id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36717	Admin login should redirect already logged-in users to page specified in next parameter	Benedict Etzel	Benedict Etzel	"The admin login page at `/admin/login/` ignores the `?next=` parameter when an already logged-in user visits the page. This differs from the behaviour when the user logs in on the admin login page itself, where they are redirected to the page indicated in the parameter.

== Background

When a logged-out user visits the contrib.admin, the `AdminSite.login` method redirects them to a URL that looks like this: `/admin/login/?next=/admin/my_app/my_model/`. The `next` field (whose name is the value of `contrib.auth.REDIRECT_FIELD_NAME`) is then used to populate a hidden field in the login form (`contrib.auth.LoginView`).
After signing in, the `contrib.auth.RedirectURLMixin` of the `LoginView` redirects the user to the initially requested URL.

However, users may sometimes re-visit `/admin/login/?next=/admin/my_app/my_model/` when they're already signed in. For example:
- by signing in to the site in another tab
- by using the browser's back button
- by following a bookmark
- after a custom authentication flow that overrides `admin.site.login` (a good example is django-allauth's `secure_django_login`, https://docs.allauth.org/en/dev/common/admin.html, which redirects visitors to `/admin/login/` to a custom login page and then back to `/admin/login/`. Even though it keeps `next` intact, Django will always redirect the already logged-in user back to the admin index)

Currently, the `AdminSite.login` method disregards any `next` param in the URL for logged-in staff users and always redirects them to `admin:index`. This is slightly annoying because the user could be redirected to the requested URL instead.

== To reproduce:
1. Sign out of your Django instance
2. Manually open an admin deeplink such as `/admin/my_app/my_model/`, which should redirect to `/admin/login/?next=/my_app/my_model/`
3. In another tab, sign in to your Django instance as staff
4. Back in the original tab, refresh the page. Observe how you are sent to `/admin/`, instead of `/admin/my_app/my_model/`

== Possible fix:
`AdminSite.login` could respect the redirect URL, and should probably run checks like `contrib.auth.views.RedirectURLMixin` (specifically `get_redirect_url`), to ensure that the URL is safe. I don't think there's a security issue here where somebody malicious links an admin to `/admin/login/?next=/attacker-provider`, because the attacker could already link a user directly to that page (or to the login form that then redirects the admin to the page).
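The safety check the possible fix refers to, as an added example that is not part of the ticket or of Django's code base: `is_safe_redirect` is a simplified re-implementation, written here for illustration, of the host and scheme rules that Django's `django.utils.http.url_has_allowed_host_and_scheme` applies (the function `get_redirect_url` wraps), and `resolve_admin_redirect` shows the proposed behaviour of honouring a safe `next` and otherwise falling back to the admin index. The host set, the `/admin/` fallback and the sample URLs are constructed for the example.

```python
# Added example (not Django's code): a simplified re-implementation of the
# host/scheme check Django applies to the ?next= value, plus the fallback
# the ticket proposes for already-authenticated staff users.
import unicodedata
from urllib.parse import urlsplit

# Constructed host set; Django builds this from ALLOWED_HOSTS and the request host.
ALLOWED_HOSTS = {'example.com'}
ADMIN_INDEX = '/admin/'  # assumed value of reverse('admin:index')


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    # Chrome treats three or more leading slashes as an absolute URL.
    if url.startswith('///'):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme without a host (http:///evil.example, javascript:...) is rejected.
    if parts.scheme and not parts.netloc:
        return False
    # Leading control characters make some browsers treat the URL as scheme-relative.
    if unicodedata.category(url[0])[0] == 'C':
        return False
    scheme = parts.scheme
    if parts.netloc and not scheme:
        scheme = 'http'  # //host/path is fetched over http
    valid_schemes = ('https',) if require_https else ('http', 'https')
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    # Mirrors Django's approach: the URL must pass both as given and with
    # backslashes rewritten to slashes, because Chrome treats them alike.
    if not url:
        return False
    url = url.strip()
    if not url:
        return False
    return _host_and_scheme_ok(url, allowed_hosts, require_https) and _host_and_scheme_ok(
        url.replace('\\', '/'), allowed_hosts, require_https
    )


def resolve_admin_redirect(next_url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    # What the ticket asks AdminSite.login to do for a logged-in staff user:
    # honour a safe ?next= value, otherwise fall back to the admin index.
    if is_safe_redirect(next_url, allowed_hosts, require_https):
        return next_url
    return ADMIN_INDEX


if __name__ == '__main__':
    for candidate in ['/admin/my_app/my_model/', '//evil.example/', '/\\evil.example/',
                      'https://example.com/admin/', 'javascript:alert(1)', None]:
        print(repr(candidate), '->', resolve_admin_redirect(candidate))
```

Running the block prints which constructed candidates are honoured and which fall back to the admin index; only the relative admin path and the absolute URL on the allowed host are kept.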

I'm assigning this to myself for now to ""claim"" implementing this. I already have a working prototype locally."	Cleanup/optimization	closed	contrib.admin	5.2	Normal	fixed		Benedict Etzel	Ready for checkin	1	0	0	0	0	0
