0004-auth_oath-deny-access-to-views-on-insufficient-auth-.patch
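--- a/src/authentic2/auth2_multifactor/auth_oath/urls.py
+++ b/src/authentic2/auth2_multifactor/auth_oath/urls.py
@@ -1,10 +1,20 @@
 from django.conf.urls import url
+from django.contrib.auth.decorators import login_required
+
+from authentic2.decorators import required
+from authentic2.auth2_multifactor.decorators import auth_level_required
 
 from . import views
+from .utils import get_authenticator_level
+
 
+urlpatterns = required(
+    (login_required, auth_level_required(get_authenticator_level)), [
+        url(r'change_secret', views.change_secret, name='totp-change-secret'),
+        url(r'disable', views.disable, name='totp-disable'),
+    ]
+)
 
-urlpatterns = [
-    url(r'change_secret', views.change_secret, name='totp-change-secret'),
-    url(r'enable', views.enable, name='totp-enable'),
-    url(r'disable', views.disable, name='totp-disable'),
+urlpatterns += [
+    url(r'enable', login_required(views.enable), name='totp-enable'),
 ]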
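Review bot: The route patterns re-added at new lines 13, 14 and 19 are still unanchored (`r'change_secret'`, `r'disable'`, `r'enable'`), and Django's `url()` matches with a regex search, so `r'enable'` also matches a path containing `disable`; the two groups now resolve correctly only because the `disable` entry is listed before the `enable` entry, and a later reordering would silently send a disable request to the `login_required`-only enable view. Anchoring removes the ordering dependency: `url(r'^change_secret$', ...)`, `url(r'^disable$', ...)`, `url(r'^enable$', ...)`. The semantics of `required()` from authentic2.decorators are not visible here; presumably it applies the tuple of decorators to every pattern in the list, and a one-line comment above `urlpatterns = required(` saying that these two views carry no decorator of their own and depend on this wrapping would make that explicit.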
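--- a/src/authentic2/auth2_multifactor/auth_oath/views.py
+++ b/src/authentic2/auth2_multifactor/auth_oath/views.py
@@ -1,4 +1,3 @@
-from django.contrib.auth.decorators import login_required
 from django.template.loader import render_to_string
 from django.utils.translation import ugettext as _, ugettext_lazy
 from django.views.generic.edit import FormView
@@ -69,7 +68,6 @@
 totp_login = Login.as_view()
 
 
-@login_required
 def change_secret(request):
     set_secret(request.user)
     return redirect(request, 'account_management')
@@ -105,10 +103,9 @@
             authenticator_id=get_authenticator_id())
         return super(Enable, self).set_auth_level()
 
-enable = login_required(Enable.as_view())
+enable = Enable.as_view()
 
 
-@login_required
 def disable(request):
     try:
         factor = request.user.enabled_auth_factors.get(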
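Review bot: Dropping `@login_required` from `change_secret` (new line 71) and `disable` (new line 109) and unwrapping `enable` (new line 106) leaves the view callables themselves unprotected; the check now lives only in the URLconf wrapping in auth_oath/urls.py, so any other URLconf that includes these views, or code that calls them directly, reaches `set_secret(request.user)` with no authenticated user or auth-level check. The commit does not record that invariant in this module, so add a note near the top of the views, e.g. `# Access control (login_required + auth_level_required) is applied in urls.py; do not route these views elsewhere without it.` The bodies of `Enable.set_auth_level` and `disable` continue outside the hunks.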
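--- /dev/null
+++ b/src/authentic2/auth2_multifactor/decorators.py
@@ -0,0 +1,12 @@
+from django.core.exceptions import PermissionDenied
+
+
+def auth_level_required(auth_level):
+    def actual_decorator(func):
+        actual_auth_level = auth_level() if callable(auth_level) else auth_level
+        def wrapped(request, *args, **kwargs):
+            if request.session.get('auth_level', 1) < actual_auth_level:
+                raise PermissionDenied
+            return func(request, *args, **kwargs)
+        return wrapped
+    return actual_decorator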