From 729365b6c96b2f89631bcd79c43690d5ca644624 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 2 Apr 2019 16:54:08 +0200
Subject: [PATCH 3/4] views: handle authentication level when logging in (#33550)
---
 src/authentic2/views.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/authentic2/views.py b/src/authentic2/views.py
index c7bee83c..3fa4ae0b 100644
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -271,11 +271,19 @@ email_change_verify = EmailChangeVerifyView.as_view()
 def login(request, template_name='authentic2/login.html',
 redirect_field_name=REDIRECT_FIELD_NAME):
 """Displays the login form and handles the login action."""
+ current_auth_level = request.session.get('auth_level', 1)
+ if request.user.is_authenticated():
+ # prevent skipping authentication levels
+ target_auth_level = min(int(request.GET.get('auth_level', 1)),
+ current_auth_level + 1)
+ else:
+ target_auth_level = 1
 # redirect user to homepage if already connected, if setting
 # A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE is True
 if (request.user.is_authenticated()
- and app_settings.A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE):
+ and app_settings.A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE
+ and not target_auth_level > current_auth_level):
 return utils.redirect(request, 'auth_homepage')
 redirect_to = request.GET.get(redirect_field_name)
@@ -290,7 +298,7 @@ def login(request, template_name='authentic2/login.html',
 redirect_to = settings.LOGIN_REDIRECT_URL
 nonce = request.GET.get(constants.NONCE_FIELD_NAME)
- authenticators = utils.get_backends('AUTH_FRONTENDS')
+ authenticators = utils.get_backends('AUTH_FRONTENDS', target_auth_level)
 blocks = []
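Review bot: `int(request.GET.get('auth_level', 1))` in the first `login` hunk (`@@ -271,11 +271,19 @@`) parses a query-string value with no error handling and no lower bound. A non-numeric `auth_level` raises `ValueError` and surfaces as a server error for any authenticated user, and a zero or negative value passes through `min()` unchanged and reaches `utils.get_backends('AUTH_FRONTENDS', target_auth_level)` in the next hunk; what `get_backends` does with a level below 1 is not visible here, but the profile hunk passes `required_auth_level=0` deliberately, so it presumably has a distinct meaning. Parsing defensively and clamping to the floor of 1 that the `else` branch already uses keeps the upper-bound check meaningful. Separately, `not target_auth_level > current_auth_level` reads more directly as `target_auth_level <= current_auth_level`. The body of `login` continues outside the hunk.

```python
    if request.user.is_authenticated():
        # prevent skipping authentication levels; treat unparsable input as level 1
        try:
            requested_auth_level = int(request.GET.get('auth_level', 1))
        except ValueError:
            requested_auth_level = 1
        target_auth_level = max(
            1, min(requested_auth_level, current_auth_level + 1))
    # … unchanged: else branch, redirect of already-authenticated users …
```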
@@ -410,7 +418,7 @@ class ProfileView(cbv.TemplateNamesMixin, TemplateView):
 def get_context_data(self, **kwargs):
 context = super(ProfileView, self).get_context_data(**kwargs)
- frontends = utils.get_backends('AUTH_FRONTENDS')
+ frontends = utils.get_backends('AUTH_FRONTENDS', required_auth_level=0)
 request = self.request
-- 
2.20.1
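Review bot: `required_auth_level=0` in `ProfileView.get_context_data` is a bare magic value, and nothing in this hunk says what level 0 selects. A one-line comment such as `# level 0: do not filter frontends by the session's authentication level` (if that is what `get_backends` does with 0) would record the intent, and it is worth confirming that the profile page is meant to list blocks from frontends above the session's current level. The `login` hunk passes the same argument positionally (`utils.get_backends('AUTH_FRONTENDS', target_auth_level)`); using the keyword at both call sites would keep them consistent. `get_context_data` continues past the end of the hunk.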