cleanup of session code, garbage collect variables once they are no longer...

cleanup of session code, garbage collect variables once they are no longer needed, ensured failed passwords retain return_url without error

cleanup of session code, garbage collect variables once they are no longer...
a4f1c47f · Ben Adida · 9f6fec5a · a4f1c47f · a4f1c47f · a4f1c47f
Commit a4f1c47f authored 14 years ago by Ben Adida
--- a/auth/auth_systems/password.py
+++ b/auth/auth_systems/password.py
@@ -45,18 +45,18 @@ def password_login_view(request):
  else:
    form = LoginForm(request.POST)
+    # set this in case we came here straight from the multi-login chooser
+    # and thus did not have a chance to hit the "start/password" URL
+    request.session['auth_system_name'] = 'password'
+    if request.POST.has_key('return_url'):
+      request.session['auth_return_url'] = request.POST.get('return_url')
    if form.is_valid():
      username = form.cleaned_data['username'].strip()
      password = form.cleaned_data['password'].strip()
      try:
        user = User.get_by_type_and_id('password', username)
        if password_check(user, password):
-          # set this in case we came here from another location than 
-          # the normal login process
-          request.session['auth_system_name'] = 'password'
-          if request.POST.has_key('return_url'):
-            request.session['auth_return_url'] = request.POST.get('return_url')
          request.session['password_user'] = user
          return HttpResponseRedirect(reverse(after))
      except User.DoesNotExist:
@@ -102,6 +102,7 @@ def get_auth_url(request, redirect_url = None):
 def get_user_info_after_auth(request):
  user = request.session['password_user']
+  del request.session['password_user']
  user_info = user.info
  return {'type': 'password', 'user_id' : user.user_id, 'name': user.name, 'info': user.info, 'token': None}

--- a/auth/templates/password/login.html
+++ b/auth/templates/password/login.html
@@ -14,7 +14,7 @@
 {% endif %}
 <p>
-<form class="prettyform" action="" method="POST" id="create_election_form">
+<form class="prettyform" action="" method="POST" id="login_form">
    <input type="hidden" name="csrf_token" value="{{csrf_token}}" />
 <table>
    {{form.as_table}}

--- a/auth/views.py
+++ b/auth/views.py
@@ -90,7 +90,6 @@ def do_local_logout(request):
  fields_to_save = dict([(name, request.session.get(name, None)) for name in field_names_to_save])
  # let's not forget to save the list of fields to save
-  field_names_to_save.append(FIELDS_TO_SAVE)
  fields_to_save[FIELDS_TO_SAVE] = field_names_to_save
  request.session.flush()
@@ -98,6 +97,9 @@ def do_local_logout(request):
  for name in field_names_to_save:
    request.session[name] = fields_to_save[name]
+  # copy the list of fields to save
+  request.session[FIELDS_TO_SAVE] = fields_to_save[FIELDS_TO_SAVE]
  request.session['user_for_remote_logout'] = user
 def do_remote_logout(request, user, return_url="/"):
@@ -105,8 +107,10 @@ def do_remote_logout(request, user, return_url="/"):
  auth_system = AUTH_SYSTEMS[user['type']]
  # does the auth system have a special logout procedure?
+  user_for_remote_logout = request.session.get('user_for_remote_logout', None)
+  del request.session['user_for_remote_logout']
  if hasattr(auth_system, 'do_logout'):
-    response = auth_system.do_logout(request.session.get('user_for_remote_logout', None))
+    response = auth_system.do_logout(user_for_remote_logout)
    return response
 def do_complete_logout(request, return_url="/"):
@@ -186,5 +190,9 @@ def after(request):
  return HttpResponseRedirect(reverse(after_intervention))
 def after_intervention(request):
-  return HttpResponseRedirect(request.session['auth_return_url'] or "/")
+  return_url = "/"
+  if request.session.has_key('auth_return_url'):
+    return_url = request.session['auth_return_url']
+    del request.session['auth_return_url']
+  return HttpResponseRedirect(return_url)