Opened 7 years ago
Last modified 7 years ago
#28779 new Cleanup/optimization
Customizing REDIRECT_FIELD_NAME is cumbersome
Reported by: | Meiyer | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.11 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When a custom `REDIRECT_FIELD_NAME` is defined (for example, for the `LoginView` in `urls.py`), the two views `PasswordChangeView` and `PasswordChangeDoneView` will still use the built-in name `next`. This is due to the decorator `django.contrib.auth.decorators.login_required` which uses the name from `django.contrib.auth.REDIRECT_FIELD_NAME` and is not customizable.
Change History (4)
comment:1 by , 7 years ago
Component: | Core (URLs) → contrib.auth |
---|---|
Type: | Bug → Cleanup/optimization |
comment:2 by , 7 years ago
Currently, in order to make Django (by itself, without 3rd-party apps!) work as expected with a customized `REDIRECT_FIELD_NAME`, one has to:
- subclass `LoginView` (or provide a value in `urls.py` via `LoginView.as_view()`)
- subclass `LogoutView` (or provide a value in `urls.py` via `LogoutView.as_view()`)
- subclass `LoginRequiredMixin`
- subclass `PermissionRequiredMixin`
- subclass `UserPassesTestMixin`
- subclass any view that uses the `login_required` decorator, that is, `PasswordChangeView`, `PasswordChangeDoneView`
  - if a custom view uses the decorator, one has to remember to modify it as well
- subclass any view that uses the `user_passes_test` decorator (currently only in Admin)
  - if a custom view uses the decorator, one has to remember to modify it as well
- build own special treatment of redirection for flat pages that require registration (no subclassing is possible)
This does not make sense.
comment:3 by , 7 years ago
Summary: | PasswordChangeView and PasswordChangeDoneView do not use a custom REDIRECT_FIELD_NAME → Customizing REDIRECT_FIELD_NAME is cumbersome |
---|---|
Triage Stage: | Unreviewed → Accepted |
Perhaps it's worth making a proposal on the DevelopersMailingList. It would be interesting to research if this feature is used to solve a different use case or if it's mostly unused such that this issue hasn't come up before.
comment:4 by , 7 years ago
Here is a monkey patch I am using.
In the apps.py ready method.

```python
def ready(self):
    from django.conf import settings
    from django.contrib import auth

    # Replace the module-level default with the value from the project's settings.
    auth.REDIRECT_FIELD_NAME = settings.REDIRECT_FIELD_NAME
```

I think it's good for the security to allow this customization. It's always good to make identification of the framework running the website harder.
As far as I see, the problem isn't specific to the password change views. If you customize `LoginView.redirect_field_name`, then you need to update all views decorated with `login_required()` to use `@login_required(redirect_field_name='...')`. The problem is that you can't make this change in views in third-party apps. For that reason, I wonder if it would have been better to make `REDIRECT_FIELD_NAME` customization use a setting (as originally proposed in #5394) rather than an argument.
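
An added example, not part of the ticket or of Django's code: a static audit using Python's `ast` module that lists the views still relying on the default field name, which are the places comment:2 says one has to remember to modify. It matches decorators and mixins by name only and checks direct base classes only; the sample module and the `return_to` value are constructed.

```python
import ast

# Decorators that accept redirect_field_name, mapped to its positional index.
DECORATORS = {"login_required": 1, "user_passes_test": 2}
MIXINS = {"LoginRequiredMixin", "PermissionRequiredMixin", "UserPassesTestMixin"}

def _name(node):
    """Last component of a Name/Attribute node (auth.login_required -> login_required)."""
    return getattr(node, "attr", None) or getattr(node, "id", None)

def _uses_default(dec):
    """Return the decorator's name if it leaves redirect_field_name at the default."""
    if isinstance(dec, ast.Call) and _name(dec.func) == "method_decorator" and dec.args:
        dec = dec.args[0]  # unwrap @method_decorator(login_required)
    call = dec if isinstance(dec, ast.Call) else None
    name = _name(call.func if call else dec)
    overridden = call and (len(call.args) > DECORATORS.get(name, 0)
                           or any(kw.arg == "redirect_field_name" for kw in call.keywords))
    return name if name in DECORATORS and not overridden else None

def find_default_redirect_field(source):
    """Return sorted (lineno, name, kind) for views relying on the default field name."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        for kind in filter(None, map(_uses_default, getattr(node, "decorator_list", []))):
            hits.append((node.lineno, node.name, kind))
        if isinstance(node, ast.ClassDef):
            mixin = next((_name(b) for b in node.bases if _name(b) in MIXINS), None)
            assigned = {_name(t) for s in node.body
                        if isinstance(s, ast.Assign) for t in s.targets}
            if mixin and "redirect_field_name" not in assigned:
                hits.append((node.lineno, node.name, mixin))
    return sorted(hits)

# Constructed sample module, not taken from the ticket.
SAMPLE = '''
@login_required
def profile(request): ...
@login_required(redirect_field_name="return_to")
def billing(request): ...
@user_passes_test(lambda u: u.is_staff)
def reports(request): ...
class Inbox(LoginRequiredMixin, View): ...
class Outbox(LoginRequiredMixin, View):
    redirect_field_name = "return_to"
class Account(View):
    @method_decorator(login_required)
    def dispatch(self, *args, **kwargs): ...
'''
```

Calling `find_default_redirect_field()` on each file's source, including files of installed third-party apps, shows which views would still redirect with `next` after `LoginView.redirect_field_name` is changed.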