Opened 13 years ago

Closed 13 years ago

Last modified 12 years ago

#14405 closed (wontfix)

problem in login view

Reported by: Mehdi Bayazee
Owned by: nobody
Component: contrib.auth
Version: 1.2
Severity:
Keywords: login
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If we use the Django default auth views, after logging in to the website we can reopen the login page and see the empty form.

I think the login view (django.contrib.auth.views.login) must redirect to another page if the user is already logged in.

Attachments (4)

patch-14405.diff (2.1 KB) - added by Chris Tandiono 13 years ago.
    patch
patch-14405.2.diff (1.6 KB) - added by Chris Tandiono 13 years ago.
    Actually I like this patch a little better.
patch-14405.3.diff (1.8 KB) - added by Mehdi Bayazee 13 years ago.
patch-14405.4.diff (1.7 KB) - added by Chris Tandiono 13 years ago.


Change History (15)

comment:1 by Chris Tandiono, 13 years ago

What's your settings.LOGIN_REDIRECT_URL? The default login view should redirect you automatically...

in reply to:  1 comment:2 by Mehdi Bayazee, 13 years ago

Replying to christandiono:

What's your settings.LOGIN_REDIRECT_URL? The default login view should redirect you automatically...

Yes, it works. But what happens if some users use the login URL, or we have some links to the login page?
In this situation we can see the empty login page again!!
And I think this is a bug.

by Chris Tandiono, 13 years ago

Attachment: patch-14405.diff added

patch

comment:3 by Chris Tandiono, 13 years ago

Hmm, so it does. This patch would seem to fix it...

by Chris Tandiono, 13 years ago

Attachment: patch-14405.2.diff added

Actually I like this patch a little better.

comment:4 by anonymous, 13 years ago

Has patch: set
Needs tests: set

by Mehdi Bayazee, 13 years ago

Attachment: patch-14405.3.diff added

comment:5 by Mehdi Bayazee, 13 years ago

But I think we must redirect the user to the redirect_to variable before any check or processing of POST data.
Redirecting to redirect_to after processing POST data may have a security issue!
So I am attaching a new patch that I think is a better fix for this ticket.

comment:6 by Chris Tandiono, 13 years ago

Ah, that's true. A few exclusive ORs might have helped, maybe. I figured the second patch might reduce server load a bit.

by Chris Tandiono, 13 years ago

Attachment: patch-14405.4.diff added

comment:7 by Mehdi Bayazee, 13 years ago

Hmm. But I think exclusive ORs are not a good idea here.
If you trace the possible states, you see that if a user is already authenticated, more than one IF will be run, and if a user is not authenticated, we run some IFs with exclusive ORs where in some cases the 2nd part will be executed too.
So I think using one IF check is not bad and is inevitable.

comment:8 by Chris Tandiono, 13 years ago

I'm not sure what you're saying. What, exactly, is the problem with using more than one IF statement? Due to short circuit evaluation no code will be evaluated that doesn't need to be, unless someone decides to try something funny and POSTs as an authenticated user or something else weird.

comment:9 by Mehdi Bayazee, 13 years ago

Hmm.
Yes, I rechecked your code and I think it's better.
:D ;)

comment:10 by rasca, 13 years ago

Resolution: wontfix
Status: new → closed

I'll mark this as wontfix, because it would be a backwards incompatible change.

Feel free to bring this up on django-dev if you believe otherwise.

comment:11 by Jacob, 12 years ago

milestone: 1.3

Milestone 1.3 deleted
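
An added illustration of the ordering discussed in comment:5 through comment:8 (not code from the attached patches or from Django itself): the authenticated check runs before any POST data is touched, and redirect_to is validated before it is used. The names handle_login, safe_redirect_target, ALLOWED_HOSTS and the authenticate callable are hypothetical, and example.com is a constructed host.

```python
from urllib.parse import urlsplit

LOGIN_REDIRECT_URL = "/accounts/profile/"  # Django's documented default
ALLOWED_HOSTS = {"example.com"}            # constructed sample host (assumption)


def safe_redirect_target(redirect_to, allowed_hosts=ALLOWED_HOSTS):
    """Return redirect_to only if it stays on this site, else the default."""
    # Reject empty values, whitespace/control characters and backslashes,
    # which browsers may normalise into a different host than we parsed.
    if not redirect_to or "\\" in redirect_to:
        return LOGIN_REDIRECT_URL
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in redirect_to):
        return LOGIN_REDIRECT_URL
    try:
        parts = urlsplit(redirect_to)
    except ValueError:  # e.g. malformed IPv6 literal
        return LOGIN_REDIRECT_URL
    if not parts.scheme and not parts.netloc:
        # Local path: must start with exactly one slash ("//host" and
        # "///host" are treated as another host by browsers).
        ok = redirect_to.startswith("/") and not redirect_to.startswith("//")
    else:
        # Absolute URL: http(s) only, and the parsed host must be ours.
        ok = parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    return redirect_to if ok else LOGIN_REDIRECT_URL


def handle_login(method, is_authenticated, redirect_to, post=None, authenticate=None):
    """Decide what the login URL does for one request.

    Returns (action, location). `authenticate` stands in for credential
    checking and is only called for unauthenticated POST requests.
    """
    target = safe_redirect_target(redirect_to)
    # Already logged in: leave before looking at any submitted data.
    if is_authenticated:
        return ("redirect", target)
    if method == "POST":
        if authenticate(post or {}):
            return ("redirect", target)
        return ("form_with_errors", None)
    return ("empty_form", None)


if __name__ == "__main__":
    print(handle_login("GET", True, "/dashboard/"))
    print(handle_login("GET", True, "//evil.example/"))
```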
