#21911: Admin login can cause data loss
-------------------------------+--------------------
     Reporter:  pennersr       |      Owner:  nobody
         Type:  Bug            |     Status:  new
    Component:  contrib.admin  |    Version:  1.4
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------
 Prerequisites: plain Django project with admin enabled, no CSRF middleware

 To reproduce:
 1. Open up a browser, make sure you are not logged in
 2. Open up two tabs, both visiting: /admin/sites/site/add/
 3. You should be presented with a login form in both tabs.
 4. Log in in tab 1).
 5. Switch to tab 2) and log in there as well.

 Expected result:
 6. You end up at /admin/sites/site/add/ via a GET request

 Actual result:
 6. The login in tab 2) fires its POST data at the /admin/sites/site/add/
 view (proven by the fact that you will see validation errors).


 Now, while in this case the actual result may seem rather harmless, we
 have had an incident where somebody unknowingly destroyed precious data by
 doing this. This may happen if the URL belongs to an update URL, and, the
 form happens to be considered valid (e.g. if no fields are required you
 will essentially blank out the model you are updating).

 Why doesn't the staff_member_required decorator use a redirect to a separate
 login view, with next=/admin/sites/add ?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/21911>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
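The two-tab sequence from the ticket, replayed against a small pure-Python model of both dispatch designs the reporter contrasts (added example, not code from the ticket or from Django; the Session, Request, view and credential objects are stand-ins, and `this_is_the_login_form`, `correct horse` and the URLs are constructed values). It shows why a login form that posts back to the protected URL hands a stale login POST to that view once the shared session is authenticated, while a separate login view reached by redirect with `next=` never lets the protected view see anything but a GET.

```python
from dataclasses import dataclass, field
from typing import Optional

ADD_URL, LOGIN_URL = "/admin/sites/site/add/", "/admin/login/"

@dataclass
class Session:
    user: Optional[str] = None       # one session cookie, shared by every tab

@dataclass
class Request:
    method: str
    path: str
    session: Session
    POST: dict = field(default_factory=dict)

def authenticate(data):              # constructed stand-in for the auth backend
    return data.get("username") if data.get("password") == "correct horse" else None

def inline_login_dispatch(view):
    """Design the ticket describes: the login form is rendered at the protected URL
    and posts back to it; once the session is authenticated, *any* POST reaches view."""
    def inner(request):
        if request.session.user is None:
            if request.method == "POST" and "this_is_the_login_form" in request.POST:
                request.session.user = authenticate(request.POST)
            return ("redirect", request.path) if request.session.user else ("login_form", request.path)
        return view(request)
    return inner

def login_view(request):
    """Separate login view: its form posts here only, never to a protected URL."""
    if request.session.user is None and request.method == "POST":
        request.session.user = authenticate(request.POST)
    nxt = request.POST.get("next", "/admin/")
    return ("redirect", nxt) if request.session.user else ("login_form", LOGIN_URL)

def redirect_login_dispatch(view):
    """Design the reporter asks for: unauthenticated requests go to LOGIN_URL?next=."""
    def inner(request):
        if request.session.user is None:
            return ("redirect", f"{LOGIN_URL}?next={request.path}")
        return view(request)
    return inner

def two_tab_scenario(inline):
    """Replay the ticket: both tabs show a login form, tab 1 logs in, tab 2 then submits
    its stale form. Returns (method, POST keys) for every call the add view received."""
    seen, session = [], Session()
    def add_view(r):
        seen.append((r.method, sorted(r.POST)))
        return ("add_form", r.path)
    creds = {"this_is_the_login_form": "1", "username": "alice",
             "password": "correct horse", "next": ADD_URL}
    protected = (inline_login_dispatch if inline else redirect_login_dispatch)(add_view)
    for _tab in (1, 2):
        target, url = (protected, ADD_URL) if inline else (login_view, LOGIN_URL)
        kind, location = target(Request("POST", url, session, dict(creds)))
        if kind == "redirect":                     # the browser follows a redirect with GET
            protected(Request("GET", location, session))
    return seen
```

Under the inline design the second entry is the add view receiving tab 2's login POST, which is exactly the request that blanks out a model on an update URL whose form has no required fields.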
