0001-idp_oidc-ban-any-ou-based-authz-from-service-authz-p.patch
src/authentic2/views.py | ||
23 | 23 |
from ratelimit.utils import is_ratelimited |
24 | 24 | |
25 | 25 |
from django.conf import settings |
26 |
from django.contrib.contenttypes.models import ContentType |
|
26 | 27 |
from django.shortcuts import render, get_object_or_404 |
27 | 28 |
from django.template.loader import render_to_string |
28 | 29 |
from django.views.generic.edit import UpdateView, FormView |
... | ... | |
1285 | 1286 | |
1286 | 1287 |
def get_context_data(self, **kwargs): |
1287 | 1288 |
from authentic2_idp_oidc.models import OIDCAuthorization |
1289 |
from authentic2_idp_oidc.models import OIDCClient |
|
1288 | 1290 | |
1289 | 1291 |
context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs) |
1292 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
1290 | 1293 |
context['authorized_oauth_services'] = OIDCAuthorization.objects.filter( |
1291 |
user=self.request.user) |
|
1294 |
user=self.request.user, client_ct=service_ct)
|
|
1292 | 1295 |
return context |
1293 | 1296 | |
1294 | 1297 |
def post(self, request, *args, **kwargs): |
1295 | 1298 |
from authentic2_idp_oidc.models import OIDCAuthorization |
1299 |
from authentic2_idp_oidc.models import OIDCClient |
|
1296 | 1300 | |
1297 |
qs = OIDCAuthorization.objects.filter(user=request.user) |
|
1301 |
service_ct = ContentType.objects.get_for_model(OIDCClient) |
|
1302 |
qs = OIDCAuthorization.objects.filter( |
|
1303 |
user=request.user, client_ct=service_ct) |
|
1298 | 1304 |
auth_id = request.POST.get('auth_id') |
1299 | 1305 |
if auth_id: |
1300 | 1306 |
qs = qs.filter(id=auth_id) |
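Review bot: The `auth_id` value read from `request.POST` at new line 1304 is passed straight into `qs.filter(id=auth_id)`, so a non-numeric value will raise a ValueError from the integer field lookup (an HTTP 500) rather than being rejected cleanly, assuming `id` is the usual integer primary key; a small guard such as `if auth_id and auth_id.isdigit():` / `qs = qs.filter(id=int(auth_id))` keeps the new per-user, per-content-type scoping while refusing malformed input. The user and `client_ct` filters already limit what the id can select, so this is a robustness rather than an authorization concern. As a point of style, `service_ct = ContentType.objects.get_for_model(OIDCClient)` and the matching `OIDCAuthorization.objects.filter(...)` are now duplicated verbatim in `get_context_data` and `post`; a single helper on the view, e.g. `def _service_authorizations(self, user):` returning that queryset, would keep the two callers from drifting apart. The body of `post` continues past the end of this hunk.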
tests/test_idp_oidc.py | ||
44 | 44 |
from authentic2.a2_rbac.utils import get_default_ou |
45 | 45 |
from authentic2.utils import make_url |
46 | 46 |
from authentic2_auth_oidc.utils import parse_timestamp |
47 |
from django_rbac.utils import get_ou_model |
|
47 | 48 |
from django_rbac.utils import get_role_model |
48 | 49 | |
49 | 50 |
User = get_user_model() |
... | ... | |
1624 | 1625 |
OIDCAuthorization.objects.create( |
1625 | 1626 |
client=oidc_client, user=simple_user, scopes='openid profile email', |
1626 | 1627 |
expired=now() + datetime.timedelta(days=2)) |
1628 |
# create an ou-based authz that should not appear here |
|
1629 |
OU = get_ou_model() |
|
1630 |
ou1 = OU.objects.create(name='Orgunit1', slug='orgunit1') |
|
1631 |
OIDCAuthorization.objects.create( |
|
1632 |
client=ou1, user=simple_user, scopes='openid profile email', |
|
1633 |
expired=now() + datetime.timedelta(days=2)) |
|
1627 | 1634 | |
1628 | 1635 |
response = app.get(url, status=200) |
1629 | 1636 |
assert "You have granted 3 services access to your account profile data." |
1630 |
- |