Opened 41 hours ago

Last modified 33 hours ago

#36717 assigned Bug

Admin login should redirect already logged-in users to page specified in next parameter

Reported by: Benedict Etzel Owned by: Benedict Etzel
Component: contrib.admin Version: 5.2
Severity: Normal Keywords:
Cc: Benedict Etzel Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The admin login page at /admin/login/ ignores the ?next= parameter when an already logged-in user visits the page. This differs from the behaviour when the user logs in on the admin login page itself, where they are redirected to the page indicated in the parameter.

Background

When visiting the contrib.admin, the AdminSite.login method redirects logged-out users to a URL that looks like this: /admin/login/?next=/admin/my_app/my_model/. The next field (which is the value of contrib.auth.REDIRECT_FIELD_NAME) is then used to populate a hidden field login form (contrib.auth.LoginView).
After signing in, the contrib.auth.RedirectURLMixin of the LoginView redirects the user to the initially requested URL.

However, sometimes may re-visit /admin/login/?next=/admin/my_app/my_model/ when they're already signed in. For example:

  • by signing in to the site in another tab
  • by using the browser's back button
  • by following a bookmark
  • after custom authenticating overriding admin.site.login (a good example is django-allauth's secure_django_login https://docs.allauth.org/en/dev/common/admin.html that redirects visitors to /admin/login/ to a custom login and then back to /admin/login/. Even though it keeps next intact, Django will always redirect the - already logged-in - user back to the admin index)

Currently, AdminSite.login method disregards any next param in the URL for logged-in staff users and always redirects these to admin:index. This is slightly annoying because the user could be redirected these to the requested URL instead.

To reproduce:

  1. Sign out of your Django instance
  2. Manually open an admin deeplink such as /admin/my_app/my_model/, which should redirect to /admin/login/?next=/my_app/my_model/
  3. In another tab, sign in to your Django instance as staff
  4. Back in the original tab, refresh the page. Observe how you are sent to /admin/, instead of /admin/my_app/my_model/

Possible fix:

AdminSite.login could respect the redirect URL, and should probably run checks like contrib.auth.views.RedirectURLMixin (specifically get_redirect_url), to ensure that the URL is safe. I don't think there's a security issue here where somebody malicious links an admin to /admin/login/?next=/attacker-provider, because the attacker could already link a user directly to that page (or to the login form that then redirects the admin to the page).

I'm assigning this to myself for now to "claim" implementing this. I already have a working prototype locally.

Attachments (1)

test.diff (849 bytes ) - added by Benedict Etzel 33 hours ago.

Download all attachments as: .zip

Change History (3)

comment:1 by Benedict Etzel, 41 hours ago

Cc: Benedict Etzel added

by Benedict Etzel, 33 hours ago

Attachment: test.diff added

comment:2 by Benedict Etzel, 33 hours ago

I've attached the failing test case. I'll be working on this over in https://github.com/beheh/django/tree/ticket_36717.

Note: See TracTickets for help on using tickets.
Back to Top