Possible Django Admin or auth bug or Mozilla bug


Mike Dewhirst

Apr 13, 2022, 3:01:35 AM
to Django users
I don't know how long this has been happening for me.

Happens on Windows 10 in Mozilla Firefox but not Chrome.

In the Admin User screen where there are two boxes of Groups labelled
'Available groups' and 'Chosen groups' with controls to move groups
between boxes, everything seems to work perfectly - until I refresh the
screen!

On refresh, the Chosen groups box seems to slide across to the left and
drop all its groups into the Available box! It quickly resumes its usual
place on the right except that it is completely empty.

Shift refresh retrieves the data from the database and everything is OK.

The problem is that if an admin user accidentally saves after a refresh,
they save that profile with no permissions and that user loses all
access to their data.

I have tested identically on four different Django projects I look after
with the same results. Django versions 3.2.12 and 3.2.13 running on
Apache 2.4 on Ubuntu 20.04 and localhost on Windows 10 with the dev
server. Also happens on Ubuntu 18.04 with nginx and running Mezzanine.

Any ideas? Debug strategy?

Not sure where to start.

Seems like a Mozilla issue but I have been known to get things wrong.
Has anyone seen this?

Thanks

Mike


--
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.


Antonis Christofides

Apr 13, 2022, 9:20:45 AM
to django...@googlegroups.com

It happens here as well as far as I can see (tested on a Debian 11 server running Django 3.2.12).

The "Chosen groups" box seems to be created by JavaScript; if I run it with JavaScript disabled then it doesn't exist. Apparently JavaScript creates the box and then populates it and accordingly removes stuff from "Available groups". Therefore it could be an error in Django; maybe for some reason that JavaScript doesn't always run correctly on Firefox.

If I were you I'd file a Django bug anyway.

Regards,

Antonis

Mike Dewhirst

Apr 13, 2022, 9:37:45 PM
to django...@googlegroups.com, Antonis Christofides
Thanks Antonis

OK - the problem has two workarounds. One is to use Chrome.

Two is https://code.djangoproject.com/ticket/33386 which suggests including some javascript to disable Firefox autocomplete ...

$('form').attr('autocomplete', 'off').each(function () {
        this.reset();
});

... but this looks a bit like a sledgehammer. What might that do to other browsers?

I guess I'll give that a try and see what happens.

Cheers

Mike

Mike Dewhirst

Apr 13, 2022, 11:38:30 PM
to django...@googlegroups.com, Antonis Christofides
On 14/04/2022 11:36 am, Mike Dewhirst wrote:
> Thanks Antonis
>
> OK - the problem has two workarounds. One is to use Chrome.
>
> Two is https://code.djangoproject.com/ticket/33386 which suggests including some javascript to disable Firefox autocomplete ...
>
> $('form').attr('autocomplete', 'off').each(function () {
>         this.reset();
> });

Can anyone verify that the above javascript will work?

And I cannot because I don't know how to javascript. This is what I tried ...

<project>/static/admin/js/autocomplete_off.js


$('form').attr('autocomplete', 'off').each(function () {
        this.reset();
});

<project>/templates/admin/auth/group/change_form.html

{% extends "admin/change_form.html" %}
{% load i18n admin_urls static admin_modify %}
{% block extrastyle %}{{ block.super }}
<script src="/static/admin/js/autocomplete_off.js"></script>
{% endblock %}

Thanks

Mike



Antonis Christofides

Apr 14, 2022, 11:27:29 AM
to django-users

I haven't tried it, but I have a few observations on your template code. First, it would be better to use "{% static %}" instead of hardcoding the URL to the static files. Second, "{% block extrastyle %}" is obviously wrong for this, it should be extrajs. However, neither of these should affect what you are trying to accomplish (except if extrastyle comes earlier than extrajs).

Mike Dewhirst

Apr 14, 2022, 8:22:35 PM
to django...@googlegroups.com
Antonis

Right. I got the <script> tag to appear in the right place but I think the js itself is not being effective. 

I guess since there is an existing bug report I'll just have to live with it until magic happens.

Thanks for jumping in.

Cheers

Mike 



--
(Unsigned mail from my phone)
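
Added example, not part of the thread and not code from the Django project: the ticket's workaround rewritten without jQuery, since the admin's bundled jQuery is exposed as `django.jQuery` rather than a global `$`, and a script loaded in `<head>` runs before any `<form>` exists. The function names are hypothetical, and whether this stops the Firefox behaviour is the ticket's claim, not something verified here.

```javascript
// Hypothetical helper names; only standard DOM calls are used.
function disableFormRestore(doc) {
  // Collect every <form> currently in the document.
  const forms = Array.from(doc.querySelectorAll('form'));
  for (const form of forms) {
    // Ask the browser not to restore cached field values on reload.
    form.setAttribute('autocomplete', 'off');
    // Return every control to the state the server rendered,
    // including the selected <option>s of the groups widget.
    form.reset();
  }
  // Number of forms touched, so a caller can tell "ran" from "found nothing".
  return forms.length;
}

function installFormRestoreGuard(doc) {
  // Loaded from <head>, the forms are not parsed yet: wait for the DOM.
  if (doc.readyState === 'loading') {
    doc.addEventListener('DOMContentLoaded', () => disableFormRestore(doc));
    return 'deferred';
  }
  // Loaded late (end of body, or injected): act straight away.
  disableFormRestore(doc);
  return 'immediate';
}

// Run only in a browser; the guard keeps the file loadable elsewhere.
if (typeof document !== 'undefined') {
  installFormRestoreGuard(document);
}
```

Load it with `{% static %}` from the `extrajs` block, as suggested above. An override at `templates/admin/auth/group/change_form.html` applies to the Group form; the User screen is overridden at `templates/admin/auth/user/change_form.html`.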
