First name, last name and email address leak in fo

2020-07-28 00:00发布

we have implemented django-allauth into our web app and we are facing random leaks.

When a new user enters signup page, sometimes user sees first name, last name and email address of lastly logged user prefilled in signup form. This occurs really randomly, just sometimes. This also happens in profile edit form, which is just simple django form taking instance of user from self.request.user in CBV (FormView) like this:

def get_form_kwargs(self):
    kwargs = super(ProfileView, self).get_form_kwargs()
    kwargs.update({
        'instance': self.request.user
    })
    return kwargs

We are using basic default setup of allauth from the website installation instructions. We use it as for now just for email registration and login.

allauth settings.py (all other settings we have the same like in instructions eg. installed apps, middlewares etc):

# DJANGO-ALLAUTH
ACCOUNT_ADAPTER = 'users.adapter.AccountAdapter'
LOGIN_URL = '/accounts/login/'
LOGIN_REDIRECT_URL = 'bookings:booking_add'
ACCOUNT_FORMS = {'signup': 'users.forms.SignupForm', }
ACCOUNT_AUTHENTICATION_METHOD = 'email'
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_VERIFICATION = 'none'
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_LOGOUT_ON_GET = True
SOCIALACCOUNT_EMAIL_VERIFICATION = 'none'
ACCOUNT_EMAIL_SUBJECT_PREFIX = ""
ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION = True

AUTH_USER_MODEL = 'users.User'

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'allauth.account.auth_backends.AuthenticationBackend',
)

as signupView we use default one, but we also tried adding never_cache decorator (did not help):

class SignupView(AllauthSignupView):
    template_name = 'account/signup.html'

signup = never_cache(SignupView.as_view())

SignupForm, overriding default one:

class SignupForm(AllauthSignupForm):
    """ django-allauth usage defined in settings in ACCOUNT_FORMS"""
    title = forms.CharField(label=_('Title'), widget=forms.Select(choices=choices.USER_TITLE))
    first_name = forms.CharField(label=_('First Name'))
    last_name = forms.CharField(label=_('Last Name'))
    email = forms.EmailField(widget=forms.TextInput(attrs={'type': 'email',}))
    password1 = SetPasswordField(label=_("Password"))
    password2 = CustomPasswordField(label=_("Password (again)"))

    def __init__(self, *args, **kwargs):

        super(SignupForm, self).__init__(*args, **kwargs)
        set_form_field_order(self, ["title", "first_name", "last_name", "email", "password1", "password2"])
        for field in self.fields:
            self.fields[field].widget.attrs['class'] = 'mdl-textfield__input'

    class Meta:
        fields = ('title', 'first_name', 'last_name', 'email', 'password1', 'password2')

We use default allauth LoginForm and LoginView.

It's Django 1.8.7, nginx (1 process), gunicorn (4 workers) running through supervisor (as 1 process).

1条回答
【Aperson】
2楼-- · 2020-07-28 00:35

We have found troubles causing this on another form when we had something like this in Django CBV FormView:

def get_initial(self):
    user = self.request.user
    if something:
        self.initial.update({
            'title': user.title,
            'first_name': user.first_name,
            'last_name': user.last_name,
            'email': user.email,
            'phone': user.phone,
            'street': user.street,
            'city': user.city,
            'zip_code': user.zip_code,
            'country': user.country
        })
    return self.initial

we have fixed this as follows:

def get_initial(self):
    user = self.request.user
    initial = super(PassengerAddStep1FormView, self).get_initial()
    if something:
        initial.update({
            'title': user.title,
            'first_name': user.first_name,
            'last_name': user.last_name,
            'email': user.email,
            'phone': user.phone,
            'street': user.street,
            'city': user.city,
            'zip_code': user.zip_code,
            'country': user.country
        })
    return initial
查看更多
登录 后发表回答