| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-02-24 13:38:32 +0000 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-02-24 13:38:32 +0000 |
| commit | 062cbfb1ecbc21156c66196e55893481936dec84 (patch) | |
| tree | 99e2ac776c9515de6766e2b10c7e8a8fbbba6da7 /tests | |
| parent | fa1a74ff3c7069c6e442b31c0c3842a24a01fc8a (diff) | |
[1.2.X] Prevented non-admin users from accessing the admin redirect shortcut.
If the admin shortcut view (e.g. /admin/r/<content-type>/<pk>/) is
publicly accessible, and if a public user can guess a content-type ID
(which isn't hard given that they're sequential), then the redirect view could
possibly leak data by redirecting to pages a user shouldn't "know about." So
the redirect view needs the same protection as the rest of the admin site.
Thanks to Jason Royes for pointing this out.
Backport of [15639] from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15640 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/regressiontests/admin_views/tests.py | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/tests/regressiontests/admin_views/tests.py b/tests/regressiontests/admin_views/tests.py
index a0fb87b2b4..d2d1967c05 100644
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -1026,7 +1026,7 @@ class AdminViewStringPrimaryKeyTest(TestCase):
         self.assertContains(response, should_contain)
-class SecureViewTest(TestCase):
+class SecureViewTests(TestCase):
     fixtures = ['admin-views-users.xml']
     def setUp(self):
@@ -1150,6 +1150,25 @@ class SecureViewTest(TestCase):
         # make sure the view removes test cookie
         self.assertEqual(self.client.session.test_cookie_worked(), False)
+    def test_shortcut_view_only_available_to_staff(self):
+        """
+        Only admin users should be able to use the admin shortcut view.
+        """
+        user_ctype = ContentType.objects.get_for_model(User)
+        user = User.objects.get(username='super')
+        shortcut_url = "/test_admin/admin/r/%s/%s/" % (user_ctype.pk, user.pk)
+        # Not logged in: we should see the login page.
+        response = self.client.get(shortcut_url, follow=False)
+        self.assertTemplateUsed(response, 'admin/login.html')
+        # Logged in? Redirect.
+        self.client.login(username='super', password='secret')
+        response = self.client.get(shortcut_url, follow=False)
+        # Can't use self.assertRedirects() because User.get_absolute_url() is silly.
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response['Location'], 'http://example.com/users/super/')
 class AdminViewUnicodeTest(TestCase):
     fixtures = ['admin-views-unicode.xml']
@@ -2670,3 +2689,4 @@ class DateHierarchyTests(TestCase):
         self.assert_non_localized_year(response, 2000)
         self.assert_non_localized_year(response, 2003)
         self.assert_non_localized_year(response, 2005)
+
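Review bot: `test_shortcut_view_only_available_to_staff` exercises only the two ends of the access check — an anonymous client and the superuser `super` — and never an authenticated user with `is_staff=False`, which is precisely the "non-admin user" the commit title says is now kept out; without that request a regression that merely requires a session (rather than staff status) would still pass this test. Add a third step that logs in as a non-staff user and asserts the login template is served again (the fixture `admin-views-users.xml` is not visible here, so whether it already contains such a user needs confirming), and extend the docstring with a sentence stating the three cases covered. The hard-coded `'http://example.com/users/super/'` couples the redirect assertion to `User.get_absolute_url()` and the current site domain, which the inline comment already acknowledges. The enclosing class `SecureViewTests` continues outside this hunk.
```python
        # Logged in but not staff: the shortcut must still send us to the login page.
        # NOTE(review): replace <NON_STAFF_USERNAME> with a non-staff user from the fixture.
        self.client.login(username='<NON_STAFF_USERNAME>', password='secret')
        response = self.client.get(shortcut_url, follow=False)
        self.assertTemplateUsed(response, 'admin/login.html')
        self.client.logout()
        # … unchanged: superuser login and 302 / Location assertions …
```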
