diff options
| author | Markus Holtermann <info@markusholtermann.eu> | 2017-02-14 23:35:42 +0100 |
|---|---|---|
| committer | Markus Holtermann <info@markusholtermann.eu> | 2017-02-15 00:35:04 +0100 |
| commit | b9b35f9efabc19f6c58f2d5962a9e6d8dc53a786 (patch) | |
| tree | 732dac79ae89c3428a249e33a3e1db770319d17a | |
| parent | 103e6cf26c17ae650b7caa3956b87a215334d761 (diff) | |
Fixed #27840 -- Fixed KeyError in PasswordResetConfirmView.form_valid().
When a user is already logged in when submitting the password and
password confirmation to reset a password, a KeyError occurred while
removing the reset session token from the session.
Refs #17209
Thanks Quentin Marlats for the report and Florian Apolloner and Tim
Graham for the review.
| -rw-r--r-- | django/contrib/auth/views.py | 2 | ||||
| -rw-r--r-- | tests/auth_tests/test_views.py | 8 |
2 files changed, 9 insertions, 1 deletions
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py index 85893aff8b..ae52f5414d 100644 --- a/django/contrib/auth/views.py +++ b/django/contrib/auth/views.py @@ -460,9 +460,9 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView): def form_valid(self, form): user = form.save() + del self.request.session[INTERNAL_RESET_SESSION_TOKEN] if self.post_reset_login: auth_login(self.request, user) - del self.request.session[INTERNAL_RESET_SESSION_TOKEN] return super().form_valid(form) def get_context_data(self, **kwargs): diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py index 8f946a9a38..9284772268 100644 --- a/tests/auth_tests/test_views.py +++ b/tests/auth_tests/test_views.py @@ -327,6 +327,14 @@ class PasswordResetTest(AuthViewsTestCase): self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False) self.assertIn(SESSION_KEY, self.client.session) + def test_confirm_login_post_reset_already_logged_in(self): + url, path = self._test_confirm_start() + path = path.replace('/reset/', '/reset/post_reset_login/') + self.login() + response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'}) + self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False) + self.assertIn(SESSION_KEY, self.client.session) + def test_confirm_display_user_from_form(self): url, path = self._test_confirm_start() response = self.client.get(path) |
