From 7fd8f8f0e48462f3a00240204d3be3674b6ee41d Mon Sep 17 00:00:00 2001
From: Karl Hobley
Date: Thu, 2 Apr 2015 17:03:56 +0100
Subject: [PATCH 1/2] Update session auth hash on password change

Fixes #1124
Report and suggested fix by @AtomicSpark

When SessionAuthenticationMiddleware is enabled, the change password form will kick the user out of all their sessions, including the one they just changed their password in. This change prevents the middleware from kicking the user out of the current session (but they will still be kicked out all other sessions)

See: https://docs.djangoproject.com/en/dev/topics/auth/default/#session-invalidation-on-password-change
---
 wagtail/tests/settings.py | 1 +
 wagtail/wagtailadmin/views/account.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/wagtail/tests/settings.py b/wagtail/tests/settings.py
index 0fb085b6c..23bae88f8 100644
--- a/wagtail/tests/settings.py
+++ b/wagtail/tests/settings.py
@@ -43,6 +43,7 @@ MIDDLEWARE_CLASSES = (
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
+ 'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
diff --git a/wagtail/wagtailadmin/views/account.py b/wagtail/wagtailadmin/views/account.py
index 8e758c36e..77a45eb3b 100644
--- a/wagtail/wagtailadmin/views/account.py
+++ b/wagtail/wagtailadmin/views/account.py
@@ -3,6 +3,7 @@ from django.shortcuts import render, redirect
 from django.contrib import messages
 from django.contrib.auth.forms import SetPasswordForm
 from django.contrib.auth.views import logout as auth_logout, login as auth_login
+from django.contrib.auth import update_session_auth_hash
 from django.utils.translation import ugettext as _
 from django.views.decorators.debug import sensitive_post_parameters
 from django.views.decorators.cache import never_cache
@@ -32,6 +33,7 @@ def change_password(request):
 if form.is_valid():
 form.save()
+ update_session_auth_hash(request, form.user)
 messages.success(request, _("Your password has been changed successfully!"))
 return redirect('wagtailadmin_account')

From 7ff9f3ee50a51fa73d0fe0d4e504f4b41922bf13 Mon Sep 17 00:00:00 2001
From: Matt Westcott
Date: Wed, 8 Apr 2015 11:49:19 +0100
Subject: [PATCH 2/2] Release note for #1147

---
 CHANGELOG.txt | 1 +
 docs/releases/1.0.rst | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index a4847f3d7..8f24e5a97 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -42,6 +42,7 @@ Changelog
 * Added hook `construct_homepage_summary_items` for customising the site summary panel on the admin homepage
 * No longer automatically tries to use Celery for sending notification emails
 * Added "Add child page" button to admin userbar (Eric Drechsel)
+ * Fix: Prevent logout on changing password when SessionAuthenticationMiddleware is in use
 0.8.6 (10.03.2015)
diff --git a/docs/releases/1.0.rst b/docs/releases/1.0.rst
index f694a45c4..e01c93fb5 100644
--- a/docs/releases/1.0.rst
+++ b/docs/releases/1.0.rst
@@ -108,6 +108,7 @@ Bug fixes
 * The ``document_served`` signal now correctly passes the Document class as ``sender`` and the document as ``instance``
 * Image edit page no longer throws ``OSError`` when the original image is missing
+ * Users are no longer logged out on changing password when SessionAuthenticationMiddleware is in use
 Upgrade considerations
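Review bot: In the change_password hunk, `update_session_auth_hash(request, form.user)` writes form.user's password-derived hash into the *current* session without checking that form.user is the logged-in user; the form is constructed above the hunk, so this is correct only if it was bound to request.user. Later Django releases add a `request.user == user` check (and a session-key cycle) inside update_session_auth_hash(), but as far as I know the releases current when this was written do neither, so I would make the assumption explicit with `if form.user == request.user:` / `    update_session_auth_hash(request, form.user)` or at least a comment such as `# keep this session valid after the hash changes; form.user must be request.user`. Without the key cycle the session id survives the password change, so a session fixed before the change remains valid afterwards; calling `request.session.cycle_key()` right after the hash update closes that on those older versions. The diffstat lists no test file, so nothing asserts that the session survives the change with SessionAuthenticationMiddleware enabled, even though the settings.py hunk turns that middleware on for the test suite. change_password begins and ends outside the hunk.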