#35288: login_required / user_passes_test redirects back to POST-only view
--------------------------------------------+------------------------
               Reporter:  Patrick Rauscher  |          Owner:  nobody
                   Type:  Bug               |         Status:  new
              Component:  contrib.auth      |        Version:  5.0
               Severity:  Normal            |       Keywords:
           Triage Stage:  Unreviewed        |      Has patch:  0
    Needs documentation:  0                 |    Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  0
                  UI/UX:  0                 |
--------------------------------------------+------------------------
 Assume an application with session timeout and a login restricted area.
 In this area there is a form, POSTing its content to a view which has
 `@require_http_methods(["POST"])` as a security precaution.

 A valid user visits the site with the form, stays there long enough for
 the session to time out and submits the form. Django will check if the
 user is logged in, which leads to `user_passes_test` evaluating to false
 and redirecting the user back to login while setting the
 next-url-parameter to the submit-view. After login, the user is redirected
 to the view which returns error 405 due to
 `@require_http_methods(["POST"])`.

 I'm quite sure this is a bug, as 405 would not be the error he
 anticipates, but I'm not too sure about a possible fix.

 One solution would be to check in `user_passes_test` if we have a
 POST/PUT/...-Request and try to use Referer in that case?

--
Ticket URL: <https://code.djangoproject.com/ticket/35288>
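
The Referer idea raised at the end of the ticket, as an added framework-free sketch (not Django's code and not part of the original report). The function names, the `fallback` parameter and the sample hosts are hypothetical; the Referer is only honoured when it points at the same host, since it is client-controlled and would otherwise turn `next` into an open redirect.

```python
from urllib.parse import urlencode, urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def same_origin_path(referer, host):
    """Return the path (plus query) of `referer` if it points at `host`, else None."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:  # malformed header value
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # Compare against the Host the request arrived on (including any port).
    if parts.netloc.lower() != host.lower():
        return None
    path = parts.path or "/"
    # "//other.example/" and backslash forms are read by browsers as another host.
    if path.startswith("//") or "\\" in path:
        return None
    return path + ("?" + parts.query if parts.query else "")


def login_redirect_target(method, path, referer, host,
                          login_url="/accounts/login/", fallback="/"):
    """Build the login redirect for an unauthenticated request (hypothetical helper)."""
    if method.upper() in SAFE_METHODS:
        next_url = path  # safe methods can be replayed as a GET after login
    else:
        # A POST-only view would answer the post-login GET with 405, so send
        # the user back to the page holding the form, or to a fixed fallback.
        next_url = same_origin_path(referer, host) or fallback
    return login_url + "?" + urlencode({"next": next_url}, safe="/")


if __name__ == "__main__":
    # Constructed sample requests: (method, path, Referer header)
    samples = [
        ("GET", "/reports/", None),
        ("POST", "/form/submit/", "https://app.example/form/?step=2"),
        ("POST", "/form/submit/", "https://evil.example/phish"),
    ]
    for method, path, referer in samples:
        print(method, path, "->", login_redirect_target(method, path, referer, "app.example"))
```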