Opened 12 years ago

Closed 11 years ago

Last modified 7 years ago

#3393 closed (fixed)

login view assumes 'set_test_cookie' has been called

Reported by: James Bennett Owned by: Jacob
Component: Contrib apps Version: master
Severity: Keywords: auth login set_test_cookie
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no


Currently, django.contrib.auth.views.login instantiates AuthenticationForm by passing it the request, which is optional; when this happens, AuthenticationForm will fail on valid logins unless set_test_cookie has been called previously. The login view itself does this, but this prevents easy reusability -- it's a fairly common use case to want to display a login box on each page for non-authenticated users, which means that each view in use must call set_test_cookie to ensure that the POST to login won't fail.

A simple solution to this would be to stop passing the request to AuthenticationForm. Perhaps a more flexible solution would be for login to begin taking a keyword argument to determine whether it should pass the request or not (and hence, whether set_test_cookie will be required or not)

Attachments (2)

3393.diff (624 bytes) - added by James Bennett 11 years ago.
Simpler patch
3393_2.diff (1.0 KB) - added by lcordier 11 years ago.

Download all attachments as: .zip

Change History (13)

comment:1 Changed 12 years ago by James Bennett

And Jacob has suggested just yanking the test out of AuthenticationForm; I'll work on a patch for that, since it sounds like a better idea (though it means that any code which uses AuthenticationForm will now need to remember to test for cookies on its own).

comment:2 Changed 12 years ago by Gary Wilson <gary.wilson@…>

Has patch: set
Patch needs improvement: set
Triage Stage: UnreviewedAccepted

Changed 11 years ago by James Bennett

Attachment: 3393.diff added

Simpler patch

comment:3 Changed 11 years ago by Jacob

Owner: changed from nobody to Jacob
Status: newassigned

comment:4 Changed 11 years ago by lcordier

3393.diff have problems with the deletion of the test-cookie, when it has not been set.

Changed 11 years ago by lcordier

Attachment: 3393_2.diff added

comment:5 Changed 11 years ago by MiguelFilho <miguel.filho@…>

I have just faced this problem. I was doing a post from a custom view and had the exactly same problem described by ubernostrum.

I've applied 3393_2.diff against trunk and it worked fine for me.

Any chance to get this merged?

comment:6 Changed 11 years ago by Kenneth Arnold

I was seeing odd problems of a single-page login only working in weird circumstances. This patch fixed it immediately. +1 by me.

(I don't bother testing for cookie support anywhere in my app. Maybe I should?)

comment:7 Changed 11 years ago by lcordier

I am not sure, but maybe we should un-tick the "Patch needs improvement" flag for the triagers to evaluate the new patch ?
Otherwise it would help if they can indicate what types of improvements that are needed.

comment:8 Changed 11 years ago by Jacob

milestone: 1.0

comment:9 Changed 11 years ago by Chris Beaven

I get the point of this ticket, but it is killing existing functionality.

Perhaps a better solution would be to have an attribute on the view which, if set, avoids the set_test_cookie option. Then people can just pass this arg to the login view in their url conf.

comment:10 Changed 11 years ago by Jacob

Resolution: fixed
Status: assignedclosed

(In [7692]) Fixed #3393: login view no longer assumes that set_test_cookie has been called. This is mildly backwards-incompatible, but in the "now it works the way it should have all along" sense. Thanks to James and lcordier for the patches.

comment:11 Changed 7 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top