def handle(self, request):
next = request.GET.get(REDIRECT_FIELD_NAME, '')
if not is_safe_url(next, host=request.get_host()):
next = auth.get_login_url()
logout(request)
request.user = AnonymousUser()
return self.redirect(next)
def auth(request, backend):
"""Authenticate using social backend"""
data = request.POST if request.method == "POST" else request.GET
# Save extra data into session.
for field_name in setting("SOCIAL_AUTH_FIELDS_STORED_IN_SESSION", []):
if field_name in data:
request.session[field_name] = data[field_name]
# Save any defined next value into session
if REDIRECT_FIELD_NAME in data:
# Check and sanitize a user-defined GET/POST next field value
redirect = data[REDIRECT_FIELD_NAME]
# NOTE: django-sudo's `is_safe_url` is much better at catching bad
# redirections to different domains than social_auth's
# `sanitize_redirect` call.
if not is_safe_url(redirect, host=request.get_host()):
redirect = DEFAULT_REDIRECT
request.session[REDIRECT_FIELD_NAME] = redirect or DEFAULT_REDIRECT
# Clean any partial pipeline info before starting the process
clean_partial_pipeline(request)
if backend.uses_redirect:
return HttpResponseRedirect(backend.auth_url())
else:
return HttpResponse(backend.auth_html(), content_type="text/html;charset=UTF-8")
def auth_process(request, backend):
"""Authenticate using social backend"""
data = request.POST if request.method == 'POST' else request.GET
# Save extra data into session.
for field_name in setting('SOCIAL_AUTH_FIELDS_STORED_IN_SESSION', []):
if field_name in data:
request.session[field_name] = data[field_name]
# Save any defined next value into session
if REDIRECT_FIELD_NAME in data:
# Check and sanitize a user-defined GET/POST next field value
redirect = data[REDIRECT_FIELD_NAME]
# NOTE: django-sudo's `is_safe_url` is much better at catching bad
# redirections to different domains than social_auth's
# `sanitize_redirect` call.
if not is_safe_url(redirect, host=request.get_host()):
redirect = DEFAULT_REDIRECT
request.session[REDIRECT_FIELD_NAME] = redirect or DEFAULT_REDIRECT
# Clean any partial pipeline info before starting the process
clean_partial_pipeline(request)
if backend.uses_redirect:
return HttpResponseRedirect(backend.auth_url())
else:
return HttpResponse(backend.auth_html(),
content_type='text/html;charset=UTF-8')
def grant_sudo_privileges(self, request, redirect_to):
grant_sudo_privileges(request)
# Restore the redirect destination from the GET request
redirect_to = request.session.pop(REDIRECT_TO_FIELD_NAME, redirect_to)
# Double check we're not redirecting to other sites
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = resolve_url(REDIRECT_URL)
return HttpResponseRedirect(redirect_to)
def test_success(self):
urls = (
('/', None),
('/foo/', None),
('/', 'example.com'),
('http://example.com/foo', 'example.com'),
)
for url in urls:
self.assertTrue(is_safe_url(*url))
def grant_sudo_privileges(self, request, redirect_to):
grant_sudo_privileges(request)
# Restore the redirect destination from the GET request
redirect_to = request.session.pop(REDIRECT_TO_FIELD_NAME,
redirect_to)
# Double check we're not redirecting to other sites
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = resolve_url(REDIRECT_URL)
return HttpResponseRedirect(redirect_to)
def test_failure(self):
urls = (
(None, None),
('', ''),
('http://mattrobenolt.com/', 'example.com'),
('///example.com/', None),
('ftp://example.com', 'example.com'),
('http://example.com\@mattrobenolt.com', 'example.com'),
('http:///example.com', 'example.com'),
('\x08//example.com', 'example.com'),
)
for url in urls:
self.assertFalse(is_safe_url(*url))
def disconnect(request, backend, association_id=None):
"""Disconnects given backend from current logged in user."""
backend.disconnect(request.user, association_id)
data = request.REQUEST
if REDIRECT_FIELD_NAME in data:
redirect = data[REDIRECT_FIELD_NAME]
# NOTE: Django's `is_safe_url` is much better at catching bad
# redirections to different domains than social_auth's
# `sanitize_redirect` call.
if not is_safe_url(redirect, host=request.get_host()):
redirect = DEFAULT_REDIRECT
else:
redirect = backend_setting(backend, 'SOCIAL_AUTH_DISCONNECT_REDIRECT_URL')
if not redirect:
redirect = DEFAULT_REDIRECT
return HttpResponseRedirect(redirect)
def handle(self, request, organization, project, group_id, slug):
group = get_object_or_404(Group, pk=group_id, project=project)
try:
plugin = plugins.get(slug)
except KeyError:
raise Http404("Plugin not found")
GroupMeta.objects.populate_cache([group])
response = plugin.get_view_response(request, group)
if response:
return response
redirect = request.META.get("HTTP_REFERER", "")
if not is_safe_url(redirect, host=request.get_host()):
redirect = u"/{}/{}/".format(organization.slug, group.project.slug)
return HttpResponseRedirect(redirect)
def handle(self, request, organization, team, project, group_id, slug):
group = get_object_or_404(Group, pk=group_id, project=project)
try:
plugin = plugins.get(slug)
except KeyError:
raise Http404('Plugin not found')
GroupMeta.objects.populate_cache([group])
response = plugin.get_view_response(request, group)
if response:
return response
redirect = request.META.get('HTTP_REFERER', '')
if not is_safe_url(redirect, host=request.get_host()):
redirect = '/{}/{}/'.format(
organization.slug,
group.project.slug,
)
return HttpResponseRedirect(redirect)
def dispatch(self, request):
redirect_to = request.GET.get(REDIRECT_FIELD_NAME, REDIRECT_URL)
# Make sure we're not redirecting to other sites
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = resolve_url(REDIRECT_URL)
if request.is_sudo():
return HttpResponseRedirect(redirect_to)
if request.method == 'GET':
request.session[REDIRECT_TO_FIELD_NAME] = redirect_to
context = {
'form': self.form_class(request.user, request.POST or None),
'request': request,
REDIRECT_FIELD_NAME: redirect_to,
}
if self.handle_sudo(request, redirect_to, context):
return self.grant_sudo_privileges(request, redirect_to)
if self.extra_context is not None:
context.update(self.extra_context)
return TemplateResponse(request, self.template_name, context)
def dispatch(self, request):
redirect_to = request.GET.get(REDIRECT_FIELD_NAME, REDIRECT_URL)
# Make sure we're not redirecting to other sites
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = resolve_url(REDIRECT_URL)
if request.is_sudo():
return HttpResponseRedirect(redirect_to)
if request.method == 'GET':
request.session[REDIRECT_TO_FIELD_NAME] = redirect_to
context = {
'form': self.form_class(request.user, request.POST or None),
'request': request,
REDIRECT_FIELD_NAME: redirect_to,
}
if self.handle_sudo(request, redirect_to, context):
return self.grant_sudo_privileges(request, redirect_to)
if self.extra_context is not None:
context.update(self.extra_context)
return TemplateResponse(request, self.template_name, context)
def is_valid_redirect(url, host=None):
if not url:
return False
if url.startswith(get_login_url()):
return False
return is_safe_url(url, host=host)
def is_valid_redirect(url, host=None):
if not url:
return False
if url.startswith(get_login_url()):
return False
return is_safe_url(url, host=host)
def redirect(self, request):
next = request.GET.get(REDIRECT_FIELD_NAME, '')
if not is_safe_url(next, host=request.get_host()):
next = auth.get_login_url()
return super(AuthLogoutView, self).redirect(next)
