#35288: login_required / user_passes_test redirects back to POST-only view
--------------------------------------------+------------------------
               Reporter:  Patrick Rauscher  |          Owner:  nobody
                   Type:  Bug               |         Status:  new
              Component:  contrib.auth      |        Version:  5.0
               Severity:  Normal            |       Keywords:
           Triage Stage:  Unreviewed        |      Has patch:  0
    Needs documentation:  0                 |    Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  0
                  UI/UX:  0                 |
--------------------------------------------+------------------------
 Assume an application with session timeout and a login restricted area. In
 this area there is a form, POSTing its content to a view which has
 `@require_http_methods(["POST"])` as a security precaution.

 A valid user visits the site with the form, stays there long enough for
 the session to time out and submits the form. Django will check if the
 user is logged in, which leads to `user_passes_test` evaluating to false
 and redirecting the user back to login while setting the next-url-
 parameter to the submit-view. After login, the user is redirected to the
 view which returns error 405 due to `@require_http_methods(["POST"])`.

 I'm quite sure this is a bug, as 405 would not be the error he
 anticipates, but I'm not too sure about a possible fix. One solution would
 be to check in `user_passes_test` if we have a POST/PUT/...-Request and
 try to use Referer in that case?
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35288>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
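The redirect logic the ticket asks about, as an added illustration that is not part of the ticket or of Django's own code: for unsafe methods the `next` target is taken from a same-host Referer (the page that hosted the form) instead of the POST-only submit view, so the post-login redirect lands on a GET-able page rather than a 405. The `Request` class is a constructed stand-in for Django's `HttpRequest`, and `LOGIN_URL` is an assumed setting.

```python
from urllib.parse import urlencode, urlsplit

LOGIN_URL = "/accounts/login/"          # assumed value for the example
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Request:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""

    def __init__(self, method, path, host, authenticated, referer=None):
        self.method = method
        self.path = path
        self.host = host
        self.authenticated = authenticated
        self.headers = {"Referer": referer} if referer else {}


def next_url_for_login(request, fallback="/"):
    """Choose the ?next= target for an unauthenticated request.

    Safe requests can simply be replayed after login, so their own path is used.
    A POST/PUT/... cannot be replayed (the body is gone), and sending the user back
    to a POST-only view yields the 405 from the ticket, so we use the same-host
    Referer (the form page) instead. A Referer on another host is ignored to avoid
    turning the login redirect into an open redirect.
    """
    if request.method in SAFE_METHODS:
        return request.path
    referer = request.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme in ("http", "https") and parts.netloc == request.host:
            return parts.path + ("?" + parts.query if parts.query else "")
    return fallback


def login_redirect(request):
    """Return the login URL with ?next=..., or None if the request may proceed."""
    if request.authenticated:
        return None
    return LOGIN_URL + "?" + urlencode({"next": next_url_for_login(request)})
```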