diff options
| author | Tim Graham <timograham@gmail.com> | 2013-08-02 14:46:17 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2013-08-02 14:46:51 -0400 |
| commit | 97254154ab43d7973fba09ccd7ab548866f83e03 (patch) | |
| tree | 05f1399d107755ff173b8feebaa59e78807944c2 | |
| parent | 4e7745cc1c89a0c464b752e6da7c1fe7bce948d0 (diff) | |
[1.6.x] Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
Thanks Collin Anderson for the report.
Backport of 425d076d0c from master
| -rw-r--r-- | django/contrib/auth/admin.py | 5 | ||||
| -rw-r--r-- | django/views/decorators/debug.py | 6 |
2 files changed, 9 insertions, 2 deletions
diff --git a/django/contrib/auth/admin.py b/django/contrib/auth/admin.py index 5e424de346..033e3cf6e1 100644 --- a/django/contrib/auth/admin.py +++ b/django/contrib/auth/admin.py @@ -17,6 +17,7 @@ from django.views.decorators.csrf import csrf_protect from django.views.decorators.debug import sensitive_post_parameters csrf_protect_m = method_decorator(csrf_protect) +sensitive_post_parameters_m = method_decorator(sensitive_post_parameters()) class GroupAdmin(admin.ModelAdmin): @@ -90,7 +91,7 @@ class UserAdmin(admin.ModelAdmin): return False return super(UserAdmin, self).lookup_allowed(lookup, value) - @sensitive_post_parameters() + @sensitive_post_parameters_m @csrf_protect_m @transaction.atomic def add_view(self, request, form_url='', extra_context=None): @@ -121,7 +122,7 @@ class UserAdmin(admin.ModelAdmin): return super(UserAdmin, self).add_view(request, form_url, extra_context) - @sensitive_post_parameters() + @sensitive_post_parameters_m def user_change_password(self, request, id, form_url=''): if not self.has_change_permission(request): raise PermissionDenied diff --git a/django/views/decorators/debug.py b/django/views/decorators/debug.py index 78ae6b1442..a611981e79 100644 --- a/django/views/decorators/debug.py +++ b/django/views/decorators/debug.py @@ -1,5 +1,7 @@ import functools +from django.http import HttpRequest + def sensitive_variables(*variables): """ @@ -62,6 +64,10 @@ def sensitive_post_parameters(*parameters): def decorator(view): @functools.wraps(view) def sensitive_post_parameters_wrapper(request, *args, **kwargs): + assert isinstance(request, HttpRequest), ( + "sensitive_post_parameters didn't receive an HttpRequest. If you " + "are decorating a classmethod, be sure to use @method_decorator." + ) if parameters: request.sensitive_post_parameters = parameters else: |
