#28229 closed Bug (fixed)
The "next" variable is set in the login page, even when accessed directly
Reported by: | Shrikant Sharat | Owned by: | Mikhail Golubev |
---|---|---|---|
Component: | contrib.auth | Version: | 1.11 |
Severity: | Normal | Keywords: | auth |
Cc: | shrikantsharat.k@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
In the default authentication system, when a user tries to access a protected page without logging in, he/she gets redirected to the login page. When this happens, the next
template variable is set to the URL of the protected page. This is working fine.
However, when the user directly opens up the login page, for example by entering the URL in the address bar, the next
template variable should not be set. But it is set to settings.LOGIN_REDIRECT_URL
(or it's default value), which is unexpected.
Because of this, if we are using the template for login.html
as given in the documentation, we see the Please login to see this page.
message even when the user opens the login page directly.
I tried to debug to find where the problem is, and found it in django.contrib.auth.views.LoginView
class. This class has a method get_success_url
which gets the redirect url either from the next
parameter or from the LOGIN_REDIRECT_URL
. This method is being also used to populate the context for the login form in the method get_context_data
, which, in my opinion is incorrect. The dispatch method also uses the get_success_url
to get the redirect url, which is correct because the purpose there is to actually redirect.
Change History (6)
comment:1 by , 8 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 8 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 8 years ago
Owner: | changed from | to
---|
This behaviour changed in 78963495d0caadb77eb97ccf319ef0ba3b204fb5. It used to be the empty string if no
next
parameter was passed through GET or POST, and it was only resolved toLOGIN_REDIRECT_URL
when the user had to be redirected, after the login.