
0005-Use-new-CSRF-cookie-validation-on-login-view-refs-56.patch

Benjamin Dauvergne, 06 mars 2015 16:25



Subject: [PATCH 5/5] Use new CSRF cookie validation on login view (refs #5617)

 src/authentic2/auth_frontends.py | 1 +
 src/authentic2/views.py          | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
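--- a/src/authentic2/auth_frontends.py
+++ b/src/authentic2/auth_frontends.py
@@ -29,16 +29,17 @@
         form = forms.AuthenticationForm(data=data)
         is_secure = request.is_secure
         context = {
             'submit_name': self.submit_name,
         }
         seconds_to_wait = exponential_backoff.seconds_to_wait(request)
         reset = True
         if is_post and not seconds_to_wait:
+            utils.csrf_token_check(request, form)
             reset = False
             if form.is_valid():
                 if is_secure:
                     how = 'password-on-https'
                 else:
                     how = 'password'
                 exponential_backoff.success(request)
                 return utils.login(request, form.get_user(), how)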
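Review bot: The new `utils.csrf_token_check(request, form)` call becomes the only CSRF enforcement on this path once the login view is made `csrf_exempt` in views.py, yet nothing in the hunk shows how a failed check stops the login — control falls straight through to `form.is_valid()`, so the path only fails closed if the helper raises or attaches an error to `form`. I would document that contract at the call site, e.g. `# csrf_token_check() must raise or add a form error on mismatch; is_valid() below relies on it`, and confirm the helper really does one of the two; any other POST handler dispatched through the now-exempt view needs the same explicit call. On the context side, `is_secure = request.is_secure` binds the method without calling it, so `is_secure` is always truthy and `how` is always `'password-on-https'` even over plain HTTP; it should read `is_secure = request.is_secure()`. The enclosing method starts before and continues after this hunk.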
src/authentic2/views.py
21 21
from django.contrib import messages
22 22
from django.utils.translation import ugettext as _
23 23
from django.utils.http import urlencode, same_origin
24 24
from django.contrib.auth import logout as auth_logout
25 25
from django.contrib.auth import REDIRECT_FIELD_NAME
26 26
from django.http import (HttpResponseRedirect, HttpResponseForbidden,
27 27
    HttpResponse)
28 28
from django.core.exceptions import PermissionDenied
29
from django.views.decorators.csrf import csrf_protect
29
from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
30 30
from django.views.decorators.cache import never_cache
31 31
from django.contrib.auth.decorators import login_required
32 32
from django.db.models.fields import FieldDoesNotExist
33 33

  
34 34

  
35 35
# FIXME: this decorator has nothing to do with an idp, should be moved in the
36 36
# a2 package
37 37
# FIXME: this constant should be moved in the a2 package
......
175 175
                return shortcuts.redirect('account_management')
176 176
        return shortcuts.redirect('email-change')
177 177

  
178 178

  
179 179
email_change_verify = EmailChangeVerifyView.as_view()
180 180

  
181 181
logger = logging.getLogger('authentic2.idp.views')
182 182

  
183
@csrf_protect
183
@csrf_exempt
184
@ensure_csrf_cookie
184 185
@never_cache
185 186
def login(request, template_name='authentic2/login.html',
186 187
          redirect_field_name=REDIRECT_FIELD_NAME):
187 188
    """Displays the login form and handles the login action."""
188 189

  
189 190
    redirect_to = request.REQUEST.get(redirect_field_name)
190 191
    if not redirect_to or ' ' in redirect_to:
191 192
        redirect_to = settings.LOGIN_REDIRECT_URL
192
-