do not logout from local session on unlink (fixes #17331)

2017-07-04 12:06:26 +02:00 · 2017-07-04 12:06:26 +02:00 · 212d41fdbe
parent 9587e13780
commit 212d41fdbe
3 changed files with 29 additions and 7 deletions
--- a/src/authentic2_auth_fc/init.py
+++ b/src/authentic2_auth_fc/init.py
@ -17,7 +17,9 @@ class Plugin(object):
        return ['authentic2_auth_fc.auth_frontends.FcFrontend']

    def redirect_logout_list(self, request, **kwargs):
-        url = utils.build_logout_url(request)
+        from django.core.urlresolvers import reverse
+
+        url = utils.build_logout_url(request, next_url=reverse('auth_logout'))
        # url is assumed empty if no active session on the OP.
        if url:
            return [url]
--- a/src/authentic2_auth_fc/utils.py
+++ b/src/authentic2_auth_fc/utils.py
@ -3,23 +3,35 @@ import logging
 import os
 import json
 import datetime
+import uuid

 from django.core.urlresolvers import reverse
+from django.conf import settings
+from django.shortcuts import resolve_url

 from . import app_settings


-def build_logout_url(request):
+def build_logout_url(request, next_url=None):
    """
    For now fc_id_token in request.session is used as the flag of an
    active session on the OP. It is set in the login view and deleted in the
    logout return view.
    """
+    if not next_url:
+        next_url = resolve_url(settings.LOGIN_REDIRECT_URL)
+    state = unicode(uuid.uuid4())
+    states = request.session.setdefault('fc_states', {})
+    request.session.modified = True
+    states['state'] = {
+        'next': next_url,
+    }
    if 'fc_id_token' in request.session:
        callback = request.build_absolute_uri(reverse('fc-logout'))
        qs = {
            'id_token_hint': request.session.get('fc_id_token_raw'),
-            'post_logout_redirect_uri': callback
+            'post_logout_redirect_uri': callback,
+            'state': state,
        }
        return app_settings.logout_url + '?' + urllib.urlencode(qs)
    return None
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@ -22,6 +22,7 @@ from django.core.cache import InvalidCacheBackendError, caches
 from django.core.exceptions import PermissionDenied
 from django.core.urlresolvers import reverse
 from django.forms import Form
+from django.conf import settings

 from authentic2 import app_settings as a2_app_settings
 from authentic2 import utils as a2_utils
@ -409,9 +410,10 @@ class UnlinkView(LoggerMixin, SingleObjectMixin, FormView):
    template_name = 'authentic2_auth_fc/unlink.html'

    def get_success_url(self):
+        url = reverse('account_management')
        if app_settings.logout_when_unlink:
-            return reverse('auth_logout')
-        return reverse('account_management')
+            url = utils.build_logout_url(self.request, next_url=url)
+        return url

    def get_form_class(self):
        form_class = Form
@ -473,11 +475,17 @@ unlink = UnlinkView.as_view()

 class LogoutReturnView(View):
    def get(self, request, *args, **kwargs):
+        state = request.GET.get('state')
        request.session.pop('fc_id_token', None)
        request.session.pop('fc_id_token_raw', None)
        request.session.pop('fc_user_info', None)
        request.session.pop('fc_data', None)
-        request.session.pop('fc_states', None)
-        return HttpResponseRedirect(reverse('auth_logout'))
+        states = request.session.pop('fc_states', None)
+        next_url = None
+        if state in states:
+            next_url = states[state].get('next')
+        if not next_url:
+            next_url = settings.LOGIN_REDIRECT_URL
+        return HttpResponseRedirect(next_url)

 logout = LogoutReturnView.as_view()