#10166 closed (wontfix)
Cookie test fails in login() view
| Reported by: | iakbar | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.0 |
| Severity: | Keywords: | authentication, cookie, login | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The cookie test in the django.contrib.auth.views.login() view doesn't work as expected.
The url is set up as follows.
(r'^login/$', 'django.contrib.auth.views.login')
After disabling cookies in the browser...
- the login view is called via a GET request and displays the login
template/form (the test cookie is set).
- The form is posted back to the login view (the view is supposed to check
for the test cookie and throw an error if the cookie is not found. This
check doesn't happen).
The documentation of the init method of AuthenticationForm says it
will validate that cookies are enabled only if a request is passed in
when instantiating the form. But on POST the login view doesn't pass
the request to AuthenticationForm.
Change History (7)
comment:1 by , 16 years ago
| Component: | Uncategorized → Authentication |
|---|
comment:2 by , 16 years ago
| Has patch: | set |
|---|---|
| Needs tests: | set |
comment:3 by , 16 years ago
| milestone: | → 1.1 |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:4 by , 16 years ago
form = AuthenticationForm?(data=request.POST, request=request)
will enable the cookie test again. The question is, is it intended? Won't some existing applications break? The cookie test has been virtually disabled since [7962] which removed the argument request when AuthenticationForm was created. AuthenticationForm logic is, the test cookie is being checked for if and only if the request has been passed in __init__.
comment:5 by , 16 years ago
logic is, the test cookie is being checked for if and only if the request has been passed in init.
true, but it fails out for the generic view users.
Perhaps an optional variable could be passed to django.contrib.auth.login view, f.i. 'cookie_test = False', which would either pass the request object to the form or not.
a simple one liner would do the trick then:
form = AuthenticationForm(data=request.POST, request = request) if cookie_test else AuthenticationForm(data=request.POST)
comment:6 by , 16 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Yeah, the cookie test is deliberately disabled by default in the login view, and we'll keep it that way.
The fix is simple. Line 21 of the default django.contrib.auth.views file (of the 1.0.2 release) should be :
instead of