_data,27 17 'error_message': error_message 28 18 }, context_instance=DjangoContext(request)) 29 30 def _encode_post_data(post_data):31 pickled = pickle.dumps(post_data)32 pickled_md5 = md5.new(pickled + SECRET_KEY).hexdigest()33 return base64.encodestring(pickled + pickled_md5)34 35 def _decode_post_data(encoded_data):36 encoded_data = base64.decodestring(encoded_data)37 pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]38 if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:39 from django.core.exceptions import SuspiciousOperation40 raise SuspiciousOperation, "User may have tampered with session cookie."41 return pickle.loads(pickled)42 19 43 20 def staff_member_required(view_func): … … 49 26 if not request.user.is_anonymous() and request.user.is_staff: 50 27 # The user is valid. Continue to the admin page. 
51 if request.POST.has_key('post_data'):52 # User must have re-authenticated through a different window53 # or tab.54 request.POST = _decode_post_data(request.POST['post_data'])55 28 return view_func(request, *args, **kwargs) 56 29 … … 60 33 if not request.POST.has_key(LOGIN_FORM_KEY): 61 34 if request.POST: 62 message = _("Please log in again, because your session has expired. Don't worry: Your submission has been saved.")35 message = _("Please log in again, because your session has expired.") 63 36 else: 64 37 message = "" … … 92 65 user.last_login = datetime.datetime.now() 93 66 user.save() 94 if request.POST.has_key('post_data'): 95 post_data = _decode_post_data(request.POST['post_data']) 96 if post_data and not post_data.has_key(LOGIN_FORM_KEY): 97 # overwrite request.POST with the saved post_data, and continue 98 request.POST = post_data 99 request.user = user 100 return view_func(request, *args, **kwargs) 101 else: 102 request.session.delete_test_cookie() 103 return httpwrappers.HttpResponseRedirect(request.path) 67 return httpwrappers.HttpResponseRedirect(request.path) 104 68 else: 105 69 return _display_login_form(request, ERROR_MESSAGE) django/branches/0.95-bugfixes/django/contrib/admin/templates/admin/login.html
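Review bot: `import base64, datetime` on new line 7 still brings in `base64` even though its only visible users, `_encode_post_data` and `_decode_post_data`, are deleted in this change; unless something outside the hunks still uses it, the line should become `import datetime`. The same leftover appears in the 0.95 and 0.96 `decorators.py` (`import base64, datetime`) and as `import base64` at line 1 of trunk `sites.py` and trunk `decorators.py`. A dead import of the module that used to carry client-supplied serialized state is also a small invitation to reintroduce that pattern later, so it is worth removing while the reason is fresh. Separately, the expired-session branch (`if request.POST: message = _("Please log in again, because your session has expired.")`) would benefit from a one-line comment recording the decision, e.g. `# The original POST is deliberately dropped: replaying client-supplied serialized state on re-login was removed, so the user must resubmit.`. The enclosing inner function of `staff_member_required` starts and ends outside the visible hunks.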
r3415 r8877 20 20 <label for="id_password">{% trans 'Password:' %}</label> <input type="password" name="password" id="id_password" /> 21 21 <input type="hidden" name="this_is_the_login_form" value="1" /> 22 <input type="hidden" name="post_data" value="{{ post_data }}" /> {% comment %}<span class="help">{% trans 'Have you <a href="/password_reset/">forgotten your password</a>?' %}</span>{% endcomment %}23 22 </div> 24 23 <div class="submit-row"> django/branches/0.95-bugfixes/django/contrib/admin/views/decorators.py
r7528 r8877 6 6 from django.utils.html import escape 7 7 from django.utils.translation import gettext_lazy 8 import base64, datetime, md5 9 import cPickle as pickle 8 import base64, datetime 10 9 11 10 ERROR_MESSAGE = gettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.") … … 14 13 def _display_login_form(request, error_message=''): 15 14 request.session.set_test_cookie() 16 if request.POST and request.POST.has_key('post_data'):17 # User has failed login BUT has previously saved post data.18 post_data = request.POST['post_data']19 elif request.POST:20 # User's session must have expired; save their post data.21 post_data = _encode_post_data(request.POST)22 else:23 post_data = _encode_post_data({})24 15 return render_to_response('admin/login.html', { 25 16 'title': _('Log in'), 26 17 'app_path': escape(request.path), 27 'post_data': post_data,28 18 'error_message': error_message 29 19 }, context_instance=template.RequestContext(request)) 30 31 def _encode_post_data(post_data):32 pickled = pickle.dumps(post_data)33 pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()34 return base64.encodestring(pickled + pickled_md5)35 36 def _decode_post_data(encoded_data):37 encoded_data = base64.decodestring(encoded_data)38 pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]39 if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:40 from django.core.exceptions import SuspiciousOperation41 raise SuspiciousOperation, "User may have tampered with session cookie."42 return pickle.loads(pickled)43 20 44 21 def staff_member_required(view_func): … … 50 27 if request.user.is_authenticated() and request.user.is_staff: 51 28 # The user is valid. Continue to the admin page. 
52 if request.POST.has_key('post_data'):53 # User must have re-authenticated through a different window54 # or tab.55 request.POST = _decode_post_data(request.POST['post_data'])56 29 return view_func(request, *args, **kwargs) 57 30 … … 61 34 if not request.POST.has_key(LOGIN_FORM_KEY): 62 35 if request.POST: 63 message = _("Please log in again, because your session has expired. Don't worry: Your submission has been saved.")36 message = _("Please log in again, because your session has expired.") 64 37 else: 65 38 message = "" … … 94 67 user.last_login = datetime.datetime.now() 95 68 user.save() 96 if request.POST.has_key('post_data'): 97 post_data = _decode_post_data(request.POST['post_data']) 98 if post_data and not post_data.has_key(LOGIN_FORM_KEY): 99 # overwrite request.POST with the saved post_data, and continue 100 request.POST = post_data 101 request.user = user 102 return view_func(request, *args, **kwargs) 103 else: 104 request.session.delete_test_cookie() 105 return http.HttpResponseRedirect(request.path) 69 return http.HttpResponseRedirect(request.path) 106 70 else: 107 71 return _display_login_form(request, ERROR_MESSAGE) django/branches/0.96-bugfixes/django/contrib/admin/templates/admin/login.html
r3931 r8877 20 20 <label for="id_password">{% trans 'Password:' %}</label> <input type="password" name="password" id="id_password" /> 21 21 <input type="hidden" name="this_is_the_login_form" value="1" /> 22 <input type="hidden" name="post_data" value="{{ post_data }}" /> {#<span class="help">{% trans 'Have you <a href="/password_reset/">forgotten your password</a>?' %}</span>#}23 22 </div> 24 23 <div class="submit-row"> django/branches/0.96-bugfixes/django/contrib/admin/views/decorators.py
r7527 r8877 6 6 from django.utils.html import escape 7 7 from django.utils.translation import gettext_lazy 8 import base64, datetime, md5 9 import cPickle as pickle 8 import base64, datetime 10 9 11 10 ERROR_MESSAGE = gettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.") … … 14 13 def _display_login_form(request, error_message=''): 15 14 request.session.set_test_cookie() 16 if request.POST and request.POST.has_key('post_data'):17 # User has failed login BUT has previously saved post data.18 post_data = request.POST['post_data']19 elif request.POST:20 # User's session must have expired; save their post data.21 post_data = _encode_post_data(request.POST)22 else:23 post_data = _encode_post_data({})24 15 return render_to_response('admin/login.html', { 25 16 'title': _('Log in'), 26 17 'app_path': escape(request.path), 27 'post_data': post_data,28 18 'error_message': error_message 29 19 }, context_instance=template.RequestContext(request)) 30 31 def _encode_post_data(post_data):32 pickled = pickle.dumps(post_data)33 pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()34 return base64.encodestring(pickled + pickled_md5)35 36 def _decode_post_data(encoded_data):37 encoded_data = base64.decodestring(encoded_data)38 pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]39 if md5.new(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:40 from django.core.exceptions import SuspiciousOperation41 raise SuspiciousOperation, "User may have tampered with session cookie."42 return pickle.loads(pickled)43 20 44 21 def staff_member_required(view_func): … … 50 27 if request.user.is_authenticated() and request.user.is_staff: 51 28 # The user is valid. Continue to the admin page. 
52 if request.POST.has_key('post_data'):53 # User must have re-authenticated through a different window54 # or tab.55 request.POST = _decode_post_data(request.POST['post_data'])56 29 return view_func(request, *args, **kwargs) 57 30 … … 61 34 if not request.POST.has_key(LOGIN_FORM_KEY): 62 35 if request.POST: 63 message = _("Please log in again, because your session has expired. Don't worry: Your submission has been saved.")36 message = _("Please log in again, because your session has expired.") 64 37 else: 65 38 message = "" … … 94 67 user.last_login = datetime.datetime.now() 95 68 user.save() 96 if request.POST.has_key('post_data'): 97 post_data = _decode_post_data(request.POST['post_data']) 98 if post_data and not post_data.has_key(LOGIN_FORM_KEY): 99 # overwrite request.POST with the saved post_data, and continue 100 request.POST = post_data 101 request.user = user 102 return view_func(request, *args, **kwargs) 103 else: 104 request.session.delete_test_cookie() 105 return http.HttpResponseRedirect(request.path) 69 return http.HttpResponseRedirect(request.path) 106 70 else: 107 71 return _display_login_form(request, ERROR_MESSAGE) django/trunk/django/contrib/admin/sites.py
r8679 r8877 1 1 import base64 2 import cPickle as pickle3 2 import re 4 5 3 from django import http, template 6 4 from django.contrib.admin import ModelAdmin … … 25 23 pass 26 24 27 def _encode_post_data(post_data):28 pickled = pickle.dumps(post_data)29 pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()30 return base64.encodestring(pickled + pickled_md5)31 32 def _decode_post_data(encoded_data):33 encoded_data = base64.decodestring(encoded_data)34 pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]35 if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:36 from django.core.exceptions import SuspiciousOperation37 raise SuspiciousOperation, "User may have tampered with session cookie."38 return pickle.loads(pickled)39 40 25 class AdminSite(object): 41 26 """ … … 240 225 if not request.POST.has_key(LOGIN_FORM_KEY): 241 226 if request.POST: 242 message = _("Please log in again, because your session has expired. Don't worry: Your submission has been saved.")227 message = _("Please log in again, because your session has expired.") 243 228 else: 244 229 message = "" … … 276 261 if user.is_active and user.is_staff: 277 262 login(request, user) 278 if request.POST.has_key('post_data'): 279 post_data = _decode_post_data(request.POST['post_data']) 280 if post_data and not post_data.has_key(LOGIN_FORM_KEY): 281 # overwrite request.POST with the saved post_data, and continue 282 request.POST = post_data 283 request.user = user 284 return self.root(request, request.path.split(self.root_path)[-1]) 285 else: 286 return http.HttpResponseRedirect(request.get_full_path()) 263 return http.HttpResponseRedirect(request.get_full_path()) 287 264 else: 288 265 return self.display_login_form(request, ERROR_MESSAGE) … … 346 323 def display_login_form(self, request, error_message='', extra_context=None): 347 324 request.session.set_test_cookie() 348 if request.POST and request.POST.has_key('post_data'):349 # User has failed login BUT 
has previously saved post data.350 post_data = request.POST['post_data']351 elif request.POST:352 # User's session must have expired; save their post data.353 post_data = _encode_post_data(request.POST)354 else:355 post_data = _encode_post_data({})356 357 325 context = { 358 326 'title': _('Log in'), 359 327 'app_path': request.get_full_path(), 360 'post_data': post_data,361 328 'error_message': error_message, 362 329 'root_path': self.root_path, django/trunk/django/contrib/admin/templates/admin/login.html
r7967 r8877 22 22 <label for="id_password">{% trans 'Password:' %}</label> <input type="password" name="password" id="id_password" /> 23 23 <input type="hidden" name="this_is_the_login_form" value="1" /> 24 <input type="hidden" name="post_data" value="{{ post_data }}" /> {#<span class="help">{% trans 'Have you <a href="/password_reset/">forgotten your password</a>?' %}</span>#}25 24 </div> 26 25 <div class="submit-row"> django/trunk/django/contrib/admin/views/decorators.py
r8509 r8877 1 1 import base64 2 import cPickle as pickle3 2 try: 4 3 from functools import wraps … … 12 11 from django.shortcuts import render_to_response 13 12 from django.utils.translation import ugettext_lazy, ugettext as _ 14 from django.utils.hashcompat import md5_constructor15 13 16 14 ERROR_MESSAGE = ugettext_lazy("Please enter a correct username and password. Note that both fields are case-sensitive.") … … 19 17 def _display_login_form(request, error_message=''): 20 18 request.session.set_test_cookie() 21 if request.POST and 'post_data' in request.POST:22 # User has failed login BUT has previously saved post data.23 post_data = request.POST['post_data']24 elif request.POST:25 # User's session must have expired; save their post data.26 post_data = _encode_post_data(request.POST)27 else:28 post_data = _encode_post_data({})29 19 return render_to_response('admin/login.html', { 30 20 'title': _('Log in'), 31 21 'app_path': request.get_full_path(), 32 'post_data': post_data,33 22 'error_message': error_message 34 23 }, context_instance=template.RequestContext(request)) 35 36 def _encode_post_data(post_data):37 pickled = pickle.dumps(post_data)38 pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()39 return base64.encodestring(pickled + pickled_md5)40 41 def _decode_post_data(encoded_data):42 encoded_data = base64.decodestring(encoded_data)43 pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]44 if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:45 from django.core.exceptions import SuspiciousOperation46 raise SuspiciousOperation, "User may have tampered with session cookie."47 return pickle.loads(pickled)48 24 49 25 def staff_member_required(view_func): … … 55 31 if request.user.is_authenticated() and request.user.is_staff: 56 32 # The user is valid. Continue to the admin page. 
57 if 'post_data' in request.POST:58 # User must have re-authenticated through a different window59 # or tab.60 request.POST = _decode_post_data(request.POST['post_data'])61 33 return view_func(request, *args, **kwargs) 62 34 … … 66 38 if LOGIN_FORM_KEY not in request.POST: 67 39 if request.POST: 68 message = _("Please log in again, because your session has expired. Don't worry: Your submission has been saved.")40 message = _("Please log in again, because your session has expired.") 69 41 else: 70 42 message = "" … … 99 71 if user.is_active and user.is_staff: 100 72 login(request, user) 101 # TODO: set last_login with an event. 102 if 'post_data' in request.POST: 103 post_data = _decode_post_data(request.POST['post_data']) 104 if post_data and LOGIN_FORM_KEY not in post_data: 105 # overwrite request.POST with the saved post_data, and continue 106 request.POST = post_data 107 request.user = user 108 return view_func(request, *args, **kwargs) 109 else: 110 return http.HttpResponseRedirect(request.get_full_path()) 73 return http.HttpResponseRedirect(request.get_full_path()) 111 74 else: 112 75 return _display_login_form(request, ERROR_MESSAGE) django/trunk/tests/regressiontests/admin_views/tests.py
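Review bot: The `# TODO: set last_login with an event.` comment at old line 101 disappears together with the `post_data` block, although it annotated `login(request, user)`, which this change keeps; if the TODO is still open it should remain on the line after `login(request, user)`, and if it was intentionally resolved that is worth stating in the commit. I cannot tell from the hunk whether `login()` already records `last_login`, so treat this as a question rather than a defect. The enclosing inner function of `staff_member_required` starts and ends outside the visible hunks.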
r8704 r8877 5 5 from django.contrib.contenttypes.models import ContentType 6 6 from django.contrib.admin.models import LogEntry 7 from django.contrib.admin.sites import LOGIN_FORM_KEY , _encode_post_data7 from django.contrib.admin.sites import LOGIN_FORM_KEY 8 8 from django.contrib.admin.util import quote 9 9 from django.utils.html import escape … … 137 137 138 138 # login POST dicts 139 self.super_login = { 'post_data': _encode_post_data({}),139 self.super_login = { 140 140 LOGIN_FORM_KEY: 1, 141 141 'username': 'super', 142 142 'password': 'secret'} 143 self.super_email_login = { 'post_data': _encode_post_data({}),143 self.super_email_login = { 144 144 LOGIN_FORM_KEY: 1, 145 145 'username': 'super@example.com', 146 146 'password': 'secret'} 147 self.super_email_bad_login = { 'post_data': _encode_post_data({}),147 self.super_email_bad_login = { 148 148 LOGIN_FORM_KEY: 1, 149 149 'username': 'super@example.com', 150 150 'password': 'notsecret'} 151 self.adduser_login = { 'post_data': _encode_post_data({}),151 self.adduser_login = { 152 152 LOGIN_FORM_KEY: 1, 153 153 'username': 'adduser', 154 154 'password': 'secret'} 155 self.changeuser_login = { 'post_data': _encode_post_data({}),155 self.changeuser_login = { 156 156 LOGIN_FORM_KEY: 1, 157 157 'username': 'changeuser', 158 158 'password': 'secret'} 159 self.deleteuser_login = { 'post_data': _encode_post_data({}),159 self.deleteuser_login = { 160 160 LOGIN_FORM_KEY: 1, 161 161 'username': 'deleteuser', 162 162 'password': 'secret'} 163 self.joepublic_login = { 'post_data': _encode_post_data({}),163 self.joepublic_login = { 164 164 LOGIN_FORM_KEY: 1, 165 165 'username': 'joepublic', … … 272 272 self.client.get('/test_admin/admin/logout/') 273 273 274 # Check and make sure that if user expires, data still persists275 post = self.client.post('/test_admin/admin/admin_views/article/add/', add_dict)276 self.assertContains(post, 'Please log in again, because your session has expired.')277 self.super_login['post_data'] = 
_encode_post_data(add_dict)278 post = self.client.post('/test_admin/admin/admin_views/article/add/', self.super_login)279 # make sure the view removes test cookie280 self.failUnlessEqual(self.client.session.test_cookie_worked(), False)281 self.assertRedirects(post, '/test_admin/admin/admin_views/article/')282 self.failUnlessEqual(Article.objects.all().count(), 4)283 self.client.get('/test_admin/admin/logout/')284 285 274 # 8509 - if a normal user is already logged in, it is possible 286 275 # to change user into the superuser without error … … 490 479 def setUp(self): 491 480 # login POST dicts 492 self.super_login = { 'post_data': _encode_post_data({}),481 self.super_login = { 493 482 LOGIN_FORM_KEY: 1, 494 483 'username': 'super', 495 484 'password': 'secret'} 496 self.super_email_login = { 'post_data': _encode_post_data({}),485 self.super_email_login = { 497 486 LOGIN_FORM_KEY: 1, 498 487 'username': 'super@example.com', 499 488 'password': 'secret'} 500 self.super_email_bad_login = { 'post_data': _encode_post_data({}),489 self.super_email_bad_login = { 501 490 LOGIN_FORM_KEY: 1, 502 491 'username': 'super@example.com', 503 492 'password': 'notsecret'} 504 self.adduser_login = { 'post_data': _encode_post_data({}),493 self.adduser_login = { 505 494 LOGIN_FORM_KEY: 1, 506 495 'username': 'adduser', 507 496 'password': 'secret'} 508 self.changeuser_login = { 'post_data': _encode_post_data({}),497 self.changeuser_login = { 509 498 LOGIN_FORM_KEY: 1, 510 499 'username': 'changeuser', 511 500 'password': 'secret'} 512 self.deleteuser_login = { 'post_data': _encode_post_data({}),501 self.deleteuser_login = { 513 502 LOGIN_FORM_KEY: 1, 514 503 'username': 'deleteuser', 515 504 'password': 'secret'} 516 self.joepublic_login = { 'post_data': _encode_post_data({}),505 self.joepublic_login = { 517 506 LOGIN_FORM_KEY: 1, 518 507 'username': 'joepublic', … … 598 587 self.assert_(login.context[0].get('error_message')) 599 588 600 # Check and make sure that if user expires, 
data still persists601 data = {'foo': 'bar'}602 post = self.client.post('/test_admin/admin/secure-view/', data)603 self.assertContains(post, 'Please log in again, because your session has expired.')604 self.super_login['post_data'] = _encode_post_data(data)605 post = self.client.post('/test_admin/admin/secure-view/', self.super_login)606 # make sure the view removes test cookie607 self.failUnlessEqual(self.client.session.test_cookie_worked(), False)608 self.assertContains(post, "{'foo': 'bar'}")609 self.client.get('/test_admin/admin/logout/')610 611 589 # 8509 - if a normal user is already logged in, it is possible 612 590 # to change user into the superuser without error
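Review bot: With both `# Check and make sure that if user expires, data still persists` tests deleted (old lines 274–284 and 600–610), nothing in this file now asserts the replacement behaviour, so a later change could reintroduce a POST-replay mechanism without any test noticing. A minimal regression test would POST `add_dict` to `/test_admin/admin/admin_views/article/add/` while logged out, assert the response contains `Please log in again, because your session has expired.`, then log in with `self.super_login` and assert `Article.objects.all().count()` is unchanged and the login POST is answered with a redirect rather than by executing the add view. A companion test on `/test_admin/admin/secure-view/` could send `self.super_login` with an extra `'post_data'` key and assert the response does not contain `{'foo': 'bar'}`, pinning that the field is now ignored (assuming the secure view still echoes its POST, as the deleted `assertContains` implies).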
