From e7dc39fb65e51d7613c941f7e5768b621dea4e76 Mon Sep 17 00:00:00 2001
From: Mikhail Golubev
Date: Mon, 22 May 2017 14:52:56 -0700
Subject: [PATCH] Fixed #28229 -- Fixed the value of LoginView's "next" template variable.

---
 django/contrib/auth/views.py | 12 +++++++-----
 docs/releases/1.11.3.txt | 5 +++++
 tests/auth_tests/test_views.py | 1 +
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index 24c406bdc9..fd756e33f2 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -65,7 +65,11 @@ class LoginView(SuccessURLAllowedHostsMixin, FormView):
 return super().dispatch(request, *args, **kwargs)

 def get_success_url(self):
- """Ensure the user-originating redirection URL is safe."""
+ url = self.get_redirect_url()
+ return url or resolve_url(settings.LOGIN_REDIRECT_URL)
+
+ def get_redirect_url(self):
+ """Return the user-originating redirect URL if it's safe."""
 redirect_to = self.request.POST.get(
 self.redirect_field_name,
 self.request.GET.get(self.redirect_field_name, '')
@@ -75,9 +79,7 @@ class LoginView(SuccessURLAllowedHostsMixin, FormView):
 allowed_hosts=self.get_success_url_allowed_hosts(),
 require_https=self.request.is_secure(),
 )
- if not url_is_safe:
- return resolve_url(settings.LOGIN_REDIRECT_URL)
- return redirect_to
+ return redirect_to if url_is_safe else ''

 def get_form_class(self):
 return self.authentication_form or self.form_class
@@ -96,7 +98,7 @@ class LoginView(SuccessURLAllowedHostsMixin, FormView):
 context = super().get_context_data(**kwargs)
 current_site = get_current_site(self.request)
 context.update({
- self.redirect_field_name: self.get_success_url(),
+ self.redirect_field_name: self.get_redirect_url(),
 'site': current_site,
 'site_name': current_site.name,
 })
diff --git a/docs/releases/1.11.3.txt b/docs/releases/1.11.3.txt
index 6afe77e8bb..5ff33e42e6 100644
--- a/docs/releases/1.11.3.txt
+++ b/docs/releases/1.11.3.txt
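Review bot: `get_success_url()` loses its docstring in the -65,7 hunk, and the new `get_redirect_url()` docstring does not say what comes back when the target is rejected. The -75,9 hunk returns `''` for both a missing and an unsafe redirect parameter, and `get_success_url()` depends on that falsy value to fall back to `settings.LOGIN_REDIRECT_URL`, so the contract is worth writing down. Suggested docstrings: `"""Return the validated redirect URL, or LOGIN_REDIRECT_URL if none was sent or it was unsafe."""` on `get_success_url()` and `"""Return the user-originating redirect URL if it's safe, else an empty string."""` on `get_redirect_url()`. `get_redirect_url()` starts in the first hunk and ends in the second.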
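Review bot: In the -96,7 hunk the template context now takes its value straight from `get_redirect_url()`, which makes that method the single place where the user-supplied target is validated for both the post-login redirect and the value handed to the template. A subclass that overrides `get_redirect_url()` has to keep the allowed-hosts and HTTPS check itself, and nothing in the code says so. A short comment above the context entry would record it: `# Validated by get_redirect_url(); '' when the parameter is absent or unsafe.` The body of `get_context_data()` starts outside the hunk.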
@@ -35,3 +35,8 @@ Bugfixes
 * Prevented ``Paginator``’s unordered object list warning from evaluating a ``QuerySet`` (:ticket:`28284`).
+
+* Fixed the value of ``redirect_field_name`` in ``LoginView``’s template
+ context. It's now an empty string (as it is for the original function-based
+ ``login()`` view) if the corresponding parameter isn't sent in a request (in
+ particular, when the login page is accessed directly) (:ticket:`28229`).
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 7dbf74928d..354eea7899 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -835,6 +835,7 @@ class LoginRedirectAuthenticatedUser(AuthViewsTestCase):
 self.login()
 response = self.client.get(self.dont_redirect_url)
 self.assertEqual(response.status_code, 200)
+ self.assertEqual(response.context['next'], '')

 def test_guest(self):
 """If not logged in, stay on the same page."""
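Review bot: The added assertion in the test_views.py hunk only pins the case where no redirect parameter is sent; the security-relevant branch, a `next` value that fails the host/scheme check, is not covered for the template context. Before this commit that case put the `LOGIN_REDIRECT_URL` fallback into the context and it should now yield `''`, so a regression in the rejection path would go unnoticed. A companion check such as `response = self.client.get(self.dont_redirect_url, {'next': 'http://example.com/'})` followed by `self.assertEqual(response.context['next'], '')` would cover it (the URL is a constructed off-site sample). The test method this assertion belongs to starts outside the hunk.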