0002-views-validates-logout-next-URL-33087.patch

Benjamin Dauvergne, 14 mai 2019 17:04


Subject: [PATCH 2/2] views: validates logout next URL (#33087)

 src/authentic2/views.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
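--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -529,9 +529,6 @@
 
 def logout(request,
            next_url=None,
-           default_next_url='auth_homepage',
-           redirect_field_name=REDIRECT_FIELD_NAME,
-           template='authentic2/logout.html',
            do_local=True,
            check_referer=True):
     '''Logout first check if a logout request is authorized, i.e.
@@ -541,12 +538,13 @@
        Logout endpoints of IdP module must re-user the view by setting
        check_referer and do_local to False.
     '''
-    default_next_url = utils.make_url(default_next_url)
-    next_url = next_url or request.GET.get(redirect_field_name, default_next_url)
+    next_url = next_url or utils.select_next_url(request, settings.LOGIN_REDIRECT_URL)
+
     ctx = {}
     ctx['next_url'] = next_url
     ctx['redir_timeout'] = 60
     local_logout_done = False
+
     if request.user.is_authenticated():
         if check_referer and not utils.check_referer(request):
             return render(request, 'authentic2/logout_confirm.html', ctx)
@@ -561,7 +559,7 @@
                 ctx['next_url'] = next_url
                 ctx['logout_list'] = fragments
                 ctx['message'] = _('Logging out from all your services')
-                return render(request, template, ctx)
+                return render(request, 'authentic2/logout.html', ctx)
         # Get redirection targets for full logout with redirections
         # (needed before local logout)
         targets = redirect_logout_list(request)
@@ -583,7 +581,7 @@
         next_url = targets.pop(0)
         request.session['logout_redirections'] = targets
     logger.debug('Next redirection : {}'.format(next_url))
-    response = utils.redirect(request, next_url)
+    response = shortcuts.redirect(next_url)
     if local_logout_done:
         response.set_cookie('a2_just_logged_out', 1, max_age=60)
         messages.info(request, _('You have been logged out'))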
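Review bot: The validation covers only the request parameter: in `next_url = next_url or utils.select_next_url(request, settings.LOGIN_REDIRECT_URL)` a `next_url` supplied by the calling view skips `select_next_url` and reaches both `ctx['next_url']` and `shortcuts.redirect(next_url)` unchecked. The docstring says the IdP logout endpoints reuse this view, so if any of them builds `next_url` from request data the open redirect would presumably stay reachable through that path; those callers, and most of the body of `logout`, are outside the hunks shown. I would state the contract above that line, e.g. `# a next_url passed by the caller is trusted as-is; only the request parameter is validated by select_next_url`, and add a regression test that requests the logout view with an off-site next URL and asserts the response does not redirect off-site. Dropping the `default_next_url`, `redirect_field_name` and `template` keyword arguments will also raise `TypeError` in any caller that still passes them, so the existing call sites are worth checking.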
590
-