Is there any reason why getting the redirect_to path in django.contrib.auth.views.login()

    """
    Displays the login form and handles the login action.
    """
    redirect_to = request.REQUEST.get(redirect_field_name, '')

happens before we actually call the auth_login(request, form.get_user())?

The auth.login is what fires the user_logged_in signal anyway, and its handlers have access to modify every bit of the request. However, the redirect_to URL was already read by then, and at the end of the view we have

    return HttpResponseRedirect(redirect_to)

Does it make sense to reread the redirect_to after we do the security checks instead of before? So this:

    # Use default setting if redirect_to is empty
    if not redirect_to:
        redirect_to = settings.LOGIN_REDIRECT_URL

    # Heavier security check -- don't allow redirection to a different
    # host.
    elif netloc and netloc != request.get_host():
        redirect_to = settings.LOGIN_REDIRECT_URL

    # Okay, security checks complete. Log the user in.
    auth_login(request, form.get_user())

becomes this:

    # Okay, security checks complete. Log the user in.
    auth_login(request, form.get_user())

    # Use default setting if redirect_to is empty
    if not redirect_to:
        redirect_to = settings.LOGIN_REDIRECT_URL

    # Heavier security check -- don't allow redirection to a different
    # host.
    elif netloc and netloc != request.get_host():
        redirect_to = settings.LOGIN_REDIRECT_URL

This way, if we decide to change the redirect_to for that request, it will be picked up by the login view.

Are there any security implications for doing this?

Meitham
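A small stand-alone simulation of the ordering question raised above, added here as an example; it is not code from Django or from the post. FakeRequest, the user_logged_in_receivers list and the two constants are constructed stand-ins for the real request, signal and settings, and login_view() can read the redirect target either before or after auth_login() while always applying the view's host check to the value it finally uses.

```python
from urllib.parse import urlparse

# Constructed stand-ins for settings.LOGIN_REDIRECT_URL and REDIRECT_FIELD_NAME.
LOGIN_REDIRECT_URL = "/accounts/profile/"
REDIRECT_FIELD_NAME = "next"

# Constructed stand-in for the receivers connected to the user_logged_in signal.
user_logged_in_receivers = []


class FakeRequest:
    """Constructed stand-in for HttpRequest: a mutable query dict plus a host."""

    def __init__(self, params, host="example.com"):
        self.REQUEST = dict(params)
        self._host = host

    def get_host(self):
        return self._host


def auth_login(request, user):
    """Stand-in for django.contrib.auth.login: attach the user, then fire receivers."""
    request.user = user
    for receiver in user_logged_in_receivers:
        receiver(request=request, user=user)


def check_redirect(redirect_to, request):
    """The view's own rule: an empty or foreign-host target falls back to the default."""
    netloc = urlparse(redirect_to)[1]
    if not redirect_to:
        return LOGIN_REDIRECT_URL
    if netloc and netloc != request.get_host():
        return LOGIN_REDIRECT_URL
    return redirect_to


def login_view(request, user, reread_after_login):
    """Return the final redirect target; False = current ordering, True = proposal."""
    redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
    auth_login(request, user)
    if reread_after_login:
        # Proposal: read again, so a receiver's change to the request is seen.
        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
    # Either way, the host check runs on the value that is actually returned.
    return check_redirect(redirect_to, request)
```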