Admin doesn't handle double login attempts
|Reported by:||KJ||Owned by:||KJ|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||yes|
When sending login form on admin site when user is already logged in, admin view gets called as if no login attempt was being made. Login form POST data can then easily cause some of the admin views to break. Furthermore, sensitive_post_parameters decorator isn't applied because login view doesn't get called, so if an exception is raised, a traceback is emailed with username and password in plain text.
A real life example would be when user opens 2 tabs with login form, logs in on one of them and then forgets about it and tries to log in on the second.
Change History (13)
comment:1 Changed 3 years ago by KJ
- Has patch set
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
Changed 3 years ago by adupin
comment:11 Changed 3 years ago by ptone
- Patch needs improvement set
- Triage Stage changed from Ready for checkin to Accepted