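def validate_next_url(next_url):
    """
    Non-view helper function that checks `next_url`.
    Only allow redirects which are relative root or full domain (CAS, OSF and MFR).
    Disallows external redirects.

    An empty or missing `next_url` is treated as invalid instead of raising
    `IndexError` on the `next_url[0]` check.

    :param next_url: the next url to check
    :return: True if valid, False otherwise
    """

    # nothing to redirect to: reject rather than crash on `next_url[0]` below
    if not next_url:
        return False

    # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
    # like http:// or https:// depending on the use of SSL on the page already.
    # Browsers also normalise a backslash to a slash in this position, so `/\` is rejected for the same reason.
    if next_url.startswith(('//', '/\\')):
        return False

    # only OSF, MFR, CAS and Branded Preprints domains are allowed
    # NOTE(review): these are plain prefix checks; they are only as strict as the configured values
    # (e.g. a DOMAIN without a trailing `/` would also match a longer host name) -- confirm the settings.
    if next_url[0] == '/' or next_url.startswith(settings.DOMAIN):
        # OSF
        return True
    if next_url.startswith((settings.CAS_SERVER_URL, settings.MFR_SERVER_URL)):
        # CAS or MFR
        return True

    # Branded Preprints Phase 2
    return any(next_url.startswith(url) for url in campaigns.get_external_domains())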
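def validate_next_url(next_url):
    """
    Non-view helper function that checks `next_url`.
    Only allow redirects which are relative root or full domain (CAS, OSF and MFR).
    Disallows external redirects.

    An empty or missing `next_url` is treated as invalid instead of raising
    `IndexError` on the `next_url[0]` check.

    :param next_url: the next url to check
    :return: True if valid, False otherwise
    """

    # nothing to redirect to: reject rather than crash on `next_url[0]` below
    if not next_url:
        return False

    # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
    # like http:// or https:// depending on the use of SSL on the page already.
    # Browsers also normalise a backslash to a slash in this position, so `/\` is rejected for the same reason.
    if next_url.startswith(('//', '/\\')):
        return False

    # only OSF, MFR, CAS and Branded Preprints domains are allowed
    # NOTE(review): these are plain prefix checks; they are only as strict as the configured values
    # (e.g. a DOMAIN without a trailing `/` would also match a longer host name) -- confirm the settings.
    if next_url[0] == '/' or next_url.startswith(settings.DOMAIN):
        # OSF
        return True
    if next_url.startswith((settings.CAS_SERVER_URL, settings.MFR_SERVER_URL)):
        # CAS or MFR
        return True

    # per-region MFR hosts; values_list yields plain strings, so no row objects are materialised
    if any(next_url.startswith(url) for url in Region.objects.values_list('mfr_url', flat=True)):
        return True

    # Branded Preprints Phase 2
    return any(next_url.startswith(url) for url in campaigns.get_external_domains())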