From 66c8ecd8cd197abf3843040bec721f167b844e69 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 2 Oct 2014 21:47:37 +0200
Subject: [PATCH 1/5] Use setting CSRF_FAILURE_VIEW to prevent user seeing 403 on CSRF failure, instead redirect them to the same page and display a warning (refs #5617)
---
 src/authentic2/settings.py | 2 ++
 src/authentic2/views.py | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/src/authentic2/settings.py b/src/authentic2/settings.py
index b6c380f..06c6fc6 100644
--- a/src/authentic2/settings.py
+++ b/src/authentic2/settings.py
@@ -130,16 +130,18 @@ INSTALLED_APPS = tuple(plugins.register_plugins_installed_apps(INSTALLED_APPS))
 # authentication
 AUTHENTICATION_BACKENDS = (
 'authentic2.backends.ldap_backend.LDAPBackend',
 'authentic2.backends.ldap_backend.LDAPBackendPasswordLost',
 'authentic2.backends.models_backend.ModelBackend',
 )
 AUTHENTICATION_BACKENDS = plugins.register_plugins_authentication_backends(
 AUTHENTICATION_BACKENDS)
+CSRF_FAILURE_VIEW = 'authentic2.views.csrf_failure_view'
+
 LOGIN_REDIRECT_URL = '/'
 LOGIN_URL = '/login/'
 LOGOUT_URL = '/logout/'
 # Registration
 ACCOUNT_ACTIVATION_DAYS = 2
diff --git a/src/authentic2/views.py b/src/authentic2/views.py
index e644a76..59151c7 100644
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -467,8 +467,12 @@ class LoggedInView(View):
 def get(self, request, *args, **kwargs):
 if not self.check_referrer():
 return HttpResponseForbidden()
 callback = request.GET.get('callback')
 content = u'{0}({1})'.format(callback, int(request.user.is_authenticated()))
 return HttpResponse(content, content_type='application/json')
 logged_in = never_cache(LoggedInView.as_view())
+
+def csrf_failure_view(request, reason=""):
+ messages.warning(request, _('The page is out of date, it was reloaded for you'))
+ return HttpResponseRedirect(request.get_full_path())
--
1.9.1
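Review bot: In the views.py hunk, `csrf_failure_view` redirects to `request.get_full_path()` for every failure reason, which loops in the one case a warning cannot fix: when no CSRF cookie reached the server (cookies disabled, or stripped by a proxy), the redirect shows the same form, the re-submission is rejected again, and `messages.warning` itself has nowhere to persist, so the user never learns why. The `reason` argument Django passes is ignored; comparing it with `django.middleware.csrf.REASON_NO_CSRF_COOKIE` and falling back to Django's default `django.views.csrf.csrf_failure` for that case keeps the friendly redirect for stale-token submissions while still explaining the cookie problem (both names would need importing at the top of views.py, outside the hunk). The 302 also turns the rejected POST into a GET of the POST URL, which only renders something useful when the form is served from its own action URL, so that assumption deserves a comment. Because the response no longer looks like a rejection to the user, confirm that the warning the CSRF middleware logs before calling this view is actually captured, since it becomes the only trace of a genuine cross-site submission. The new view also lacks a docstring, and `messages`, `_` and `HttpResponseRedirect` are assumed to be imported above the hunk.
```python
def csrf_failure_view(request, reason=""):
    """CSRF failure view: redirect to the same URL with a warning instead of
    a 403, except when no CSRF cookie reached us, where a redirect would only
    loop and the warning could not be stored anyway."""
    if reason == csrf.REASON_NO_CSRF_COOKIE:
        # needs at file top: from django.middleware import csrf
        #                    from django.views.csrf import csrf_failure as default_csrf_failure
        return default_csrf_failure(request, reason=reason)
    messages.warning(request, _('The page is out of date, it was reloaded for you'))
    # 302 turns the rejected POST into a GET of the same path (query string kept);
    # assumes the form is served from its own action URL
    return HttpResponseRedirect(request.get_full_path())
```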