The "next" variable is set in the login page, even when accessed directly

[Shrikant Sharat]

In the default authentication system, when a user tries to access a protected page without logging in, he/she gets redirected to the login page. When this happens, the next template variable is set to the URL of the protected page. This is working fine.

However, when the user directly opens up the login page, for example by entering the URL in the address bar, the next template variable should not be set. But it is set to settings.LOGIN_REDIRECT_URL (or it's default value), which is unexpected.

Because of this, if we are using the template for login.html as given in the ​documentation, we see the Please login to see this page. message even when the user opens the login page directly.

I tried to debug to find where the problem is, and found it in django.contrib.auth.views.LoginView class. This class has a method get_success_url which gets the redirect url either from the next parameter or from the LOGIN_REDIRECT_URL. This method is being also used to populate the context for the login form in the method get_context_data, which, in my opinion is incorrect. The dispatch method also uses the get_success_url to get the redirect url, which is correct because the purpose there is to actually redirect.

[Marten Kenbeek]

This behaviour changed in 78963495d0caadb77eb97ccf319ef0ba3b204fb5. It used to be the empty string if no next parameter was passed through GET or POST, and it was only resolved to LOGIN_REDIRECT_URL when the user had to be redirected, after the login.

[Tim Graham]

​PR

[Tim Graham <timograham@…>]

In e7dc39fb:

Fixed #28229 -- Fixed the value of LoginView's "next" template variable.

[Tim Graham <timograham@…>]

In 16431b0:

[1.11.x] Fixed #28229 -- Fixed the value of LoginView's "next" template variable.

Backport of e7dc39fb65e51d7613c941f7e5768b621dea4e76 from master