mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-05-05 06:27:31 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth

Browse Source 
Thanks Collin Anderson for the report.

Backport of 425d076d0c from master
This commit is contained in:
Tim Graham 2013-08-02 14:46:17 -04:00
parent cca302cde6
commit 75d2bcda10
2 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
django/contrib/auth/admin.py
View File

@ -17,6 +17,8 @@ from django.views.decorators.csrf import csrf_protect
from django.views.decorators.debug import sensitive_post_parameters from django.views.decorators.debug import sensitive_post_parameters
csrf_protect_m = method_decorator(csrf_protect) csrf_protect_m = method_decorator(csrf_protect)
sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
class GroupAdmin(admin.ModelAdmin): class GroupAdmin(admin.ModelAdmin):
search_fields = ('name',) search_fields = ('name',)
@ -83,7 +85,7 @@ class UserAdmin(admin.ModelAdmin):
self.admin_site.admin_view(self.user_change_password)) self.admin_site.admin_view(self.user_change_password))
) + super(UserAdmin, self).get_urls() ) + super(UserAdmin, self).get_urls()
@sensitive_post_parameters() @sensitive_post_parameters_m
@csrf_protect_m @csrf_protect_m
@transaction.commit_on_success @transaction.commit_on_success
def add_view(self, request, form_url='', extra_context=None): def add_view(self, request, form_url='', extra_context=None):
@ -113,7 +115,7 @@ class UserAdmin(admin.ModelAdmin):
return super(UserAdmin, self).add_view(request, form_url, return super(UserAdmin, self).add_view(request, form_url,
extra_context) extra_context)
@sensitive_post_parameters() @sensitive_post_parameters_m
def user_change_password(self, request, id, form_url=''): def user_change_password(self, request, id, form_url=''):
if not self.has_change_permission(request): if not self.has_change_permission(request):
raise PermissionDenied raise PermissionDenied
@ -170,4 +172,3 @@ class UserAdmin(admin.ModelAdmin):
admin.site.register(Group, GroupAdmin) admin.site.register(Group, GroupAdmin)
admin.site.register(User, UserAdmin) admin.site.register(User, UserAdmin)

6
django/views/decorators/debug.py
View File

@ -1,5 +1,7 @@
import functools import functools
from django.http import HttpRequest
def sensitive_variables(*variables): def sensitive_variables(*variables):
""" """
@ -62,6 +64,10 @@ def sensitive_post_parameters(*parameters):
def decorator(view): def decorator(view):
@functools.wraps(view) @functools.wraps(view)
def sensitive_post_parameters_wrapper(request, *args, **kwargs): def sensitive_post_parameters_wrapper(request, *args, **kwargs):
assert isinstance(request, HttpRequest), (
"sensitive_post_parameters didn't receive an HttpRequest. If you "
"are decorating a classmethod, be sure to use @method_decorator."
)
if parameters: if parameters:
request.sensitive_post_parameters = parameters request.sensitive_post_parameters = parameters
else: else: