Do not let non-staff users to log in via CMS Toolbar (django-cms#6705)

beastman · FinalAngel · commit 88098dcdca22 · 2019-11-12T13:06:11.000+01:00
diff --git a/cms/forms/login.py b/cms/forms/login.py
@@ -1,8 +1,8 @@
 from django import forms
-from django.contrib.auth.forms import AuthenticationForm
+from django.contrib.admin.forms import AdminAuthenticationForm
 
 
-class CMSToolbarLoginForm(AuthenticationForm):
+class CMSToolbarLoginForm(AdminAuthenticationForm):
 
     def __init__(self, *args, **kwargs):
         super(CMSToolbarLoginForm, self).__init__(*args, **kwargs)
diff --git a/cms/tests/test_toolbar.py b/cms/tests/test_toolbar.py
@@ -187,6 +187,15 @@ def test_toolbar_login(self):
         self.assertRedirects(response, '/en/admin/')
         self.assertTrue(settings.SESSION_COOKIE_NAME in response.cookies)
 
+    def test_toolbar_login_non_staff(self):
+        admin = self.get_nonstaff()
+        endpoint = reverse('cms_login') + '?next=/en/admin/'
+        username = getattr(admin, get_user_model().USERNAME_FIELD)
+        password = getattr(admin, get_user_model().USERNAME_FIELD)
+        response = self.client.post(endpoint, data={'username': username, 'password': password})
+        self.assertRedirects(response, '/en/admin/?cms_toolbar_login_error=1', target_status_code=302)
+        self.assertFalse(settings.SESSION_COOKIE_NAME in response.cookies)
+
     def test_toolbar_login_error(self):
         admin = self.get_superuser()
         endpoint = reverse('cms_login') + '?next=/en/admin/'
