Hi all,
I found a form of information leakage when using the @login_required decorator and setting the LOGIN_URL variable.
I have a site that requires a mandatory login for all content. The problem is that you get redirected to the login page with the next variable set when it's an existing page.
So when not logged in and asking for:
http://localhost:8000/validurl/
You see this:
http://localhost:8000/login/?next=/validurl/
And when requesting a non-existing page:
http://localhost:8000/faultyurl/
You see this:
http://localhost:8000/login/
Which reveals some information that I don't want. I thought of overriding the login method, forcing the next to empty and calling 'super' on this subclassed method.
An additional problem is that some of my tests fail without the LOGIN_URL set. They redirect to '/accounts/login/' instead of '/login/'. Hence why I'd like to use the LOGIN_URL but disable the 'auto next' feature.
Anybody that can shed some light on the subject?
Thanx a lot.
Gerard.
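One way to remove the difference between the two redirects is to enforce the login check in middleware, ahead of URL resolution, so that neither the 404 path nor a `@login_required` view is ever reached by an anonymous request; this is an added example written for this thread, not code from Django or from the original post. It keeps Django's middleware calling convention (`__init__(get_response)` / `__call__(request)`), but the request and response objects are stand-ins so it runs without Django installed, and the setting name `LOGIN_EXEMPT_PATHS` is assumed.

```python
from dataclasses import dataclass, field
from types import SimpleNamespace

# Assumed settings (names chosen for this example): the poster's LOGIN_URL plus
# the paths an anonymous user must still be able to reach.
LOGIN_URL = "/login/"
LOGIN_EXEMPT_PATHS = ("/login/", "/static/")

@dataclass
class Response:
    """Minimal stand-in for django.http.HttpResponse."""
    status_code: int
    headers: dict = field(default_factory=dict)

class UniformLoginRedirectMiddleware:
    """Redirect anonymous requests to LOGIN_URL before URL resolution.

    Runs ahead of the resolver, so unknown paths never reach the 404 handler
    and known paths never reach @login_required: both get the identical
    302 -> /login/ with no ?next= parameter.
    """
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if not request.user.is_authenticated and not self._exempt(request.path):
            # No ?next=<path>: echoing the requested path back is the leak.
            return Response(302, {"Location": LOGIN_URL})
        return self.get_response(request)

    @staticmethod
    def _exempt(path):
        return any(path.startswith(p) for p in LOGIN_EXEMPT_PATHS)

def fake_resolver(request):
    """Stand-in for Django's URL resolver: one known view, everything else 404."""
    return Response(200 if request.path == "/validurl/" else 404)

def respond(path, authenticated=False):
    """Push one request through the middleware chain; the request is a stand-in."""
    request = SimpleNamespace(path=path, user=SimpleNamespace(is_authenticated=authenticated))
    return UniformLoginRedirectMiddleware(fake_resolver)(request)
```

In a real project the class must be listed after `AuthenticationMiddleware` in `MIDDLEWARE`, since it relies on `request.user` already being set.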