0004-auth_oath-deny-access-to-views-on-insufficient-auth-.patch

Valentin Deniaud, 29 mai 2019 15:51

Voir les différences: en ligne côte à côte

Subject: [PATCH 4/4] auth_oath: deny access to views on insufficient auth
 level

 .../auth2_multifactor/auth_oath/urls.py        | 18 ++++++++++++++----
 .../auth2_multifactor/auth_oath/views.py       |  5 +----
 src/authentic2/auth2_multifactor/decorators.py | 12 ++++++++++++
 3 files changed, 27 insertions(+), 8 deletions(-)
 create mode 100644 src/authentic2/auth2_multifactor/decorators.py

     from django.conf.urls import url
     from django.contrib.auth.decorators import login_required
     from authentic2.decorators import required
     from authentic2.auth2_multifactor.decorators import auth_level_required
     from . import views
     from .utils import get_authenticator_level
     urlpatterns = required(
         (login_required, auth_level_required(get_authenticator_level)), [
             url(r'change_secret', views.change_secret, name='totp-change-secret'),
             url(r'disable', views.disable, name='totp-disable'),
+        ]
+    )
     urlpatterns = [
         url(r'change_secret', views.change_secret, name='totp-change-secret'),
         url(r'enable', views.enable, name='totp-enable'),
         url(r'disable', views.disable, name='totp-disable'),
     urlpatterns += [
             url(r'enable', login_required(views.enable), name='totp-enable'),
+    ]

     from django.contrib.auth.decorators import login_required
     from django.template.loader import render_to_string
     from django.utils.translation import ugettext as _, ugettext_lazy
     from django.views.generic.edit import FormView
-...
     totp_login = Login.as_view()
     @login_required
     def change_secret(request):
         set_secret(request.user)
         return redirect(request, 'account_management')
-...
                 authenticator_id=get_authenticator_id())
             return super(Enable, self).set_auth_level()
     enable = login_required(Enable.as_view())
     enable = Enable.as_view()
     @login_required
     def disable(request):
         try:
             factor = request.user.enabled_auth_factors.get(

     from django.core.exceptions import PermissionDenied
     def auth_level_required(auth_level):
         def actual_decorator(func):
             actual_auth_level = auth_level() if callable(auth_level) else auth_level
             def wrapped(request, *args, **kwargs):
                 if request.session.get('auth_level', 1) < actual_auth_level:
                     raise PermissionDenied
                 return func(request, *args, **kwargs)
             return wrapped
         return actual_decorator
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0004-auth_oath-deny-access-to-views-on-insufficient-auth-.patch