projects / astakos / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Explicitly allow only POST and GET requests
[astakos] / snf-astakos-app / astakos / im / target / local.py
diff --git a/snf-astakos-app/astakos/im/target/local.py b/snf-astakos-app/astakos/im/target/local.py
index aecf44c..25c02cd 100644 (file)
--- a/snf-astakos-app/astakos/im/target/local.py
+++ b/snf-astakos-app/astakos/im/target/local.py
@@ -38,8 +38,9 @@ from django.contrib.auth import authenticate
 from django.contrib import messages
 from django.utils.translation import ugettext as _
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.http import require_http_methods
 
-from astakos.im.util import prepare_response
+from astakos.im.util import prepare_response, get_query
 from astakos.im.views import requires_anonymous
 from astakos.im.models import AstakosUser
 from astakos.im.forms import LoginForm
@@ -50,6 +51,7 @@ from ratelimit.decorators import ratelimit
 retries = RATELIMIT_RETRIES_ALLOWED-1
 rate = str(retries)+'/m'
 
+@require_http_methods(["GET", "POST"])
 @csrf_exempt
 @requires_anonymous
 @ratelimit(field='username', method='POST', rate=rate)
@@ -59,7 +61,7 @@ def login(request, on_failure='im/login.html'):
     """
     was_limited = getattr(request, 'limited', False)
     form = LoginForm(data=request.POST, was_limited=was_limited, request=request)
-    next = request.POST.get('next')
+    next = get_query(request).get('next', '')
     if not form.is_valid():
         return render_to_response(on_failure,
                                   {'login_form':form,
Unnamed repository; edit this file 'description' to name the repository.