When /admin/login/ is accessed directly, there is 302 /admin/login/ after POST, and only then 302 /admin/

[Jan Pazdziora]

While investigating the behaviour for https://code.djangoproject.com/ticket/25030 in more detail, I've noticed that when I access (unauthenticated, via GET) /admin/login/ directly, the access_log shows

GET /admin/login/ HTTP/1.1" 200 1716
POST /admin/login/ HTTP/1.1" 302 - 
GET /admin/login/ HTTP/1.1" 302 - 
GET /admin/ HTTP/1.1" 200 2826

The result of the form submission (the POST) is redirect to /admin/login/ again. It seems to be caused by

        if (REDIRECT_FIELD_NAME not in request.GET and
                REDIRECT_FIELD_NAME not in request.POST):
            context[REDIRECT_FIELD_NAME] = request.get_full_path()

When REDIRECT_FIELD_NAME is missing, why is the redirect going to /admin/login/ again? Wouldn't /admin/ be a better target?

Of course, the

        if request.method == 'GET' and self.has_permission(request):
            # Already logged-in, redirect to admin index
            index_path = reverse('admin:index', current_app=self.name)
            return HttpResponseRedirect(index_path)

will eventually throw it back to /admin/.

This might seem like nitpicking but figuring out correct intended behaviour seems essential when I'm attempting to make changes to it to better support external authentication.

[Jan Pazdziora]

Filed ​https://github.com/django/django/pull/4927 to use the same default redirect target as the authenticated GET access.

[Tim Graham <timograham@…>]

In 3353684:

Fixed #25032 -- Removed double redirect in admin login.