0005-Use-new-CSRF-cookie-validation-on-login-view-refs-56.patch
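--- a/src/authentic2/auth_frontends.py
+++ b/src/authentic2/auth_frontends.py
@@ -29,16 +29,17 @@
         form = forms.AuthenticationForm(data=data)
         is_secure = request.is_secure
         context = {
             'submit_name': self.submit_name,
         }
         seconds_to_wait = exponential_backoff.seconds_to_wait(request)
         reset = True
         if is_post and not seconds_to_wait:
+            utils.csrf_token_check(request, form)
             reset = False
             if form.is_valid():
                 if is_secure:
                     how = 'password-on-https'
                 else:
                     how = 'password'
                 exponential_backoff.success(request)
                 return utils.login(request, form.get_user(), how)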
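Review bot: The new `utils.csrf_token_check(request, form)` call at new line 37 becomes the only CSRF defence on this path once the view is switched from `@csrf_protect` to `@csrf_exempt` in views.py, and nothing in the hunk shows that a failed check stops the login: `form.is_valid()` and `utils.login(...)` run right after it unless the helper itself raises or attaches a form error. Please make that contract explicit, e.g. `if not utils.csrf_token_check(request, form): return self._csrf_failure(request)` or a comment such as `# csrf_token_check adds a non-field error on token/cookie mismatch, so is_valid() fails below`, whichever matches the helper's actual behaviour. Any other frontend dispatched by the same now-exempt login view needs an equivalent call, otherwise it silently loses CSRF protection. Unrelated but visible in context: `is_secure = request.is_secure` never calls the method, so `is_secure` is always a truthy bound method and `how` is always `'password-on-https'` even over plain HTTP. The enclosing method starts before this hunk and its backoff/failure handling continues after it.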
src/authentic2/views.py | ||
21 | 21 |
from django.contrib import messages |
22 | 22 |
from django.utils.translation import ugettext as _ |
23 | 23 |
from django.utils.http import urlencode, same_origin |
24 | 24 |
from django.contrib.auth import logout as auth_logout |
25 | 25 |
from django.contrib.auth import REDIRECT_FIELD_NAME |
26 | 26 |
from django.http import (HttpResponseRedirect, HttpResponseForbidden, |
27 | 27 |
HttpResponse) |
28 | 28 |
from django.core.exceptions import PermissionDenied |
29 |
from django.views.decorators.csrf import csrf_protect
|
|
29 |
from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
|
|
30 | 30 |
from django.views.decorators.cache import never_cache |
31 | 31 |
from django.contrib.auth.decorators import login_required |
32 | 32 |
from django.db.models.fields import FieldDoesNotExist |
33 | 33 | |
34 | 34 | |
35 | 35 |
# FIXME: this decorator has nothing to do with an idp, should be moved in the |
36 | 36 |
# a2 package |
37 | 37 |
# FIXME: this constant should be moved in the a2 package |
... | ... | |
175 | 175 |
return shortcuts.redirect('account_management') |
176 | 176 |
return shortcuts.redirect('email-change') |
177 | 177 | |
178 | 178 | |
179 | 179 |
email_change_verify = EmailChangeVerifyView.as_view() |
180 | 180 | |
181 | 181 |
logger = logging.getLogger('authentic2.idp.views') |
182 | 182 | |
183 |
@csrf_protect |
|
183 |
@csrf_exempt |
|
184 |
@ensure_csrf_cookie |
|
184 | 185 |
@never_cache |
185 | 186 |
def login(request, template_name='authentic2/login.html', |
186 | 187 |
redirect_field_name=REDIRECT_FIELD_NAME): |
187 | 188 |
"""Displays the login form and handles the login action.""" |
188 | 189 | |
189 | 190 |
redirect_to = request.REQUEST.get(redirect_field_name) |
190 | 191 |
if not redirect_to or ' ' in redirect_to: |
191 | 192 |
redirect_to = settings.LOGIN_REDIRECT_URL |
192 |
- |