#14405 closed (wontfix)
problem in login view
Reported by: | Mehdi Bayazee | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.2 |
Severity: | | Keywords: | login |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | yes | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
If we use the Django default auth views, after logging in to the website we can reopen the login page and see this empty form.
I think the login view (django.contrib.auth.views.login) must redirect to another page if the user is already logged in.
Attachments (4)
Change History (15)
follow-up: 2 comment:1 by , 14 years ago
comment:2 by , 14 years ago
Replying to christandiono:
What's your settings.LOGIN_REDIRECT_URL? The default login view should redirect you automatically...
Yes, it works. But what happens if some user uses the login URL, or we have some links to the login page?
In this situation we can see the empty login page again!!
And I think this is a bug.
comment:4 by , 14 years ago
Has patch: | set |
---|---|
Needs tests: | set |
by , 14 years ago
Attachment: | patch-14405.3.diff added |
---|
comment:5 by , 14 years ago
But I think we must redirect the user to the redirect_to variable before any check or processing of POST data.
Redirecting to redirect_to after processing POST data may have a security issue!
So I attach a new patch that I think is better to fix this ticket.
comment:6 by , 14 years ago
Ah, that's true. A few exclusive ORs might have helped, maybe. I figured the second patch might reduce server load a bit.
by , 14 years ago
Attachment: | patch-14405.4.diff added |
---|
comment:7 by , 14 years ago
Hmm. But I think exclusive ORs are not a good idea here.
If you trace the possible states, you see that if a user is already authenticated more than one IF will be run, and if a user is not authenticated we run some IFs with exclusive ORs where in some cases the 2nd part will be executed too.
So I think using one IF check is not bad and is inevitable.
comment:8 by , 14 years ago
I'm not sure what you're saying. What, exactly, is the problem with using more than one IF statement? Due to short circuit evaluation no code will be evaluated that doesn't need to be, unless someone decides to try something funny and POSTs as an authenticated user or something else weird.
comment:10 by , 14 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
I'll mark this as wontfix, because it would be a backwards incompatible change.
Feel free to bring this up on django-dev if you believe otherwise.
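A framework-free sketch of the check order debated in comments 5 to 8, added here as an example and not taken from the ticket's patches or from Django: the authenticated-user check runs before any POST processing, and redirect_to is validated first because it comes from the request. The names `is_safe_target`, `login_decision` and `credentials_ok`, and the sample values of `LOGIN_URL`, `LOGIN_REDIRECT_URL` and `ALLOWED_HOSTS`, are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Sample values for this sketch (assumptions, not read from any project).
LOGIN_URL = "/accounts/login/"
LOGIN_REDIRECT_URL = "/accounts/profile/"
ALLOWED_HOSTS = {"example.com"}


def is_safe_target(url, allowed_hosts):
    """True if url is a local path or an http(s) URL on an allowed host."""
    if not url or "\\" in url or url.startswith("//"):
        return False  # empty, backslash tricks, scheme-relative URL
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed netloc
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.netloc in allowed_hosts
    return url.startswith("/")


def login_decision(is_authenticated, method, redirect_to, credentials_ok=False):
    """Model one request to the login URL; return (action, location)."""
    # redirect_to comes from the request, so validate it before any use.
    target = redirect_to if is_safe_target(redirect_to, ALLOWED_HOSTS) else LOGIN_REDIRECT_URL
    # A target that points back at the login page would loop forever.
    if urlsplit(target).path == LOGIN_URL:
        target = LOGIN_REDIRECT_URL
    # Authenticated users leave here: their POST data is never processed.
    if is_authenticated:
        return ("redirect", target)
    if method == "POST":
        # credentials_ok stands in for the result of form validation.
        if credentials_ok:
            return ("login_and_redirect", target)
        return ("render_form_with_errors", None)
    return ("render_form", None)


if __name__ == "__main__":
    # Constructed requests: (is_authenticated, method, redirect_to)
    for req in [(True, "GET", "/dashboard/"), (True, "POST", "https://other.example/"), (False, "GET", "")]:
        print(req, "->", login_decision(*req))
```

Because the authenticated branch returns before the POST branch, an already logged-in client that POSTs to the login URL is redirected without its form data being touched, which is the ordering comment 5 argues for.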