views: show message when logout is refused (#85904)
gitea/django-mellon/pipeline/head This commit looks good
Details
gitea/django-mellon/pipeline/head This commit looks good
Details
This commit is contained in:
parent
af81da4954
commit
51ee9d8cac
|
@ -26,7 +26,7 @@ import django.http
|
|||
import lasso
|
||||
import requests
|
||||
from django.conf import settings
|
||||
from django.contrib import auth
|
||||
from django.contrib import auth, messages
|
||||
from django.contrib.auth import REDIRECT_FIELD_NAME, get_user_model
|
||||
from django.core import signing
|
||||
from django.db import transaction
|
||||
|
@ -785,6 +785,10 @@ class LogoutView(ProfileMixin, LogMixin, View):
|
|||
return HttpResponseRedirect(next_url)
|
||||
else:
|
||||
self.log.warning('logout refused referer %r is not of the same origin', referer)
|
||||
messages.error(
|
||||
request,
|
||||
_('Logout refused, referer "{referer}" is not of the same origin.').format(referer=referer),
|
||||
)
|
||||
return HttpResponseRedirect(next_url)
|
||||
|
||||
def sp_logout_response(self, request, logout_next_url='/'):
|
||||
|
|
|
@ -963,3 +963,29 @@ def test_sso_slo_pass_login_hints_from_request(db, app, idp, caplog, sp_settings
|
|||
login_hints = root.findall('.//{https://www.entrouvert.com/}login-hint')
|
||||
assert len(login_hints) == 1, 'missing login hint'
|
||||
assert login_hints[0].text == 'azure', 'login hint is not azure'
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def connected(db, app, idp, sp_settings):
|
||||
response = app.get('/login/')
|
||||
url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
|
||||
response = app.post(
|
||||
reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state}
|
||||
).follow()
|
||||
|
||||
|
||||
def test_logout_same_origin_no_referer(connected, app):
|
||||
response = app.get('/logout/')
|
||||
assert 'SAMLRequest' in response.location
|
||||
|
||||
|
||||
def test_logout_same_origin_good_referer(connected, app):
|
||||
response = app.get('/logout/', headers={'Referer': 'http://testserver/'})
|
||||
assert 'SAMLRequest' in response.location
|
||||
|
||||
|
||||
def test_logout_same_origin_bad_referer(connected, app):
|
||||
response = app.get('/logout/', headers={'Referer': 'http://other.example.com/'})
|
||||
assert response.location == '/'
|
||||
response = response.follow()
|
||||
assert 'Logout refused' in response.json['messages']
|
||||
|
|
|
@ -13,12 +13,17 @@
|
|||
# You should have received a copy of the GNU Affero General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
from django.http import HttpResponse
|
||||
from django.contrib import messages
|
||||
from django.http import JsonResponse
|
||||
from django.urls import include, path
|
||||
|
||||
|
||||
def homepage(request):
|
||||
return HttpResponse('ok')
|
||||
return JsonResponse(
|
||||
{
|
||||
'messages': '\n'.join(message.message for message in messages.get_messages(request)),
|
||||
}
|
||||
)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
|
|
Loading…
Reference in New Issue