id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28229	"The ""next"" variable is set in the login page, even when accessed directly"	Shrikant Sharat	Mikhail Golubev	"In the default authentication system, when a user tries to access a protected page without logging in, he/she gets redirected to the login page. When this happens, the `next` template variable is set to the URL of the protected page. This is working fine.

However, when the user directly opens up the login page, for example by entering the URL in the address bar, the `next` template variable should not be set. But it is set to `settings.LOGIN_REDIRECT_URL` (or it's default value), which is unexpected.

Because of this, if we are using the template for `login.html` as given in the [https://docs.djangoproject.com/en/1.11/topics/auth/default/#django.contrib.auth.views.LoginView documentation], we see the `Please login to see this page.` message even when the user opens the login page directly.

I tried to debug to find where the problem is, and found it in `django.contrib.auth.views.LoginView` class. This class has a method `get_success_url` which gets the redirect url either from the `next` parameter or from the `LOGIN_REDIRECT_URL`. This method is being also used to populate the context for the login form in the method `get_context_data`, which, in my opinion is incorrect. The dispatch method also uses the `get_success_url` to get the redirect url, which is correct because the purpose there is to actually redirect.
"	Bug	closed	contrib.auth	1.11	Normal	fixed	auth	shrikantsharat.k@…	Accepted	1	0	0	0	1	0