#18923 closed Bug (fixed)
user admin sensitive_post_parameters needs method_decorator
Reported by: | zbohm | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | cmawebsite@…, timograham@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
Decorator sensitive_post_parameters does not work with class method and method_decorator(sensitive_post_parameters)
also does not help.
contrib/auth/admin.py (excerpt of UserAdmin; the final `raise` is the reporter's addition to force the debug page):

```python
from django.contrib import admin
from django.core.exceptions import PermissionDenied
from django.shortcuts import get_object_or_404
from django.views.decorators.debug import sensitive_post_parameters


class UserAdmin(admin.ModelAdmin):
    # Applied directly to a method, so the wrapper receives ``self`` where it
    # expects the request and the POST parameters are never marked sensitive.
    @sensitive_post_parameters()
    def user_change_password(self, request, id, form_url=''):
        if not self.has_change_permission(request):
            raise PermissionDenied
        user = get_object_or_404(self.queryset(request), pk=id)
        if request.method == 'POST':
            raise Exception("Show me the debug page.")
```

does not hide the POST parameters in the output:

Variable | Value
---|---
password_form | u'1'
csrfmiddlewaretoken | u'BC3JzQcQAUlhnEGKwykvJfNfRCN28NA2'
old_password | u'oldpassword'
new_password1 | u'newpassword'
new_password2 | u'newpassword'
Attachments (3)
Change History (13)
by , 12 years ago
Attachment: | 0001-Fixed-18923-Add-decorator-sensitive_post_parameters_.patch added |
---|---|
comment:1 by , 12 years ago
Has patch: | set |
---|---|
by , 12 years ago
Attachment: | 0001-Ticket-18923-Add-test-for-ensitive_post_parameters.patch added |
---|---|
comment:2 by , 12 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:3 by , 11 years ago
Cc: | added |
---|---|
Easy pickings: | set |
Has patch: | unset |
Resolution: | invalid |
Status: | closed → new |
Summary: | Decorator sensitive_post_parameters does not work with class method → user admin sensitive_post_parameters needs method_decorator |
Version: | 1.4 → master |
You are correct that sensitive_post_parameters does not work with class methods, and you did correctly conclude that method_decorator(sensitive_post_parameters) works correctly. But you also correctly noticed that this is not working for user admin: https://github.com/django/django/blob/master/django/contrib/auth/admin.py. We need to change these two cases from @sensitive_post_parameters() to @method_decorator(sensitive_post_parameters()).
by , 11 years ago
Attachment: | 18923.diff added |
---|---|
comment:4 by , 11 years ago
Cc: | added |
---|---|
Has patch: | set |
Triage Stage: | Unreviewed → Accepted |
Is it ok to add an assertion to detect misuse of the decorator (see patch)?
comment:6 by , 11 years ago
That wouldn't work -- for one thing, it would prevent GET requests. It's also less specific than the isinstance check. A view always (as far as I can think) receives an HttpRequest as the first argument. In the case where method_decorator isn't used, sensitive_post_parameters receives the class of the method that's being decorated, which would cause the assertion to fail.
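A runnable illustration of the problem described in comment:3 and the check discussed in comment:6, added here as an example (it is not Django's code and not part of the attached patches): the request class, the decorator, the `method_decorator` adapter and the `redact` helper are simplified stand-ins that model the behaviour, and the `isinstance` check models the one comment:6 refers to.

```python
import functools

class HttpRequest:                      # constructed stand-in for django.http.HttpRequest
    def __init__(self, post):
        self.POST = dict(post)

def sensitive_post_parameters(*parameters):
    """Simplified model of the Django decorator: mark POST keys to redact."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            # A function view always gets the request first; a bare method gets
            # ``self`` here instead, so the marker would land on the admin object
            # and the debug page would print the passwords in clear. The check
            # turns that silent failure into a loud one.
            if not isinstance(request, HttpRequest):
                raise TypeError("sensitive_post_parameters didn't receive an "
                                "HttpRequest; use method_decorator on methods")
            request.sensitive_post_parameters = parameters or "__ALL__"
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

def method_decorator(decorator):
    """Simplified stand-in for django.utils.decorators.method_decorator:
    hide ``self`` from a function-view decorator by decorating a bound call."""
    def _dec(method):
        @functools.wraps(method)
        def _wrapper(self, *args, **kwargs):
            def bound_view(request, *a, **kw):
                return method(self, request, *a, **kw)
            return decorator(bound_view)(*args, **kwargs)
        return _wrapper
    return _dec

def redact(request):
    """What the technical 500 page does with the marker: mask marked keys."""
    marked = getattr(request, "sensitive_post_parameters", ())
    if marked == "__ALL__":
        marked = request.POST.keys()
    return {k: ("********" if k in marked else v) for k, v in request.POST.items()}

class BrokenAdmin:                      # the pattern the ticket reports
    @sensitive_post_parameters()
    def user_change_password(self, request, user_id):
        return redact(request)

class FixedAdmin:                       # the pattern the fix introduces
    @method_decorator(sensitive_post_parameters())
    def user_change_password(self, request, user_id):
        return redact(request)

def change_password(admin_cls):
    # Constructed POST body mirroring the reporter's debug-page dump.
    req = HttpRequest({"old_password": "oldpassword", "new_password1": "newpassword"})
    try:
        return admin_cls().user_change_password(req, 1)
    except TypeError as exc:
        return str(exc)
```

Without the check, `change_password(BrokenAdmin)` would return the plaintext values, which is exactly what the reporter's debug page showed.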
comment:7 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
It is possible to use method_decorator. I have used it the wrong way in the previous case.

tests/regressiontests/views/views.py:

```python
sensitive_variables('sauce')
sensitive_post_parameters("password", "secret-key")
```