#18923 closed Bug (fixed)
user admin sensitive_post_parameters needs method_decorator
| Reported by: | zbohm | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | cmawebsite@…, timograham@… | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
Decorator sensitive_post_parameters does not work with class method and method_decorator(sensitive_post_parameters) also does not help.
contrib/auth/admin.py:
@sensitive_post_parameters() def user_change_password(self, request, id, form_url=''): if not self.has_change_permission(request): raise PermissionDenied user = get_object_or_404(self.queryset(request), pk=id) if request.method == 'POST': raise Exception("Show me the debug page.")
do not hide POST parameters on the output:
Variable Value password_form u'1' csrfmiddlewaretoken u'BC3JzQcQAUlhnEGKwykvJfNfRCN28NA2' old_password u'oldpassword' new_password1 u'newpassword' new_password2 u'newpassword'
Attachments (3)
Change History (13)
by , 12 years ago
| Attachment: | 0001-Fixed-18923-Add-decorator-sensitive_post_parameters_.patch added |
|---|
comment:1 by , 12 years ago
| Has patch: | set |
|---|
by , 12 years ago
| Attachment: | 0001-Ticket-18923-Add-test-for-ensitive_post_parameters.patch added |
|---|
comment:2 by , 12 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:3 by , 11 years ago
| Cc: | added |
|---|---|
| Easy pickings: | set |
| Has patch: | unset |
| Resolution: | invalid |
| Status: | closed → new |
| Summary: | Decorator sensitive_post_parameters does not work with class method → user admin sensitive_post_parameters needs method_decorator |
| Version: | 1.4 → master |
You are correct that sensitive_post_parameters does not work with class methods and you did correctly conclude that method_decorator(sensitive_post_parameters) works correctly. But you also correctly noticed that this is not working for user admin.
https://github.com/django/django/blob/master/django/contrib/auth/admin.py.
We need to change these two cases from @sensitive_post_parameters() to @method_decorator(sensitive_post_parameters())
by , 11 years ago
| Attachment: | 18923.diff added |
|---|
comment:4 by , 11 years ago
| Cc: | added |
|---|---|
| Has patch: | set |
| Triage Stage: | Unreviewed → Accepted |
Is it ok to add an assertion to detect misuse of the decorator (see patch)?
comment:6 by , 11 years ago
That wouldn't work -- for one thing, it would prevent GET requests. It's also less specific than the isinstance check. A view always (as far as I can think) receives an HttpRequest as the first argument. In the case where method_decorator isn't used, sensitive_post_parameters receives the class of the method that's being decorated which would cause the assertion to fail.
comment:7 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
It is possible to use
method_decorator. I have used it the wrong way in the previous case.tests/regressiontests/views/views.py
sensitive_variables('sauce')sensitive_post_parameters("password", "secret-key")