views: show message when logout is refused (#85904)

2024-01-19 17:44:15 +01:00 · 2024-01-19 17:44:15 +01:00 · 51ee9d8cac
parent af81da4954
commit 51ee9d8cac
3 changed files with 38 additions and 3 deletions
--- a/mellon/views.py
+++ b/mellon/views.py
@ -26,7 +26,7 @@ import django.http
 import lasso
 import requests
 from django.conf import settings
-from django.contrib import auth
+from django.contrib import auth, messages
 from django.contrib.auth import REDIRECT_FIELD_NAME, get_user_model
 from django.core import signing
 from django.db import transaction
@ -785,6 +785,10 @@ class LogoutView(ProfileMixin, LogMixin, View):
                return HttpResponseRedirect(next_url)
        else:
            self.log.warning('logout refused referer %r is not of the same origin', referer)
+            messages.error(
+                request,
+                _('Logout refused, referer "{referer}" is not of the same origin.').format(referer=referer),
+            )
        return HttpResponseRedirect(next_url)

    def sp_logout_response(self, request, logout_next_url='/'):
--- a/tests/test_sso_slo.py
+++ b/tests/test_sso_slo.py
@ -963,3 +963,29 @@ def test_sso_slo_pass_login_hints_from_request(db, app, idp, caplog, sp_settings
    login_hints = root.findall('.//{https://www.entrouvert.com/}login-hint')
    assert len(login_hints) == 1, 'missing login hint'
    assert login_hints[0].text == 'azure', 'login hint is not azure'
+
+
+@pytest.fixture
+def connected(db, app, idp, sp_settings):
+    response = app.get('/login/')
+    url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
+    response = app.post(
+        reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state}
+    ).follow()
+
+
+def test_logout_same_origin_no_referer(connected, app):
+    response = app.get('/logout/')
+    assert 'SAMLRequest' in response.location
+
+
+def test_logout_same_origin_good_referer(connected, app):
+    response = app.get('/logout/', headers={'Referer': 'http://testserver/'})
+    assert 'SAMLRequest' in response.location
+
+
+def test_logout_same_origin_bad_referer(connected, app):
+    response = app.get('/logout/', headers={'Referer': 'http://other.example.com/'})
+    assert response.location == '/'
+    response = response.follow()
+    assert 'Logout refused' in response.json['messages']
--- a/tests/urls_tests.py
+++ b/tests/urls_tests.py
@ -13,12 +13,17 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-from django.http import HttpResponse
+from django.contrib import messages
+from django.http import JsonResponse
 from django.urls import include, path


 def homepage(request):
-    return HttpResponse('ok')
+    return JsonResponse(
+        {
+            'messages': '\n'.join(message.message for message in messages.get_messages(request)),
+        }
+    )


 urlpatterns = [