Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#28229 closed Bug (fixed)

The "next" variable is set in the login page, even when accessed directly

Reported by: Shrikant Sharat Owned by: Mikhail Golubev
Component: contrib.auth Version: 1.11
Severity: Normal Keywords: auth
Cc: shrikantsharat.k@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

In the default authentication system, when a user tries to access a protected page without logging in, he/she gets redirected to the login page. When this happens, the next template variable is set to the URL of the protected page. This is working fine.

However, when the user directly opens up the login page, for example by entering the URL in the address bar, the next template variable should not be set. But it is set to settings.LOGIN_REDIRECT_URL (or it's default value), which is unexpected.

Because of this, if we are using the template for login.html as given in the documentation, we see the Please login to see this page. message even when the user opens the login page directly.

I tried to debug to find where the problem is, and found it in django.contrib.auth.views.LoginView class. This class has a method get_success_url which gets the redirect url either from the next parameter or from the LOGIN_REDIRECT_URL. This method is being also used to populate the context for the login form in the method get_context_data, which, in my opinion is incorrect. The dispatch method also uses the get_success_url to get the redirect url, which is correct because the purpose there is to actually redirect.

Change History (6)

comment:1 Changed 3 years ago by Marten Kenbeek

Triage Stage: UnreviewedAccepted

This behaviour changed in 78963495d0caadb77eb97ccf319ef0ba3b204fb5. It used to be the empty string if no next parameter was passed through GET or POST, and it was only resolved to LOGIN_REDIRECT_URL when the user had to be redirected, after the login.

comment:2 Changed 3 years ago by Scott Vitale

Owner: changed from nobody to Scott Vitale
Status: newassigned

comment:3 Changed 3 years ago by Mikhail Golubev

Owner: changed from Scott Vitale to Mikhail Golubev

comment:4 Changed 3 years ago by Tim Graham

Has patch: set

comment:5 Changed 2 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In e7dc39fb:

Fixed #28229 -- Fixed the value of LoginView's "next" template variable.

comment:6 Changed 2 years ago by Tim Graham <timograham@…>

In 16431b0:

[1.11.x] Fixed #28229 -- Fixed the value of LoginView's "next" template variable.

Backport of e7dc39fb65e51d7613c941f7e5768b621dea4e76 from master

Note: See TracTickets for help on using tickets.
Back to Top