From 13585de7ac2466d1ae9f6f651a57c8f088914e0a Mon Sep 17 00:00:00 2001
From: Claude Paroz
Date: Sat, 10 Aug 2024 16:57:29 +0200
Subject: [PATCH] Standardized calling decorators on contrib.auth views.
---
 django/contrib/auth/views.py | 40 ++++++++++++------------------------
 1 file changed, 13 insertions(+), 27 deletions(-)
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index a18cfdb347..f1dd8c6eb3 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -62,7 +62,10 @@ class RedirectURLMixin:
 raise ImproperlyConfigured("No URL to redirect to. Provide a next_page.")
-@method_decorator(login_not_required, name="dispatch")
+@method_decorator(
+ [login_not_required, sensitive_post_parameters(), csrf_protect, never_cache],
+ name="dispatch",
+)
 class LoginView(RedirectURLMixin, FormView):
 """
 Display the login form and handle the login action.
@@ -74,9 +77,6 @@ class LoginView(RedirectURLMixin, FormView):
 redirect_authenticated_user = False
 extra_context = None
- @method_decorator(sensitive_post_parameters())
- @method_decorator(csrf_protect)
- @method_decorator(never_cache)
 def dispatch(self, request, *args, **kwargs):
 if self.redirect_authenticated_user and self.request.user.is_authenticated:
 redirect_to = self.get_success_url()
@@ -122,6 +122,7 @@ class LoginView(RedirectURLMixin, FormView):
 return context
+@method_decorator([csrf_protect, never_cache], name="dispatch")
 class LogoutView(RedirectURLMixin, TemplateView):
 """
 Log out the user and display the 'You are logged out' message.
@@ -131,11 +132,6 @@ class LogoutView(RedirectURLMixin, TemplateView):
 template_name = "registration/logged_out.html"
 extra_context = None
- @method_decorator(csrf_protect)
- @method_decorator(never_cache)
- def dispatch(self, request, *args, **kwargs):
- return super().dispatch(request, *args, **kwargs)
-
 def post(self, request, *args, **kwargs):
 """Logout may be done via POST."""
 auth_logout(request)
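Review bot: The order of the list passed to `method_decorator` on LoginView is load-bearing, and nothing on the new lines says so. Django applies the list as if the decorators were stacked, so `login_not_required` is outermost and `never_cache` innermost, which matches what the old per-method decorators produced. A short comment above the call, e.g. `# Order matters: the first decorator is outermost and handles the request first.`, would keep a later edit from reordering the CSRF check or the POST-parameter masking by accident. The same applies to the lists added on LogoutView, PasswordResetView, PasswordResetConfirmView and PasswordChangeView.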
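Review bot: Nothing in this patch pins that LogoutView still rejects a POST without a CSRF token once its `dispatch` override is gone; the diffstat shows views.py as the only file touched. With the override removed in the next hunk, `method_decorator([csrf_protect, never_cache], name="dispatch")` wraps the inherited `dispatch`, so the protection now rests entirely on this one class-decorator line. If the existing suite does not already cover it, a test that posts to the logout URL with `Client(enforce_csrf_checks=True)` and expects a 403 would catch a dropped or misnamed decorator. The same holds for PasswordResetView and PasswordChangeView, which lose their `dispatch` overrides further down.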
@@ -211,7 +207,7 @@ class PasswordContextMixin:
 return context
-@method_decorator(login_not_required, name="dispatch")
+@method_decorator([login_not_required, csrf_protect], name="dispatch")
 class PasswordResetView(PasswordContextMixin, FormView):
 email_template_name = "registration/password_reset_email.html"
 extra_email_context = None
@@ -224,10 +220,6 @@ class PasswordResetView(PasswordContextMixin, FormView):
 title = _("Password reset")
 token_generator = default_token_generator
- @method_decorator(csrf_protect)
- def dispatch(self, *args, **kwargs):
- return super().dispatch(*args, **kwargs)
-
 def form_valid(self, form):
 opts = {
 "use_https": self.request.is_secure(),
@@ -252,7 +244,9 @@ class PasswordResetDoneView(PasswordContextMixin, TemplateView):
 title = _("Password reset sent")
-@method_decorator(login_not_required, name="dispatch")
+@method_decorator(
+ [login_not_required, sensitive_post_parameters(), never_cache], name="dispatch"
+)
 class PasswordResetConfirmView(PasswordContextMixin, FormView):
 form_class = SetPasswordForm
 post_reset_login = False
@@ -263,8 +257,6 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
 title = _("Enter new password")
 token_generator = default_token_generator
- @method_decorator(sensitive_post_parameters())
- @method_decorator(never_cache)
 def dispatch(self, *args, **kwargs):
 if "uidb64" not in kwargs or "token" not in kwargs:
 raise ImproperlyConfigured(
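Review bot: PasswordResetConfirmView's new decorator list has no `csrf_protect`, although the view appears to handle the form that sets the new password (`form_class = SetPasswordForm`) and the other form-handling views in this patch (LoginView, LogoutView, PasswordResetView, PasswordChangeView) all carry it explicitly. The omission predates this commit, but a change that standardises the decorators is the natural place to settle it, because as written the view depends on CsrfViewMiddleware being installed in the project. Either add it, `[login_not_required, sensitive_post_parameters(), csrf_protect, never_cache], name="dispatch"`, or leave a comment saying why it is left out. The view's `dispatch` body continues beyond the following hunk.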
@@ -350,18 +342,15 @@ class PasswordResetCompleteView(PasswordContextMixin, TemplateView):
 return context
+@method_decorator(
+ [sensitive_post_parameters(), csrf_protect, login_required], name="dispatch"
+)
 class PasswordChangeView(PasswordContextMixin, FormView):
 form_class = PasswordChangeForm
 success_url = reverse_lazy("password_change_done")
 template_name = "registration/password_change_form.html"
 title = _("Password change")
- @method_decorator(sensitive_post_parameters())
- @method_decorator(csrf_protect)
- @method_decorator(login_required)
- def dispatch(self, *args, **kwargs):
- return super().dispatch(*args, **kwargs)
-
 def get_form_kwargs(self):
 kwargs = super().get_form_kwargs()
 kwargs["user"] = self.request.user
@@ -375,10 +364,7 @@ class PasswordChangeView(PasswordContextMixin, FormView):
 return super().form_valid(form)
+@method_decorator(login_required, name="dispatch")
 class PasswordChangeDoneView(PasswordContextMixin, TemplateView):
 template_name = "registration/password_change_done.html"
 title = _("Password change successful")
-
- @method_decorator(login_required)
- def dispatch(self, *args, **kwargs):
- return super().dispatch(*args, **kwargs)
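Review bot: PasswordChangeView ends up without `never_cache`, while LoginView and PasswordResetConfirmView, the other views in this patch that take a password in a form, both carry it. That matches the old per-method decorators, so it is not a regression, but after this clean-up the difference reads as an oversight rather than a decision. If it is intended, a one-line comment above the decorator would say so; otherwise consider `[sensitive_post_parameters(), csrf_protect, never_cache, login_required], name="dispatch"`, which would also mark the login redirect as non-cacheable.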