Security issue if INSTALLED in production even with DEBUG=False

[sssbox]

The login function has no security to protect people viewing a production site from manually POSTing to /users/login/1 if you don't entirely disable the plugin by having overridden or different settings between dev and prod (probably a good idea, but easy to overlook by assuming "if DjDT doesn't show up the panels are probably all disabled").

Example of this error:

• In settings.py DEBUG=False
• In chrome, inspect element on any page, manually add <form method="POST" action="/users/login/1"><input type="submit" /></form>
• Click submit and you should be logged in as user 1

Solution: Easiest is to add from django.conf import settings to the top and if not settings.DEBUG: return HttpResponseBadRequest() right under line 42

Other somewhat unsafe ideas:

• Warn all users to only have it in INSTALLED APPS/urls.py on dev instances in the README
• Make it possible to be able to use it even if DEBUG=False when
  • user is superuser (can't switch back) or
  • user is in some list of users (can't switch back) or
  • IP in INTERNAL_IPS (spoofable if server mishandles x_forwarded_for and someone fakes a proxied request?)

[lamby]

Pushed a fix; could you have a look? Many many thanks for reporting :)

I think this happened because I tend to conditionally include(...) the Debug Toolbar URLs when DEBUG=True due to some unrelated messing around with urls.py so I never really thought it was an issue.

[sssbox]

Yup, that works!

And I doubt it's something anyone would ever exploit but it's a pretty easy fix to be able to not worry about someone getting hacked should this become a more commonly used debug tool.