Changes between Version 2 and Version 3 of Ticket #36542, comment 8
- Timestamp:
- Mar 21, 2026, 9:01:47 AM (2 weeks ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #36542, comment 8
v2 v3 4 4 - As far as I can tell, all of the built-in auth views are decorated with the appropriate `sensitive_post_parameters` decorators. 5 5 - The admin login/user views use the aforementioned built-in views for most of the heavy lifting, and so are protected too. (This is because even if the “top-level” view isn’t decorated, `sensitive_post_parameters` gets set on the request further down - which is all that matters). 6 - Most of the associated authentication functions are decorated with the appropriate sensitive_variables decorators.6 - Most of the associated authentication functions further down the stack are decorated with the appropriate sensitive_variables decorators. 7 7 8 8 The above is to say, that all-in-all, even with `include_html=True` everything is actually already pretty well locked down. The reason the password appears in the screenshot above is that some of the functions deeper down the stack (at the auth-backend / model level) aren’t decorated with the `sensitive_variables` decorator.