##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
auth: use consistent way of extracting came_from, and also sanitise it to remove...
marcink -
r2074:46bdf527 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -280,6 +280,23 b' def generate_auth_token(data, salt=None)'
280 return hashlib.sha1(safe_str(data) + salt).hexdigest()
280 return hashlib.sha1(safe_str(data) + salt).hexdigest()
281
281
282
282
283 def get_came_from(request):
284 """
285 get query_string+path from request sanitized after removing auth_token
286 """
287 _req = request
288
289 path = _req.path
290 if 'auth_token' in _req.GET:
291 # sanitize the request and remove auth_token for redirection
292 _req.GET.pop('auth_token')
293 qs = _req.query_string
294 if qs:
295 path += '?' + qs
296
297 return path
298
299
283 class CookieStoreWrapper(object):
300 class CookieStoreWrapper(object):
284
301
285 def __init__(self, cookie_store):
302 def __init__(self, cookie_store):
@@ -1465,7 +1482,8 b' class LoginRequired(object):'
1465 % (user, reason, loc, ip_access_valid,
1482 % (user, reason, loc, ip_access_valid,
1466 auth_token_access_valid))
1483 auth_token_access_valid))
1467 # we preserve the get PARAM
1484 # we preserve the get PARAM
1468 came_from = request.path_qs
1485 came_from = get_came_from(request)
1486
1469 log.debug('redirecting to login page with %s' % (came_from,))
1487 log.debug('redirecting to login page with %s' % (came_from,))
1470 raise HTTPFound(
1488 raise HTTPFound(
1471 h.route_path('login', _query={'came_from': came_from}))
1489 h.route_path('login', _query={'came_from': came_from}))
@@ -1494,7 +1512,7 b' class NotAnonymous(object):'
1494 anonymous = self.user.username == User.DEFAULT_USER
1512 anonymous = self.user.username == User.DEFAULT_USER
1495
1513
1496 if anonymous:
1514 if anonymous:
1497 came_from = request.path_qs
1515 came_from = get_came_from(request)
1498 h.flash(_('You need to be a registered user to '
1516 h.flash(_('You need to be a registered user to '
1499 'perform this action'),
1517 'perform this action'),
1500 category='warning')
1518 category='warning')
@@ -1519,12 +1537,6 b' class PermsDecorator(object):'
1519 def _get_request(self):
1537 def _get_request(self):
1520 return get_request(self)
1538 return get_request(self)
1521
1539
1522 def _get_came_from(self):
1523 _request = self._get_request()
1524
1525 # both pylons/pyramid has this attribute
1526 return _request.path_qs
1527
1528 def __wrapper(self, func, *fargs, **fkwargs):
1540 def __wrapper(self, func, *fargs, **fkwargs):
1529 import rhodecode.lib.helpers as h
1541 import rhodecode.lib.helpers as h
1530 cls = fargs[0]
1542 cls = fargs[0]
@@ -1542,7 +1554,7 b' class PermsDecorator(object):'
1542 anonymous = _user.username == User.DEFAULT_USER
1554 anonymous = _user.username == User.DEFAULT_USER
1543
1555
1544 if anonymous:
1556 if anonymous:
1545 came_from = self._get_came_from()
1557 came_from = get_came_from(self._get_request())
1546 h.flash(_('You need to be signed in to view this page'),
1558 h.flash(_('You need to be signed in to view this page'),
1547 category='warning')
1559 category='warning')
1548 raise HTTPFound(
1560 raise HTTPFound(
Show file before | Show file after | Hide comments
@@ -42,4 +42,8 b' def test_connect_redirection_links():'
42
42
43 for link_data in routing_links.link_config:
43 for link_data in routing_links.link_config:
44 response = requests.get(link_data['target'])
44 response = requests.get(link_data['target'])
45 assert response.url == link_data['external_target']
45 if link_data['name'] == 'enterprise_license_convert_from_old':
46 # special case for a page that requires a valid login
47 assert response.url == 'https://rhodecode.com/login'
48 else:
49 assert response.url == link_data['external_target']
General Comments 0
You need to be logged in to leave comments. Login now