Add a safeguard to debug decorators (sensitive_variables/sensitive_post_parameters) to prevent incorrect usage.

[Baptiste Mispelon]

While trying to reproduce ticket:26480#comment:5, I noticed that Django happily lets you write this kind of code:

@sensitive_variables # incorrect usage, should be @sensitive_variables()
def is_password_ok(password):
    return len(password) > 8

It's very easy to miss that you forgot the (). Most of the time it's not really dangerous because the decorated function will be unusable but in this case, the consequences are pretty nasty:

>>> bool(is_password_ok('asdf'))
True  # you would expect False because len('asdf') < 8

I propose adding some code to both sensitive_variables() and sensitive_post_parameters() that catches this misuse to prevent users from decorating their functions incorrectly.
Because both decorators take either no arguments or only string arguments, it's not too hard to detect the error with something like this:

def sensitive_variables(*variables):
    if len(variables) == 1 and callable(variables[0]):
        raise TypeError(...)
    # ...

This should be fully backwards compatible and in most cases it will raise the error at import time which should make things easier to fix for those who've incorrectly used the decorator.

(I've confirmed with the security team that this does not need to be treated as a security issue)

[Baptiste Mispelon]

​PR here

I've included tests but no release notes. Does this need any?

[Mariusz Felisiak]

Release notes are not required.

[Mariusz Felisiak <felisiak.mariusz@…>]

In d8e23335:

Fixed #31077 -- Made debug decorators raise TypeError if they're not called.

Django will raise an error if you forget to call the decorator.