0001-idp_oidc-ban-any-ou-based-authz-from-service-authz-p.patch
src/authentic2/views.py | ||
23 | 23 |
from ratelimit.utils import is_ratelimited |
24 | 24 | |
25 | 25 |
from django.conf import settings |
26 |
from django.contrib.contenttypes.models import ContentType |
|
26 | 27 |
from django.shortcuts import render, get_object_or_404 |
27 | 28 |
from django.template.loader import render_to_string |
28 | 29 |
from django.views.generic.edit import UpdateView, FormView |
... | ... | |
1285 | 1286 | |
1286 | 1287 |
def get_context_data(self, **kwargs): |
1287 | 1288 |
from authentic2_idp_oidc.models import OIDCAuthorization |
1289 |
from authentic2_idp_oidc.models import OIDCClient |
|
1288 | 1290 | |
1289 | 1291 |
context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs) |
1292 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
1290 | 1293 |
context['authorized_oauth_services'] = OIDCAuthorization.objects.filter( |
1291 |
user=self.request.user) |
|
1294 |
user=self.request.user, client_ct=service_ct)
|
|
1292 | 1295 |
return context |
1293 | 1296 | |
1294 | 1297 |
def post(self, request, *args, **kwargs): |
1295 | 1298 |
from authentic2_idp_oidc.models import OIDCAuthorization |
1299 |
from authentic2_idp_oidc.models import OIDCClient |
|
1296 | 1300 | |
1297 |
qs = OIDCAuthorization.objects.filter(user=request.user) |
|
1301 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
1302 |
qs = OIDCAuthorization.objects.filter( |
|
1303 |
user=request.user, client_ct=service_ct) |
|
1298 | 1304 |
auth_id = request.POST.get('auth_id') |
1299 | 1305 |
if auth_id: |
1300 | 1306 |
qs = qs.filter(id=auth_id) |
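Review bot: The `client_ct` restriction is now built twice, once in `get_context_data` (new lines 1292-1294) and once in `post` (new lines 1301-1303), each with its own local imports, so the "services only" rule can drift between the listing and the revocation path the next time it changes. A single helper on the view, e.g. `def _service_authorizations(self, user): return OIDCAuthorization.objects.filter(user=user, client_ct=ContentType.objects.get_for_model(OIDCClient))`, called from both methods keeps the rule in one place. Whichever form is kept, the filter deserves a why-comment, since nothing in the code says what it excludes: `# restrict to OIDCClient-backed grants; OU-based authorizations must not be listed or revoked from this page`. The body of `post` continues past the end of the hunk.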
tests/test_idp_oidc.py | ||
1624 | 1624 |
OIDCAuthorization.objects.create( |
1625 | 1625 |
client=oidc_client, user=simple_user, scopes='openid profile email', |
1626 | 1626 |
expired=now() + datetime.timedelta(days=2)) |
1627 |
# create an ou-based authz that should not appear here |
|
1628 |
OU = get_ou_model() |
|
1629 |
ou = OU.objects.create(name='Ou1', slug='ou1') |
|
1630 |
OIDCAuthorization.objects.create( |
|
1631 |
client=ou1, user=simple_user, scopes='openid profile email', |
|
1632 |
expired=now() + datetite.timedelta(day=2)) |
|
1627 | 1633 | |
1628 | 1634 |
response = app.get(url, status=200) |
1629 | 1635 |
assert "You have granted 3 services access to your account profile data." |
1630 |
- |
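Review bot: The new fixture at lines 1630-1632 cannot run as written: `client=ou1` references a name that is never bound (the OU is assigned to `ou` on line 1629), and `datetite.timedelta(day=2)` misspells both the module and the keyword, so the test raises NameError before the request is made. The two lines should read `client=ou, user=simple_user, scopes='openid profile email',` and `expired=now() + datetime.timedelta(days=2))`. Separately, the unchanged assertion on line 1635 asserts a bare non-empty string literal, which is always true, so even once the fixture is fixed the test does not check that the OU-based grant is excluded from the count; comparing the message against the response body (`in response.text`, or whatever attribute this test client exposes, not visible here) would make the new fixture meaningful. Whether `OIDCAuthorization.client` accepts an OU instance, and whether `get_ou_model` is imported in this module, is not visible in the hunk.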