Django登录错误凭据返回200不是401 [英] Django login with wrong credentials returns 200 not 401

问题描述

这是一个非常直接的测试，但我似乎无法正确的。

This is a pretty straight forward test, but I can't seem to get it right.

我想检查哪些用户可以登录和执行操作（它是一部分更大的测试套件），但第一步导致一些问题。

I want to check which users can login and perform actions (it's part of a larger suite of tests), but the very first step causes some issues.

class SuperUserTest(TestCase):
    def setUp(self):
        self.client = Client()
        self.su = User.objects.create_superuser('super','','the_correct_password')
    def test_su_can_login(self):
        response = self.client.post(reverse('django.contrib.auth.views.login'),
            {'username': 'super', 'password': 'the_wrong_password'})
        self.assertEqual(response.status_code,401)

        # Success redirects to the homepage, so its 302 not 200
        response = self.client.post(reverse('django.contrib.auth.views.login'),
            {'username': 'super', 'password': 'the_correct_password'})
        self.assertEqual(response.status_code,302)

当我运行测试我得到：

(my_app)00:20 ~/my_app (master)$ ./manage.py test my_app.SuperUserTest
Creating test database for alias 'default'...
F
======================================================================
FAIL: test_su_can_login (my_app.SuperUserTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./my_app/tests.py", line 341, in test_su_can_login
    self.assertEqual(response.status_code,401)
AssertionError: 200 != 401

----------------------------------------------------------------------
Ran 1 test in 1.180s

FAILED (failures=1)
Destroying test database for alias 'default'...

为什么django返回HTTP代码 200 不正确登录？

Why is django returning HTTP code 200 when I incorrectly login?

对于其他上下文，这里是我如何管理登录/注销URL：

For additional context, here is how I'm managing the login/logout urls:

urlpatterns = patterns('',
    # Examples:
    url(r'^accounts/login/?$', 'django.contrib.auth.views.login'),
    url(r'^accounts/logout/?$', 'django.contrib.auth.views.logout',
        {'next_page': '/'}),

推荐答案

网络社区有一些关于对凭据失败的正确响应的争论（例如，这里是一个 Wordpress票关于从 200 切换到 401 ）。 Django选择返回 200 响应以及重新呈现的表单。

There's some debate in the web community about what the right response to a credentials failure is (for example, here's a Wordpress ticket about switching from 200 to 401). Django chooses to return a 200 response along with the re-rendered form.

在我看来，这是正确的做法。 401 或 403 响应表示用户没有访问资源（URL）的权限。但在这种情况下，资源是登录点，而您不需要凭据来访问;根据定义，所有用户都可以使用它。所以本质上这种情况与任何其他表单验证没有区别 - 服务器正在检查它发送的输入，如果它们无效，它返回一个 200 表单和错误消息。

In my opinion this is the right approach. A 401 or 403 response indicates that the user doesn't have permission to access the resource (URL). But in this case the resource is the login point, and you don't need credentials to access that; by definition it's available to all users. So essentially this case is no different from any other form validation—the server is checking the inputs it was sent, and if they're invalid it returns a 200 response along with the form and an error message.

这篇关于Django登录错误凭据返回200不是401的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！