Opened 8 years ago

Closed 7 years ago

Last modified 3 years ago

#3393 closed (fixed)

login view assumes 'set_test_cookie' has been called

Reported by: ubernostrum Owned by: jacob
Component: Contrib apps Version: master
Severity: Keywords: auth login set_test_cookie
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: UI/UX:

Description

Currently, django.contrib.auth.views.login instantiates AuthenticationForm by passing it the request, which is optional; when this happens, AuthenticationForm will fail on valid logins unless set_test_cookie has been called previously. The login view itself does this, but this prevents easy reusability -- it's a fairly common use case to want to display a login box on each page for non-authenticated users, which means that each view in use must call set_test_cookie to ensure that the POST to login won't fail.

A simple solution to this would be to stop passing the request to AuthenticationForm. Perhaps a more flexible solution would be for login to begin taking a keyword argument to determine whether it should pass the request or not (and hence, whether set_test_cookie will be required or not)

Attachments (2)

3393.diff (624 bytes) - added by ubernostrum 7 years ago.
Simpler patch
3393_2.diff (1.0 KB) - added by lcordier 7 years ago.

Download all attachments as: .zip

Change History (13)

comment:1 Changed 8 years ago by ubernostrum

And Jacob has suggested just yanking the test out of AuthenticationForm; I'll work on a patch for that, since it sounds like a better idea (though it means that any code which uses AuthenticationForm will now need to remember to test for cookies on its own).

comment:2 Changed 8 years ago by Gary Wilson <gary.wilson@…>

  • Has patch set
  • Patch needs improvement set
  • Triage Stage changed from Unreviewed to Accepted

Changed 7 years ago by ubernostrum

Simpler patch

comment:3 Changed 7 years ago by jacob

  • Owner changed from nobody to jacob
  • Status changed from new to assigned

comment:4 Changed 7 years ago by lcordier

3393.diff have problems with the deletion of the test-cookie, when it has not been set.

Changed 7 years ago by lcordier

comment:5 Changed 7 years ago by MiguelFilho <miguel.filho@…>

I have just faced this problem. I was doing a post from a custom view and had the exactly same problem described by ubernostrum.

I've applied 3393_2.diff against trunk and it worked fine for me.

Any chance to get this merged?

comment:6 Changed 7 years ago by kcarnold

I was seeing odd problems of a single-page login only working in weird circumstances. This patch fixed it immediately. +1 by me.

(I don't bother testing for cookie support anywhere in my app. Maybe I should?)

comment:7 Changed 7 years ago by lcordier

I am not sure, but maybe we should un-tick the "Patch needs improvement" flag for the triagers to evaluate the new patch ?
Otherwise it would help if they can indicate what types of improvements that are needed.

comment:8 Changed 7 years ago by jacob

  • milestone set to 1.0

comment:9 Changed 7 years ago by SmileyChris

I get the point of this ticket, but it is killing existing functionality.

Perhaps a better solution would be to have an attribute on the view which, if set, avoids the set_test_cookie option. Then people can just pass this arg to the login view in their url conf.

comment:10 Changed 7 years ago by jacob

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [7692]) Fixed #3393: login view no longer assumes that set_test_cookie has been called. This is mildly backwards-incompatible, but in the "now it works the way it should have all along" sense. Thanks to James and lcordier for the patches.

comment:11 Changed 3 years ago by jacob

  • milestone 1.0 deleted

Milestone 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top