Opened 4 years ago

Closed 3 years ago

#17216 closed Bug (duplicate)

Django contrib login view does not pass request to auth form on POST

Reported by: Zaar Hai <haizaar@…> Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords: auth, login
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Django auth login view pass request to auth form constructor on only on GET and not on POST.
I need this on post as well because it will enables doing additional validation in custom supplied auth form.

So how about the attached patch?

Attachments (1) (2.2 KB) - added by Zaar Hai <haizaar@…> 4 years ago.

Download all attachments as: .zip

Change History (6)

Changed 4 years ago by Zaar Hai <haizaar@…>

comment:1 Changed 4 years ago by ptone

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

Sending the request to the standard AuthenticationForm assumes that you have cookies enabled as it will trigger a cookie capability check. However the default session backend is the database backend, not the cookie backend. So changing the default behavior of the view to pass the request would break sites that don't require cookies, with browsers with cookies disabled.

Since you are already providing a customized auth form - the solution in this case is just to provide your own login view as well

comment:2 Changed 4 years ago by ptone

  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Triage Stage changed from Unreviewed to Accepted
  • Version changed from 1.3 to SVN

actually going to reverse myself here - while the default backend may be db - the cookie is still required for the sessionid - and in fact cookies are required for django auth to work.

So the entire code path that checks for cookies is not being used right now because of the missing request.

There are some other changes in the attached patch that don't seem to make sense, and new tests are needed - but this is a valid issue beyond just the need for access to the request.

Basically if you disable cookies - you will currently never get the error that cookies are required to login.

comment:3 Changed 4 years ago by ptone

The current patch does not seem to be against trunk - also see for comments on the use of data=request.POST or None

comment:4 Changed 3 years ago by aaugustin

  • Status changed from reopened to new

comment:5 Changed 3 years ago by chass

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #15198

Note: See TracTickets for help on using tickets.
Back to Top