id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21911	Admin login can cause data loss	Raymond Penners	nobody	"Prerequisites: plain Django project with admin enabled, no CSRF middleware

To reproduce:
1. Open up a browser, make sure you are not logged in 
2. Open up two tabs, both visiting: /admin/sites/site/add/
3. You should be presented with a login form in both tabs.
4. Log in in tab 1).
5. Switch to tab 2) and also log in.

Expected result:
6. You end up at /admin/sites/site/add/ via a GET request

Actual result:
6. The login in tab 2) fires its POST data at the /admin/sites/site/add/ view (proven by the fact that you will see validation errors).


Now, while in this case the actual result may seem rather harmless, we have had an incident where somebody unknowingly destroyed precious data by doing this. This may happen if the URL belongs to an update URL and the form happens to be considered valid (e.g. if no fields are required, you will essentially blank out the model you are updating).

Why doesn't the staff_member_required decorator use a redirect to a separate login view, with next=/admin/sites/add ?
"	Bug	closed	contrib.admin	dev	Release blocker	fixed		raymond.penners@…	Accepted	1	0	0	0	0	0
