Admin login can cause data loss
|Reported by:||Raymond Penners||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Prerequisites: plain Django project with admin enabled, no CSRF middleware
- Open up a browser, make sure you are not logged in
- Open up two tabs, both visiting: /admin/sites/site/add/
- You should be presented with a login form in both tabs.
- Login in tab 1).
- Switch to tab 2), also login.
- You end up at /admin/sites/site/add/ via a GET request
- the login as part of login at 2) fires its POST data at the /admin/sites/site/add/ view,
(proven by the fact that you will see validation errors)
Now, while in this case the actual result may seem rather harmless, we have had an incident where somebody unknowingly destroyed precious data by doing this. This may happen if the URL belongs to an update URL, and, the form happens to be considered valid (e.g. if no fields are required you will essentially blank out the model you are updating).
Why doesn't the staff_member_required decorator use redirects to redirect to separate login view, with next=/admin/sites/add ?
Change History (10)
comment:1 Changed 3 years ago by
|Severity:||Normal → Release blocker|
|Triage Stage:||Unreviewed → Accepted|
comment:7 Changed 3 years ago by
|Triage Stage:||Ready for checkin → Accepted|