Fixed django#15198 -- pass request to AuthenticationForm

Thanks to Ciantic for the report, claudep and slurms for initial work

Author: ptone

django/contrib/auth/forms.py

@@ -160,10 +160,8 @@ class AuthenticationForm(forms.Form):
 
  def __init__(self, request=None, *args, **kwargs):
  """
- If request is passed in, the form will validate that cookies are
- enabled. Note that the request (a HttpRequest object) must have set a
- cookie with the key TEST_COOKIE_NAME and value TEST_COOKIE_VALUE before
- running this validation.
+ The 'request' parameter is set for custom auth use by subclasses.
+ The form data comes in via the standard 'data' kwarg.
  """
  self.request = request
  self.user_cache = None

django/contrib/auth/tests/urls.py

@@ -1,14 +1,20 @@
 from django.conf.urls import patterns, url
 from django.contrib.auth import context_processors
+from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.auth.urls import urlpatterns
-from django.contrib.auth.views import password_reset
+from django.contrib.auth.views import password_reset, login
 from django.contrib.auth.decorators import login_required
 from django.contrib.messages.api import info
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpRequest
 from django.shortcuts import render_to_response
 from django.template import Template, RequestContext
 from django.views.decorators.cache import never_cache
 
+class CustomRequestAuthenticationForm(AuthenticationForm):
+ def __init__(self, request, *args, **kwargs):
+ assert isinstance(request, HttpRequest)
+ super(CustomRequestAuthenticationForm, self).__init__(request, *args, **kwargs)
+
 @never_cache
 def remote_user_auth_view(request):
  "Dummy view for remote user tests"
@@ -49,6 +55,9 @@ def auth_processor_messages(request):
 def userpage(request):
  pass
 
+def custom_request_auth_login(request):
+ return login(request, authentication_form=CustomRequestAuthenticationForm)
+
 # special urls for auth test cases
 urlpatterns = urlpatterns + patterns('',
  (r'^logout/custom_query/$', 'django.contrib.auth.views.logout', dict(redirect_field_name='follow')),
@@ -65,6 +74,7 @@ def userpage(request):
  (r'^auth_processor_perms/$', auth_processor_perms),
  (r'^auth_processor_perm_in_perms/$', auth_processor_perm_in_perms),
  (r'^auth_processor_messages/$', auth_processor_messages),
+ (r'^custom_request_auth_login/$', custom_request_auth_login),
  url(r'^userpage/(.+)/$', userpage, name="userpage"),
 )
 

django/contrib/auth/tests/views.py

@@ -365,6 +365,14 @@ def test_security_check(self, password='password'):
  self.assertTrue(good_url in response.url,
  "%s should be allowed" % good_url)
 
+ def test_login_form_contains_request(self):
+ # 15198
+ response = self.client.post('/custom_requestauth_login/', {
+ 'username': 'testclient',
+ 'password': 'password',
+ }, follow=True)
+ # the custom authentication form used by this login asserts
+ # that a request is passed to the form successfully.
 
 @skipIfCustomUser
 class LoginURLSettings(AuthViewsTestCase):

django/contrib/auth/views.py

@@ -35,7 +35,7 @@ def login(request, template_name='registration/login.html',
  redirect_to = request.REQUEST.get(redirect_field_name, '')
 
  if request.method == "POST":
- form = authentication_form(data=request.POST)
+ form = authentication_form(request, data=request.POST)
  if form.is_valid():
 
  # Ensure the user-originating redirection url is safe.