summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2013-08-02 14:46:17 -0400
committerTim Graham <timograham@gmail.com>2013-08-02 14:46:51 -0400
commit97254154ab43d7973fba09ccd7ab548866f83e03 (patch)
tree05f1399d107755ff173b8feebaa59e78807944c2
parent4e7745cc1c89a0c464b752e6da7c1fe7bce948d0 (diff)
[1.6.x] Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
Thanks Collin Anderson for the report. Backport of 425d076d0c from master
-rw-r--r--django/contrib/auth/admin.py5
-rw-r--r--django/views/decorators/debug.py6
2 files changed, 9 insertions, 2 deletions
diff --git a/django/contrib/auth/admin.py b/django/contrib/auth/admin.py
index 5e424de346..033e3cf6e1 100644
--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -17,6 +17,7 @@ from django.views.decorators.csrf import csrf_protect
from django.views.decorators.debug import sensitive_post_parameters
csrf_protect_m = method_decorator(csrf_protect)
+sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
class GroupAdmin(admin.ModelAdmin):
@@ -90,7 +91,7 @@ class UserAdmin(admin.ModelAdmin):
return False
return super(UserAdmin, self).lookup_allowed(lookup, value)
- @sensitive_post_parameters()
+ @sensitive_post_parameters_m
@csrf_protect_m
@transaction.atomic
def add_view(self, request, form_url='', extra_context=None):
@@ -121,7 +122,7 @@ class UserAdmin(admin.ModelAdmin):
return super(UserAdmin, self).add_view(request, form_url,
extra_context)
- @sensitive_post_parameters()
+ @sensitive_post_parameters_m
def user_change_password(self, request, id, form_url=''):
if not self.has_change_permission(request):
raise PermissionDenied
diff --git a/django/views/decorators/debug.py b/django/views/decorators/debug.py
index 78ae6b1442..a611981e79 100644
--- a/django/views/decorators/debug.py
+++ b/django/views/decorators/debug.py
@@ -1,5 +1,7 @@
import functools
+from django.http import HttpRequest
+
def sensitive_variables(*variables):
"""
@@ -62,6 +64,10 @@ def sensitive_post_parameters(*parameters):
def decorator(view):
@functools.wraps(view)
def sensitive_post_parameters_wrapper(request, *args, **kwargs):
+ assert isinstance(request, HttpRequest), (
+ "sensitive_post_parameters didn't receive an HttpRequest. If you "
+ "are decorating a classmethod, be sure to use @method_decorator."
+ )
if parameters:
request.sensitive_post_parameters = parameters
else: