From 3b68382a2f919f1c4d657704c3b7c6c9e2daba59 Mon Sep 17 00:00:00 2001
From: Sergei Maertens
Date: Mon, 26 Feb 2024 16:43:41 +0100
Subject: [PATCH] :bug: Ensure that mfa-disabled logins respect the ?next= query param
---
 maykin_2fa/views.py | 5 +++++
 tests/test_admin_login_flow.py | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/maykin_2fa/views.py b/maykin_2fa/views.py
index 6a3d2d2..15248cc 100644
--- a/maykin_2fa/views.py
+++ b/maykin_2fa/views.py
@@ -46,6 +46,11 @@ def get_redirect_url(self):
 
 def get_context_data(self, form, **kwargs):
 context = super().get_context_data(form, **kwargs)
+
+ # upstream doesn't provide a value for the "next" context variable at all
+ redirect_to = self.request.GET.get(self.redirect_field_name, "")
+ context.setdefault("next", redirect_to)
+
 context.update(
 {
 **admin.site.each_context(self.request),
diff --git a/tests/test_admin_login_flow.py b/tests/test_admin_login_flow.py
index d97586f..3ba0828 100644
--- a/tests/test_admin_login_flow.py
+++ b/tests/test_admin_login_flow.py
@@ -76,3 +76,24 @@ def test_non_verified_user_is_logged_out(settings, totp_device, client: Client):
 assert login_response.wsgi_request.path == admin_login_url
 assertTemplateUsed(login_response, "maykin_2fa/login.html")
 assertContains(login_response, "Token")
+
+
+def test_mfa_disabled_respects_next_parameter(settings, client: Client, admin_user):
+ settings.MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = settings.AUTHENTICATION_BACKENDS
+ admin_login_url = reverse("admin:login")
+
+ login_page = client.get(admin_login_url, {"next": "/admin/auth/user/"})
+
+ assert login_page.context["next"] == "/admin/auth/user/"
+
+ login_response = client.post(
+ admin_login_url,
+ data={
+ "admin_login_view-current_step": "auth",
+ "auth-username": admin_user.username,
+ "auth-password": "password",
+ "next": "/admin/auth/user/",
+ },
+ follow=True,
+ )
+ assert login_response.wsgi_request.path == "/admin/auth/user/"
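Review bot: The `redirect_to` value in `get_context_data` is taken straight from `self.request.GET` and stored under `"next"` with no host or scheme check, so nothing in this hunk stops an off-site URL from being carried through the login form. Whether that is safe depends on the value being validated when the redirect is actually issued, presumably in `get_redirect_url` (named in the hunk header, body not shown), and on the template rendering it with autoescaping. Either record that dependency next to the new lines, e.g. `# unvalidated here: get_redirect_url() must check host/scheme before redirecting`, or clear the value before `setdefault` when Django's `url_has_allowed_host_and_scheme(redirect_to, allowed_hosts={self.request.get_host()})` returns false. The value is also read from GET only, so a form re-rendered after a failed POST may lose it if the form action carries no query string. `get_context_data` continues past the end of the hunk.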
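Review bot: `test_mfa_disabled_respects_next_parameter` only exercises a same-site path, so the suite does not pin what happens when `next` names another host. A companion case that sends `"next": "https://example.com/"` (constructed sample value) and asserts that no entry in `login_response.redirect_chain` points at that host would keep this fix from regressing into an open redirect. It should also assert that the user lands on the default admin page instead. A short docstring on the test stating that it covers the MFA-bypass backend path, e.g. `"""With MFA bypassed, a same-site ?next= target is honoured after login."""`, would make the intent of the `settings` override clearer.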