
Commit 75d2bcd

committed
Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
Thanks Collin Anderson for the report. Backport of 425d076 from master
1 parent cca302c commit 75d2bcd


2 files changed

+10
-3
lines changed


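--- a/django/contrib/auth/admin.py
+++ b/django/contrib/auth/admin.py
@@ -17,6 +17,8 @@
 from django.views.decorators.debug import sensitive_post_parameters
 
 csrf_protect_m = method_decorator(csrf_protect)
+sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
+
 
 class GroupAdmin(admin.ModelAdmin):
 search_fields = ('name',)
@@ -83,7 +85,7 @@ def get_urls(self):
 self.admin_site.admin_view(self.user_change_password))
 ) + super(UserAdmin, self).get_urls()
 
-@sensitive_post_parameters()
+@sensitive_post_parameters_m
 @csrf_protect_m
 @transaction.commit_on_success
 def add_view(self, request, form_url='', extra_context=None):
@@ -113,7 +115,7 @@ def add_view(self, request, form_url='', extra_context=None):
 return super(UserAdmin, self).add_view(request, form_url,
 extra_context)
 
-@sensitive_post_parameters()
+@sensitive_post_parameters_m
 def user_change_password(self, request, id, form_url=''):
 if not self.has_change_permission(request):
 raise PermissionDenied
@@ -170,4 +172,3 @@ def response_add(self, request, obj, post_url_continue='../%s/'):
 
 admin.site.register(Group, GroupAdmin)
 admin.site.register(User, UserAdmin)
-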
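Review bot: The new `sensitive_post_parameters_m` alias in the first hunk carries no comment explaining why methods must use it instead of the bare decorator, which is the mistake this commit corrects on `add_view` and `user_change_password`. Applied directly to a method, the wrapper gets the `UserAdmin` instance as its first argument, so `sensitive_post_parameters` is set on that object rather than on the request and the password fields are presumably left unmasked in error reports. I would add above the alias: `# Use this on methods: the bare decorator would receive self instead of the request.` The commit touches only two files, so a regression test asserting that the request reaching `add_view` carries the attribute would also be worth adding. Both decorated methods run past the ends of their hunks.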

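--- a/django/views/decorators/debug.py
+++ b/django/views/decorators/debug.py
@@ -1,5 +1,7 @@
 import functools
 
+from django.http import HttpRequest
+
 
 def sensitive_variables(*variables):
 """
@@ -62,6 +64,10 @@ def my_view(request)
 def decorator(view):
 @functools.wraps(view)
 def sensitive_post_parameters_wrapper(request, *args, **kwargs):
+assert isinstance(request, HttpRequest), (
+"sensitive_post_parameters didn't receive an HttpRequest. If you "
+"are decorating a classmethod, be sure to use @method_decorator."
+)
 if parameters:
 request.sensitive_post_parameters = parameters
 else: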
