Opened 6 years ago

Last modified 6 years ago

#28779 new Cleanup/optimization

Customizing REDIRECT_FIELD_NAME is cumbersome

Reported by: Meiyer
Owned by: nobody
Component: contrib.auth
Version: 1.11
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When a custom REDIRECT_FIELD_NAME is defined (for example, for the LoginView in urls.py), the two views PasswordChangeView and PasswordChangeDoneView will still use the built-in name next. This is due to the decorator django.contrib.auth.decorators.login_required which uses the name from django.contrib.auth.REDIRECT_FIELD_NAME and is not customizable.

Change History (4)

comment:1 by Tim Graham, 6 years ago

Component: Core (URLs) → contrib.auth
Type: Bug → Cleanup/optimization

As far as I see, the problem isn't specific to the password change views. If you customize LoginView.redirect_field_name, then you need to update all views decorated with login_required() to use @login_required(redirect_field_name='...'). The problem is that you can't make this change in views in third-party apps. For that reason, I wonder if it would have been better to make REDIRECT_FIELD_NAME customization use a setting (as originally proposed in #5394) rather than an argument.

comment:2 by Meiyer, 6 years ago

Currently, in order to make Django (by itself, without 3rd-party apps!) work as expected with a customized REDIRECT_FIELD_NAME, one has to:

  1. subclass LoginView (or provide a value in urls.py via LoginView.as_view())
  2. subclass LogoutView (or provide a value in urls.py via LogoutView.as_view())
  3. subclass LoginRequiredMixin
  4. subclass PermissionRequiredMixin
  5. subclass UserPassesTestMixin
  6. subclass any view that uses the login_required decorator, that is, PasswordChangeView, PasswordChangeDoneView
    • if a custom view uses the decorator, one has to remember to modify it as well
  7. subclass any view that uses the user_passes_test decorator (currently only in Admin)
    • if a custom view uses the decorator, one has to remember to modify it as well
  8. build own special treatment of redirection for flat pages that require registration (no subclassing is possible)

This does not make sense.

Last edited 6 years ago by Meiyer

comment:3 by Tim Graham, 6 years ago

Summary: PasswordChangeView and PasswordChangeDoneView do not use a custom REDIRECT_FIELD_NAME → Customizing REDIRECT_FIELD_NAME is cumbersome
Triage Stage: Unreviewed → Accepted

Perhaps it's worth making a proposal on the DevelopersMailingList. It would be interesting to research if this feature is used to solve a different use case or if it's mostly unused such that this issue hasn't come up before.

comment:4 by Mateusz Kurowski, 6 years ago

Here is a monkey patch I am using.
In the apps.py ready method.

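    def ready(self):
        # Imported inside ready() so the app registry is loaded first.
        from django.conf import settings
        from django.contrib import auth
        # Rebind django.contrib.auth.REDIRECT_FIELD_NAME to the value of a
        # project-defined setting (Django itself defines no such setting).
        auth.REDIRECT_FIELD_NAME = settings.REDIRECT_FIELD_NAME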

I think it's good for security to allow this customization. It's always good to make identification of the framework running the website harder.
