sensitive_variables handling fails for methods

[Gabriel Hurley]

When attempting to decorate a class method with the "sensitive_variables" decorator (both with and without the "method_decorator" decorator) the expectation is that the variables will be properly filtered out.

However, that is not the case due to this line: ​https://github.com/django/django/blob/master/django/views/debug.py#L159

Since methods do not live in the global namespace, they're not found, and thereby the sensitive_variable stripping is bypassed.

This is non-obvious behavior and should either be documented or fixed to behave as expected.

[Gabriel Hurley]

It looks like checking to see if func is None, and then inspecting f_locals for "self" is a viable option to get at the decorated method, but I'm not 100% sure it's the best approach. Frame objects are painful.

That solution would look something like this: ​https://github.com/gabrielhurley/django/compare/sensitive_variables_for_methods

[Julien Phalip]

I can confirm this issue, thanks! I'm working on a patch now.

[Julien Phalip]

So I've got a patch here: ​https://github.com/django/django/pull/106

If we're good to merge it then we should also apply it to 1.4.1, as this is a bug in a security-related feature.

Any reviews welcome.

[Gabriel Hurley]

Looks good to me, Julien.

I like that approach. Nice and thorough. +1 on applying it to 1.4.1.

Thanks for carrying this one through to the end.

[Julien Phalip]

Great, thanks for the review Gabriel!
This was merged in [f699641161a4ec8b6cbee938fd3a4379e7889ff2].

[Julien Phalip <jphalip@…>]

In [4d2fdd41855e978ec5f3b8a03e8599994d7f5b70]:

[1.4.X] Fixed #18379 -- Made the sensitive_variables decorator work with object methods.