2023-12-21 13:48:26 +01:00
2 changed files with 8 additions and 9 deletions
--- a/src/authentic2_idp_cas/models.py
+++ b/src/authentic2_idp_cas/models.py
@ -22,7 +22,7 @@ from django.utils.translation import gettext_lazy as _

 from authentic2.models import LogoutUrlAbstract
 from authentic2.models import Service as BaseService
-from authentic2.utils.misc import check_session_key
+from authentic2.utils.misc import get_user_from_session_key

 from . import constants, managers, utils

@ -141,11 +141,12 @@ class Ticket(models.Model):

    def session_exists(self):
        '''Verify if the session linked to this ticket is still active'''
-        if self.session_key:
-            return check_session_key(self.session_key)
-        else:
+        if not self.session_key:
            return True

+        user = get_user_from_session_key(self.session_key)
+        return user == self.user
+
    def expired(self):
        '''Check if the given ticket has expired'''
        if self.expire:
--- a/src/authentic2_idp_cas/views.py
+++ b/src/authentic2_idp_cas/views.py
@ -31,7 +31,6 @@ from authentic2.utils import hooks
 from authentic2.utils.misc import (
    attribute_values_to_identifier,
    find_authentication_event,
-    get_user_from_session_key,
    login_require,
    make_url,
    normalize_attribute_values,
@ -262,6 +261,8 @@ class ValidateBaseView(CasMixin, View):
            if not st.valid() or renew and not st.renew:
                return self.validation_failure(request, service, INVALID_TICKET_SPEC_ERROR)
            attributes = self.get_attributes(request, st)
+            if attributes is None:
+                return self.validation_failure(request, service, INVALID_TICKET_ERROR)
            if st.service.identifier_attribute not in attributes:
                self.logger.error(
                    'unable to compute an identifier for user %r and service %s',
@ -280,13 +281,10 @@ class ValidateBaseView(CasMixin, View):
        '''Retrieve attribute for users of the session linked to the ticket'''
        if not hasattr(st, 'attributes'):
            wanted_attributes = st.service.get_wanted_attributes()
-            user = get_user_from_session_key(st.session_key)
-            assert user.pk  # not an annymous user
-            assert st.user_id == user.pk  # session user matches ticket user
            st.attributes = get_attributes(
                {
                    'request': request,
-                    'user': user,
+                    'user': st.user,
                    'service': st.service,
                    '__wanted_attributes': wanted_attributes,
                }