Django: information leakage problem when using @login_required and setting LOGIN_URL

I found a form of information leakage when using the @login_required decorator and setting the LOGIN_URL variable.

I have a site that requires a mandatory login for all content. The problem is that you get redirected to the login page with the next variable set when it's an existing page.

So when not logged in and asking for:

 http://localhost:8000/validurl/

You see this:

 http://localhost:8000/login/?next=/validurl/

And when requesting a non-existing page:

 http://localhost:8000/faultyurl/

You see this:

 http://localhost:8000/login/

Which reveals some information that I don't want. I thought of overriding the login method, forcing the next to empty and calling 'super' on this subclassed method.

An additional problem is that some of my tests fail without the LOGIN_URL set. They redirect to '/accounts/login/' instead of '/login/'. Hence why I'd like to use the LOGIN_URL but disable the 'auto next' feature.

Anybody that can shed some light on the subject?

Thanks a lot.

Gerard.

GerardJP asked Jan 11 '10 13:01


1 Answer

You can include this line as the last pattern in your urls.py file. It will re-route URLs that do not match any other pattern to the login page.

from django.conf.urls.defaults import patterns

urlpatterns = patterns('',

    ...

    # Catch-all: must stay the last pattern so every real URL (including /login/
    # itself) is matched first. redirect_to interpolates the captured group into
    # 'url', so /faultyurl/ becomes /login/?next=/faultyurl/, the same shape that
    # @login_required produces for pages that exist.
    (r'^(?P<path>.+)$', 'django.views.generic.simple.redirect_to', {
        'url': '/login/?next=/%(path)s',
        'permanent': False
    }),
)

EDIT: To keep raising 404 pages to authenticated users, do the following:

from django.conf.urls.defaults import patterns
from django.http import Http404, HttpResponseRedirect


def fake_redirect(request, path):
    # In the patterns()-era Django releases is_authenticated is a method on
    # User/AnonymousUser. Without the parentheses the bound method is always
    # truthy, so every visitor (anonymous ones included) would get a 404 and
    # the redirect branch would never run.
    if request.user.is_authenticated():
        # Real URLs were already resolved above, so for a logged-in user
        # reaching the catch-all is a genuine 404.
        raise Http404()
    else:
        # Anonymous visitors get the same redirect shape for every URL.
        return HttpResponseRedirect('/login/?next=/%s' % path)

urlpatterns = patterns('',

    ...

    (r'^(?P<path>.+)$', fake_redirect),
)
jbochi answered Oct 22 '22 23:10
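A middleware version of the same idea for current Django, added here as an example (it is not code from the question or from jbochi's answer). Instead of a catch-all URL pattern it runs before URL resolution, so an anonymous visitor gets byte-for-byte the same Location header for /validurl/ and /faultyurl/, while authenticated users still receive real 404s from their views. It assumes LOGIN_URL = '/login/' as in the question; the exempt prefixes and the class name LoginWallMiddleware are hypothetical. The redirect builder refuses absolute and protocol-relative values so the next parameter can never turn into an open redirect.

```python
"""Uniform login wall for a Django site where every page requires login.

Added example, not the page's own code. Place LoginWallMiddleware after
django.contrib.auth.middleware.AuthenticationMiddleware in MIDDLEWARE.
The decision helpers are plain functions so they can be unit-tested
without a Django installation.
"""
from urllib.parse import urlencode, urlsplit

LOGIN_URL = "/login/"                       # assumed to match settings.LOGIN_URL
EXEMPT_PREFIXES = ("/login/", "/static/")   # hypothetical paths reachable anonymously


def is_exempt(path, exempt_prefixes=EXEMPT_PREFIXES):
    """True if anonymous visitors may reach this path (login page, static files)."""
    return any(path.startswith(prefix) for prefix in exempt_prefixes)


def login_redirect_target(full_path, login_url=LOGIN_URL, field="next"):
    """Build LOGIN_URL?next=<full_path>, the shape @login_required emits.

    full_path must be a site-relative path (query string allowed). Absolute
    and protocol-relative values are refused so the login page cannot be
    abused as an open redirect.
    """
    parts = urlsplit(full_path)
    if parts.scheme or parts.netloc or not full_path.startswith("/"):
        raise ValueError("next must be a site-relative path")
    # safe='/' keeps slashes readable, matching /login/?next=/validurl/
    return "%s?%s" % (login_url, urlencode({field: full_path}, safe="/"))


def decide(path, full_path, is_authenticated):
    """Return ('pass', None) to let the request through or ('redirect', location).

    The decision depends only on the visitor's auth state and the exempt list,
    never on whether the URL resolves, so valid and bogus URLs are
    indistinguishable to an anonymous visitor.
    """
    if is_authenticated or is_exempt(path):
        return ("pass", None)
    return ("redirect", login_redirect_target(full_path))


class LoginWallMiddleware:
    """Django middleware wrapper around decide()."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        action, location = decide(
            request.path, request.get_full_path(), request.user.is_authenticated
        )
        if action == "redirect":
            # Imported lazily so the helpers above stay importable without Django.
            from django.http import HttpResponseRedirect
            return HttpResponseRedirect(location)
        # Authenticated visitors get the view's real answer, 404s included.
        return self.get_response(request)
```

Whichever approach you choose, verify it from the outside the way an attacker would: request one URL you know exists and one you know does not, both without a session cookie, and confirm that status code and Location header are identical apart from the path you asked for.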