diff options
| author | Tim Graham <timograham@gmail.com> | 2014-04-10 08:03:50 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-04-17 20:07:05 -0400 |
| commit | 548acd77fd6356073ad4fa514c3d61f6589da43b (patch) | |
| tree | 6b0551cfff6cece21efff614573cbd62ddba530f | |
| parent | edaff9b0dffc9ad984671673214d671d84abe144 (diff) | |
[1.7.x] Fixed a KeyError on login with legacy sessions; refs #21649.
Thanks Loic for the report.
Backport of 11e30b684d from master
| -rw-r--r-- | django/contrib/auth/__init__.py | 2 | ||||
| -rw-r--r-- | django/contrib/auth/tests/test_views.py | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py index 795365ae79..a316f6840b 100644 --- a/django/contrib/auth/__init__.py +++ b/django/contrib/auth/__init__.py @@ -86,7 +86,7 @@ def login(request, user): if SESSION_KEY in request.session: if request.session[SESSION_KEY] != user.pk or ( session_auth_hash and - request.session[HASH_SESSION_KEY] != session_auth_hash): + request.session.get(HASH_SESSION_KEY) != session_auth_hash): # To avoid reusing another user's session, create a new, empty # session if the existing session corresponds to a different # authenticated user. diff --git a/django/contrib/auth/tests/test_views.py b/django/contrib/auth/tests/test_views.py index 01e3825bf4..27de1e26b4 100644 --- a/django/contrib/auth/tests/test_views.py +++ b/django/contrib/auth/tests/test_views.py @@ -595,6 +595,22 @@ class LoginTest(AuthViewsTestCase): self.login(password='foobar') self.assertNotEqual(original_session_key, self.client.session.session_key) + def test_login_session_without_hash_session_key(self): + """ + Session without django.contrib.auth.HASH_SESSION_KEY should login + without an exception. + """ + user = User.objects.get(username='testclient') + engine = import_module(settings.SESSION_ENGINE) + session = engine.SessionStore() + session[SESSION_KEY] = user.id + session.save() + original_session_key = session.session_key + self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key + + self.login() + self.assertNotEqual(original_session_key, self.client.session.session_key) + @skipIfCustomUser class LoginURLSettings(AuthViewsTestCase): |
