From 4557d18a12c34e1a6a9da6ecf4cd1fc20d4b1141 Mon Sep 17 00:00:00 2001
From: Josue Kouka
Date: Wed, 19 Apr 2017 10:26:18 +0200
Subject: [PATCH 3/6] cas: check if user is authorized through the client
---
 src/authentic2_idp_cas/views.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/authentic2_idp_cas/views.py b/src/authentic2_idp_cas/views.py
index 8448e337..8dff3dab 100644
--- a/src/authentic2_idp_cas/views.py
+++ b/src/authentic2_idp_cas/views.py
@@ -11,7 +11,7 @@ from django.utils.timezone import now
 from authentic2.utils import (get_user_from_session_key, make_url, login_require, find_authentication_event, redirect, normalize_attribute_values,
- attribute_values_to_identifier)
+ attribute_values_to_identifier, redirect_to_unauthorized)
 from authentic2.attributes_ng.engine import get_attributes
 from authentic2.constants import NONCE_FIELD_NAME
 from authentic2.views import logout as logout_view
@@ -68,7 +68,7 @@ class CasMixin(object):
 st.save()
 if st.service.logout_url:
 request.session.setdefault(SESSION_CAS_LOGOUTS, []).append((
- st.service.name,
+ st.service.name,
 st.service.get_logout_url(request),
 st.service.logout_use_iframe,
 st.service.logout_use_iframe_timeout))
@@ -164,8 +164,11 @@ class ContinueView(CasMixin, View):
 return self.authenticate(request, st)
 self.validate_ticket(request, st)
 if st.valid():
+ # check if user is authorized through this service
+ if not st.service.authorize(request):
+ return redirect_to_unauthorized(request, st.service)
 return redirect(request, service, params={'ticket': st.ticket_id})
- # Should not happen
+ # Should not happen
 assert False
@@ -340,7 +343,7 @@ class ServiceValidateView(ValidateBaseView):
 class ProxyView(View):
 http_method_names = ['get']
-
+
 def get(self, request):
 pgt = request.GET.get(PGT_PARAM)
 target_service_url = request.GET.get(TARGET_SERVICE_PARAM)
--
2.11.0
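Review bot: In the ContinueView hunk the new `st.service.authorize(request)` guard runs only after `self.validate_ticket(request, st)` and `st.valid()`, so the ticket has already been validated for a user the service is not allowed to receive before the redirect to the unauthorized page; if validate_ticket persists the ticket in that state (its body is outside this hunk), that validated ticket stays in the store until it expires. Placing the guard before the validate_ticket call, or discarding `st` on the unauthorized branch, avoids leaving that state behind. It is also worth confirming that any path issuing a ticket for an already logged-in user without passing through ContinueView (if one exists outside this hunk) applies the same check, since the commit message describes a general authorization gate. The added comment reads better as `# check that the user is authorized to use this service`. The enclosing method of ContinueView starts before and ends after this hunk.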