开发者

Django process_view middleware resulting in 403 forbidden

I've written a small bit of middleware that catches if a user is using a temporary password and, if so, redirects them to a page th开发者_开发问答at forces them to create a new password. My problem is that the page works fine when the user is logged in and NOT using a temp password (i.e. they go to the change password URL manually), but when they ARE using a temp password the redirect from the middleware yields a 403 Forbidden page.

The middleware does one other thing in process_view after the temp password check, but this is the relevant code:

class MyMiddleware( object ):
  def process_view( self, request, view_func, view_args, view_kwargs ):
    if request.user.is_authenticated( ): 
      try:
        if request.user.get_profile( ).using_temp:
          return HttpResponseRedirect( reverse( 'change_password' ) )
        except Object.DoesNotExist:
          pass
        # Not using temp password, let the request process
        return None

Note that rendering the template directly could be used, with something like render_to_response, to fix the problem but that will cause the browser's URL to not follow as well as it not being able to really exit the page it renders.


First, I think your indenting is off in the example, but how about the following as a solution to detect when the current path is the change_password URL? This should get rid of that infinite redirect you have going on.

class MyMiddleware( object ):
  def process_view( self, request, view_func, view_args, view_kwargs ):
    if request.user.is_authenticated( ): 
      try:
        if request.user.get_profile( ).using_temp and request.path != reverse('change_password'):
          return HttpResponseRedirect( reverse( 'change_password' ) )
      except Object.DoesNotExist:
          pass
   # Not using temp password, let the request process
   return None


Which version of django are you using ?

If your are using the latest beta, setting the logging may be helpful

http://docs.djangoproject.com/en/dev/topics/logging/


Django Debug Toolbar might be helpful here. It can trap redirects and show you where it's redirecting before actually going there. This helps run down broken redirects.

That said, I'd recommend using a different "change password" page for users with temporary passwords, so it can handle permissions checking differently. The page you have might have a @login_required decorator, and a temporary password might not be considered "really" logged in.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜