[Django] #35288: login_required / user_passes_test redirects back to POST-only view


Django

Mar 11, 2024, 7:30:37 AM
to django-...@googlegroups.com
#35288: login_required / user_passes_test redirects back to POST-only view
--------------------------------------------+------------------------
Reporter: Patrick Rauscher | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 5.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------+------------------------
Assume an application with session timeout and a login restricted area. In
this area there is a form, POSTing its content to a view which has
`@require_http_methods(["POST"])` as a security precaution.

A valid user visits the site with the form, stays there long enough for
the session to time out and submits the form. Django will check if the
user is logged in, which leads to `user_passes_test` evaluating to false
and redirecting the user back to login while setting the next-url
parameter to the submit-view. After login, the user is redirected to the
view which returns error 405 due to `@require_http_methods(["POST"])`.

I'm quite sure this is a bug, as 405 would not be the error he
anticipates, but I'm not too sure about a possible fix. One solution would
be to check in `user_passes_test` if we have a POST/PUT/... request and
try to use Referer in that case?
--
Ticket URL: <https://code.djangoproject.com/ticket/35288>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Mar 11, 2024, 9:17:23 AM
to django-...@googlegroups.com
#35288: login_required / user_passes_test redirects back to POST-only view
----------------------------------+--------------------------------------
Reporter: Patrick Rauscher | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: 5.0
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Changes (by Natalia Bidart):

* resolution: => wontfix
* status: new => closed
* type: Bug => New feature

Comment:

Hello Patrick, thanks for your report and for helping make Django
better.

I do understand your issue though it seems a bit of a niche problem to me.
I believe you could fix this by providing a custom view for the
`login_url` param of the `user_passes_test` method that would redirect the
user to whatever view is more appropriate than the POST-only view,
particularly a view that could handle GET requests and provide a way of
refreshing the session and taking the user to a suitable page to redo the
POST. Also, your POST-only view could be tweaked so GET requests are
allowed only when coming from a login operation, and the view itself could
raise 405 for every other situation.

In summary, I don't think this is a bug in Django, and I don't think the
outlined issue applies to the broader ecosystem. Django is a framework
designed to offer robust and accurate solutions for common scenarios, so
I'll close the ticket accordingly, but if you disagree, you can consider
starting a new conversation on the
[https://forum.djangoproject.com/c/internals/5 Django Forum], where you'll
reach a wider audience and likely get extra feedback. More information in
[https://docs.djangoproject.com/en/stable/internals/contributing/bugs-and-features/#requesting-features the documented guidelines for requesting
features].
--
Ticket URL: <https://code.djangoproject.com/ticket/35288#comment:1>
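The sequence described in the report (expired session, POST, login redirect, GET back to a POST-only view, 405) and the kind of mitigation sketched in the reply, as an added model in plain Python. This is not Django's code and not the reporter's: the `Request`/`Response` classes, the two decorators, the route table, the `/form/`, `/submit/` and `/dashboard/` paths and the `login_required_safe_next` decorator are constructed stand-ins for the contrib.auth machinery, chosen so the block runs without Django installed. The point worth seeing in code is the one the report's own suggestion glosses over: a Referer used as a post-login target has to be checked for same origin, or the login redirect becomes an open redirect.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_URL = "/accounts/login/"
FALLBACK_AFTER_LOGIN = "/dashboard/"      # hypothetical GET-able landing page
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:                            # constructed stand-in for HttpRequest
    method: str
    path: str
    host: str = "example.com"             # constructed sample host
    user_authenticated: bool = False
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:                           # constructed stand-in for HttpResponse
    status: int
    location: Optional[str] = None
    body: str = ""


def redirect_to_login(next_url: str) -> Response:
    # 302 to the login page with ?next=<url-encoded target>
    return Response(302, location=f"{LOGIN_URL}?{urlencode({'next': next_url})}")


def login_required(view: Callable) -> Callable:
    """Model of the stock behaviour from the report: an unauthenticated request,
    whatever its method, is bounced to login with next= set to the requested path."""
    def wrapper(request: Request) -> Response:
        if not request.user_authenticated:
            return redirect_to_login(request.path)
        return view(request)
    return wrapper


def require_http_methods(allowed):
    """Model of the method guard: anything not in `allowed` gets a 405."""
    def decorator(view):
        def wrapper(request):
            if request.method not in allowed:
                return Response(405)
            return view(request)
        return wrapper
    return decorator


def same_origin_path(referer: Optional[str], host: str) -> Optional[str]:
    """Accept a Referer only if it names our own host, and return just its path.
    A scheme-relative path (//evil.example) is rejected too, since a browser
    would treat that as a cross-site redirect."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.netloc != host:
        return None
    path = parts.path or "/"
    if path.startswith("//") or path.startswith("/\\"):
        return None
    return path


def login_required_safe_next(view):
    """Hypothetical hardened variant: a non-safe method never becomes the
    post-login next= target; use the same-origin Referer path, else a fixed page."""
    def wrapper(request):
        if request.user_authenticated:
            return view(request)
        if request.method in SAFE_METHODS:
            return redirect_to_login(request.path)
        target = same_origin_path(request.headers.get("Referer"), request.host)
        return redirect_to_login(target or FALLBACK_AFTER_LOGIN)
    return wrapper


@login_required
def form_view(request):
    return Response(200, body="<form method=post action=/submit/>")

@login_required
def dashboard_view(request):
    return Response(200, body="dashboard")

@login_required
@require_http_methods(["POST"])
def submit_original(request):
    return Response(200, body="saved")

@login_required_safe_next
@require_http_methods(["POST"])
def submit_hardened(request):
    return Response(200, body="saved")


def replay(submit_view, referer: Optional[str]):
    """Walk the ticket's sequence: expired session POSTs, follows the login
    redirect, logs in, and is sent to next= with a GET. Returns (next, status)."""
    routes = {"/form/": form_view, "/dashboard/": dashboard_view, "/submit/": submit_view}
    headers = {"Referer": referer} if referer else {}
    first = submit_view(Request("POST", "/submit/", headers=headers))
    assert first.status == 302
    next_url = parse_qs(urlsplit(first.location).query)["next"][0]
    final = routes[next_url](Request("GET", next_url, user_authenticated=True))
    return next_url, final.status


if __name__ == "__main__":
    print(replay(submit_original, "https://example.com/form/"))   # ('/submit/', 405)
    print(replay(submit_hardened, "https://example.com/form/"))   # ('/form/', 200)
    print(replay(submit_hardened, "https://evil.example/form/"))  # ('/dashboard/', 200)
    print(replay(submit_hardened, None))                          # ('/dashboard/', 200)
```

In a real Django project the same-origin check should be done with `django.utils.http.url_has_allowed_host_and_scheme` (which is what the login view already applies to `next`) rather than a hand-rolled `urlsplit` comparison, and the Referer is read from `request.META["HTTP_REFERER"]`; the fallback page and the "non-safe method gets a different next" rule are the part this model adds.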