"next" param ignored in some cases #214

Novarg · 2017-06-05T16:07:51Z

When "next" param presents in both GET and POST dicts those from GET will be ignored even if value of POST is empty string.

core.py:112 (in LoginView)

        redirect_to = self.request.POST.get(
            self.redirect_field_name,
            self.request.GET.get(self.redirect_field_name, '')
        )

I think above code should be with OR logic for cases when post param exist but empty (imagine you redirect user from some page on login form like example.com/accounts/login?next=/restricted/area and login form has hidden but empty "next" field).

redirect_to = self.request.POST.get(self.redirect_field_name, '') or \
                      self.request.GET.get(self.redirect_field_name, '')

The text was updated successfully, but these errors were encountered:

Bouke · 2017-06-05T18:29:15Z

Not sure I understand the issue here. Why would the login form's next field be empty in this case? Shouldn't it have populated from the GET parameter in this case?

Novarg · 2017-06-06T08:35:09Z

It not populated by LoginView of this package (on initial step if you have "next" in url, you will have empty hidden input in login form which will override value from GET on form submit).

Django builtin view return redirect_field_name in context each time to populate such template:

<input type="hidden" name="next" value="{{ next }}" />

And context from django login view:

context = {
        'form': form,
        redirect_field_name: redirect_to,
        'site': current_site,
        'site_name': current_site.name,
    }

May be even better to return redirect_field_name: redirect_to in context the same way django doing in each step so redirect field can be populated properly and disregard that "or" logic from above.

Bouke · 2017-07-21T19:40:18Z

I'm still not sure why the next parameter in the URL would be empty? Wouldn't that be the underlying problem causing this issue?

ghost · 2018-07-27T09:51:43Z

I just ran into the same issue, when I replaced Django's login view with the two-factor LoginView. The difference between the two is that Django's LoginView.get_context_data() adds next (or, more precisely, self.redirect_field_name) to the context, but the two-factor LoginView doesn't. Therefore,

<input type="hidden" name="next" value="{{ next }}" />

is rendered as

<input type="hidden" name="next" value="" />

which causes the problem with the empty next in request.POST.

I have fixed this by sub-classing the two-factor LoginView and adding the missing next to the context. Alternatively, one could simply remove the above hidden input, so that the next query parameter from request.GET is used.

Anyway, I think the two-factor LoginView should add self.redirect_field_name to the context as Django's LoginView does.

It resolves jazzband#214 Based on https://github.com/django/django/blob/f4e93919e4608cfc50849a1f764fd856e0917401/django/contrib/auth/views.py#L99

Bouke added the bug label Jul 21, 2017

Bouke removed the enhancement label Feb 22, 2018

merito mentioned this issue Jul 27, 2020

Add redirect_field_name to LoginView context to fix "next" #369

Closed

8 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

"next" param ignored in some cases #214

"next" param ignored in some cases #214

Novarg commented Jun 5, 2017 •

edited

Loading

Bouke commented Jun 5, 2017

Novarg commented Jun 6, 2017 •

edited

Loading

Bouke commented Jul 21, 2017

ghost commented Jul 27, 2018

"next" param ignored in some cases #214

"next" param ignored in some cases #214

Comments

Novarg commented Jun 5, 2017 • edited Loading

Bouke commented Jun 5, 2017

Novarg commented Jun 6, 2017 • edited Loading

Bouke commented Jul 21, 2017

ghost commented Jul 27, 2018

Novarg commented Jun 5, 2017 •

edited

Loading

Novarg commented Jun 6, 2017 •

edited

Loading