views: show message when logout is refused (#85904)
This commit is contained in:
parent
af81da4954
commit
51ee9d8cac
|
@ -26,7 +26,7 @@ import django.http
|
||||||
import lasso
|
import lasso
|
||||||
import requests
|
import requests
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.contrib import auth
|
from django.contrib import auth, messages
|
||||||
from django.contrib.auth import REDIRECT_FIELD_NAME, get_user_model
|
from django.contrib.auth import REDIRECT_FIELD_NAME, get_user_model
|
||||||
from django.core import signing
|
from django.core import signing
|
||||||
from django.db import transaction
|
from django.db import transaction
|
||||||
|
@ -785,6 +785,10 @@ class LogoutView(ProfileMixin, LogMixin, View):
|
||||||
return HttpResponseRedirect(next_url)
|
return HttpResponseRedirect(next_url)
|
||||||
else:
|
else:
|
||||||
self.log.warning('logout refused referer %r is not of the same origin', referer)
|
self.log.warning('logout refused referer %r is not of the same origin', referer)
|
||||||
|
messages.error(
|
||||||
|
request,
|
||||||
|
_('Logout refused, referer "{referer}" is not of the same origin.').format(referer=referer),
|
||||||
|
)
|
||||||
return HttpResponseRedirect(next_url)
|
return HttpResponseRedirect(next_url)
|
||||||
|
|
||||||
def sp_logout_response(self, request, logout_next_url='/'):
|
def sp_logout_response(self, request, logout_next_url='/'):
|
||||||
|
|
|
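Review bot: The added `messages.error(request, ...)` raises `MessageFailure` when the messages middleware is not installed, and for a reusable app that turns a refused logout into a 500 in any project without `django.contrib.messages`, instead of the redirect and warning log that already existed; passing `fail_silently=True` keeps the branch best-effort: `messages.error(request, _('Logout refused, referer "{referer}" is not of the same origin.').format(referer=referer), fail_silently=True)`. The referer echoed into the message comes straight from the request header, so the text must only reach a page through autoescaped rendering; a comment above the call, `# referer is client-controlled; rely on template autoescaping, never mark this message safe`, would record that for whoever renders the messages. The surrounding `if`/`else` and the assignment of `next_url` start outside the hunk, and whether `_` is bound in this module is not visible here.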
@ -963,3 +963,29 @@ def test_sso_slo_pass_login_hints_from_request(db, app, idp, caplog, sp_settings
|
||||||
login_hints = root.findall('.//{https://www.entrouvert.com/}login-hint')
|
login_hints = root.findall('.//{https://www.entrouvert.com/}login-hint')
|
||||||
assert len(login_hints) == 1, 'missing login hint'
|
assert len(login_hints) == 1, 'missing login hint'
|
||||||
assert login_hints[0].text == 'azure', 'login hint is not azure'
|
assert login_hints[0].text == 'azure', 'login hint is not azure'
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.fixture
|
||||||
|
def connected(db, app, idp, sp_settings):
|
||||||
|
response = app.get('/login/')
|
||||||
|
url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
|
||||||
|
response = app.post(
|
||||||
|
reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state}
|
||||||
|
).follow()
|
||||||
|
|
||||||
|
|
||||||
|
def test_logout_same_origin_no_referer(connected, app):
|
||||||
|
response = app.get('/logout/')
|
||||||
|
assert 'SAMLRequest' in response.location
|
||||||
|
|
||||||
|
|
||||||
|
def test_logout_same_origin_good_referer(connected, app):
|
||||||
|
response = app.get('/logout/', headers={'Referer': 'http://testserver/'})
|
||||||
|
assert 'SAMLRequest' in response.location
|
||||||
|
|
||||||
|
|
||||||
|
def test_logout_same_origin_bad_referer(connected, app):
|
||||||
|
response = app.get('/logout/', headers={'Referer': 'http://other.example.com/'})
|
||||||
|
assert response.location == '/'
|
||||||
|
response = response.follow()
|
||||||
|
assert 'Logout refused' in response.json['messages']
|
||||||
|
|
|
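Review bot: `test_logout_same_origin_bad_referer` asserts only the redirect target and the message text, not that the session survived the refused logout, which is the property the referer check is there to protect, so a regression that still logs the user out while setting the message would pass; a follow-up request to an authenticated page, or an assertion on the session after `response.follow()`, would pin it. The `connected` fixture likewise never checks that the login round-trip authenticated the user, so a broken fixture would surface as confusing failures in the three tests; an assertion on the followed response's status would catch that at the fixture. The `'http://testserver/'` referer presumably matches the test client's default host, which is worth stating in a comment on `test_logout_same_origin_good_referer`. Whether `pytest` and `reverse` are imported in this module is outside the hunk.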
@ -13,12 +13,17 @@
|
||||||
# You should have received a copy of the GNU Affero General Public License
|
# You should have received a copy of the GNU Affero General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
from django.http import HttpResponse
|
from django.contrib import messages
|
||||||
|
from django.http import JsonResponse
|
||||||
from django.urls import include, path
|
from django.urls import include, path
|
||||||
|
|
||||||
|
|
||||||
def homepage(request):
|
def homepage(request):
|
||||||
return HttpResponse('ok')
|
return JsonResponse(
|
||||||
|
{
|
||||||
|
'messages': '\n'.join(message.message for message in messages.get_messages(request)),
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
urlpatterns = [
|
urlpatterns = [
|
||||||
|
|
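Review bot: `'\n'.join(message.message for message in messages.get_messages(request))` relies on every stored message being a plain `str`; Django documents `str(message)` as the way to read a message, and a lazy translation object stored as a message would make `str.join` raise `TypeError`. Using `str(message)` keeps this test helper robust against that: `'messages': '\n'.join(str(message) for message in messages.get_messages(request)),`. The rest of `urlpatterns` continues outside the hunk.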