0002-views-improve-handling-of-next_url-for-sp-initiated-.patch
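--- a/mellon/views.py
+++ b/mellon/views.py
@@ -723,8 +723,12 @@
 
 def sp_logout_request(self, request):
 '''Launch a logout request to the identity provider'''
-next_url = request.GET.get(REDIRECT_FIELD_NAME)
 referer = request.headers.get('Referer')
+field_next_url = request.GET.get(REDIRECT_FIELD_NAME)
+next_url = None
+if field_next_url and utils.same_origin(request.build_absolute_uri(), field_next_url):
+next_url = field_next_url
+next_url = next_url or '/'
 if not referer or utils.same_origin(request.build_absolute_uri(), referer):
 if hasattr(request, 'user') and request.user.is_authenticated:
 logout = None
@@ -754,7 +758,7 @@
 self.log.info('user logged out, SLO request sent to IdP')
 else:
 # anonymous user: if next_url is None redirect to referer
-return HttpResponseRedirect(next_url or referer)
+return HttpResponseRedirect(next_url)
 else:
 self.log.warning('logout refused referer %r is not of the same origin', referer)
 return HttpResponseRedirect(next_url)
@@ -774,9 +778,7 @@
 self.log.warning('partial logout')
 except lasso.Error as e:
 self.log.warning('unable to process a logout response: %s', e)
-return HttpResponseRedirect(resolve_url(settings.LOGIN_REDIRECT_URL))
-next_url = self.get_next_url(default=resolve_url(settings.LOGIN_REDIRECT_URL))
-return HttpResponseRedirect(next_url)
+return HttpResponseRedirect(self.get_next_url() or '/')
 
 
 logout = csrf_exempt(LogoutView.as_view())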
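Review bot: The comment kept at new line 760, `# anonymous user: if next_url is None redirect to referer`, is now stale: `next_url = next_url or '/'` at new line 731 guarantees a non-None value and the referer is no longer used in that branch, so it should read `# anonymous user: nothing to undo, redirect to the origin-checked next_url (defaults to '/')`. The same-origin filter on the `next` parameter at new lines 729–730 is the right mitigation against the logout URL being used as an open redirect, but whether `utils.same_origin` accepts path-only values such as `/some/path/` (which the updated test relies on) cannot be seen here, and the rejected case, a cross-origin `next` falling back to `/`, has no test in this commit; one assertion for it would pin the check. In the third hunk, `self.get_next_url() or '/'` at new line 781 silently replaces the former `settings.LOGIN_REDIRECT_URL` default; if that is intended, a one-line comment such as `# no validated next URL: land on the site root rather than LOGIN_REDIRECT_URL` would keep the next reader from reading it as an accidental behaviour change. The method containing the third hunk begins outside it.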
tests/test_sso_slo.py | ||
---|---|---|
254 | 254 | |
255 | 255 |
# again, user is already logged out |
256 | 256 |
response = app.get(reverse('mellon_logout'), extra_environ={'HTTP_REFERER': '/some/path'}) |
257 |
assert urlparse.urlparse(response['Location']).path == '/some/path'
|
|
257 |
assert urlparse.urlparse(response['Location']).path == '/' |
|
258 | 258 | |
259 | 259 | |
260 | 260 |
def test_sso_slo_next(db, app, idp, caplog, sp_settings): |
261 | 261 |
response = app.get(reverse('mellon_login')) |
262 | 262 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
263 | 263 |
response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state}) |
264 |
response = app.get(reverse('mellon_logout') + '?next=/some/path/') |
|
264 |
response = app.get( |
|
265 |
reverse('mellon_logout') + '?next=/some/path/', extra_environ={'HTTP_REFERER': '/other/path'} |
|
266 |
) |
|
265 | 267 |
assert urlparse.urlparse(response['Location']).path == '/singleLogout' |
266 | 268 |
url = idp.process_logout_request_redirect(response.location) |
267 | 269 |
response = app.get(url) |
268 |
- |