﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35288	login_required / user_passes_test redirects back to POST-only view	Patrick Rauscher	nobody	"Assume an application with session timeout and a login restricted area. In this area there is a form, POSTing its content to a view which has `@require_http_methods([""POST""])` as a security precaution.

A valid user visits the site with the form, stays there long enough for the session to time out and submits the form. Django will check if the user is logged in, which leads to `user_passes_test` evaluating to false and redirecting the user back to login while setting the next-url-parameter to the submit-view. After login, the user is redirected to the view which returns error 405 due to `@require_http_methods([""POST""])`.

I'm quite sure this is a bug, as 405 would not be the error he anticipates, but I'm not too sure about a possible fix. One solution would be to check in `user_passes_test` if we have a POST/PUT/...-Request and try to use Referer in that case?"	New feature	closed	contrib.auth	5.0	Normal	wontfix			Unreviewed	0	0	0	0	0	0
