diff options
| author | Russell Keith-Magee <russell@keith-magee.com> | 2008-08-23 14:12:58 +0000 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2008-08-23 14:12:58 +0000 |
| commit | a9ee1d4e28f4e6509dd910982b5504bc6a3554cc (patch) | |
| tree | e8a89cc0512b2d3ff6d3532721dad04c9baeb105 | |
| parent | 0f869f905e7d3a335ea9090fa079baf4b5883ec7 (diff) | |
Fixed #7776: Ensured that the test cookie is always deleted once a login has succeeded. Thanks for the report and fix, Mnewman.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8484 bcc190cf-cafb-0310-a4f2-bffc1f526a37
| -rw-r--r-- | django/contrib/admin/sites.py | 2 | ||||
| -rw-r--r-- | tests/regressiontests/admin_views/tests.py | 4 |
2 files changed, 5 insertions, 1 deletions
diff --git a/django/contrib/admin/sites.py b/django/contrib/admin/sites.py index 0407d3d47e..81e43a19cc 100644 --- a/django/contrib/admin/sites.py +++ b/django/contrib/admin/sites.py @@ -274,13 +274,13 @@ class AdminSite(object): login(request, user) if request.POST.has_key('post_data'): post_data = _decode_post_data(request.POST['post_data']) + request.session.delete_test_cookie() if post_data and not post_data.has_key(LOGIN_FORM_KEY): # overwrite request.POST with the saved post_data, and continue request.POST = post_data request.user = user return self.root(request, request.path.split(self.root_path)[-1]) else: - request.session.delete_test_cookie() return http.HttpResponseRedirect(request.get_full_path()) else: return self.display_login_form(request, ERROR_MESSAGE) diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py index 3101353aa2..16961adeab 100644 --- a/tests/regressiontests/admin_views/tests.py +++ b/tests/regressiontests/admin_views/tests.py @@ -237,6 +237,8 @@ class AdminViewPermissionsTest(TestCase): # Change User should not have access to add articles self.client.get('/test_admin/admin/') self.client.post('/test_admin/admin/', self.changeuser_login) + # make sure the view removes test cookie + self.failUnlessEqual(self.client.session.test_cookie_worked(), False) request = self.client.get('/test_admin/admin/admin_views/article/add/') self.failUnlessEqual(request.status_code, 403) # Try POST just to make sure @@ -266,6 +268,8 @@ class AdminViewPermissionsTest(TestCase): self.assertContains(post, 'Please log in again, because your session has expired.') self.super_login['post_data'] = _encode_post_data(add_dict) post = self.client.post('/test_admin/admin/admin_views/article/add/', self.super_login) + # make sure the view removes test cookie + self.failUnlessEqual(self.client.session.test_cookie_worked(), False) self.assertRedirects(post, '/test_admin/admin/admin_views/article/') self.failUnlessEqual(Article.objects.all().count(), 4) self.client.get('/test_admin/admin/logout/') |
