Ticket #18923: 18923.diff

django/contrib/auth/admin.py

@@ -17 +17 @@
 from django.views.decorators.debug import sensitive_post_parameters
 
 csrf_protect_m = method_decorator(csrf_protect)
+sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
 
 
 class GroupAdmin(admin.ModelAdmin):
@@ -87 +88 @@
             return False
         return super(UserAdmin, self).lookup_allowed(lookup, value)
 
-    @sensitive_post_parameters()
+    @sensitive_post_parameters_m
     @csrf_protect_m
     @transaction.atomic
     def add_view(self, request, form_url='', extra_context=None):
@@ -118 +119 @@
         return super(UserAdmin, self).add_view(request, form_url,
                                                extra_context)
 
-    @sensitive_post_parameters()
+    @sensitive_post_parameters_m
     def user_change_password(self, request, id, form_url=''):
         if not self.has_change_permission(request):
             raise PermissionDenied

django/views/decorators/debug.py

@@ -1 +1 @@
 import functools
 
+from django.http import HttpRequest
+
 
 def sensitive_variables(*variables):
     """
@@ -62 +64 @@
     def decorator(view):
         @functools.wraps(view)
         def sensitive_post_parameters_wrapper(request, *args, **kwargs):
+            assert isinstance(request, HttpRequest), (
+              "sensitive_post_parameters didn't receive an HttpRequest. If you "
+              "are decorating a classmethod, be sure to use @method_decorator."
+            )
             if parameters:
                 request.sensitive_post_parameters = parameters
             else: