From 9a100b1f5559c3cec636b04737d5ab659a805909 Mon Sep 17 00:00:00 2001 From: Aditya Bansal Date: Mon, 12 Mar 2018 16:55:50 +0530 Subject: [PATCH] auth.py: Make redirects to 'next' url work for dev environment. This makes these redirects work for the local authentication backend. --- templates/zerver/dev_login.html | 4 ++-- zerver/tests/test_auth_backends.py | 14 ++++++++++++++ zerver/views/auth.py | 13 ++++++++++++- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/templates/zerver/dev_login.html b/templates/zerver/dev_login.html index 9580d3eca8..a32db335dd 100644 --- a/templates/zerver/dev_login.html +++ b/templates/zerver/dev_login.html @@ -17,7 +17,7 @@

{{ _('Administrators') }}

{% if direct_admins %} {% for direct_admin in direct_admins %} -

{% endfor %} {% else %} @@ -29,7 +29,7 @@

{{ _('Normal users') }}

{% if direct_users %} {% for direct_user in direct_users %} -

 {% endfor %}
 {% else %}
diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py
index f455b52da9..f4b7b37da6 100644
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@@ -1459,6 +1459,20 @@ class TestDevAuthBackend(ZulipTestCase):
 self.assertEqual(result.status_code, 302)
 self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
 
+ def test_redirect_to_next_url(self) -> None:
+ def do_local_login(formaction: Text) -> HttpResponse:
+ user_email = self.example_email('hamlet')
+ data = {'direct_email': user_email}
+ return self.client_post(formaction, data)
+
+ res = do_local_login('/accounts/login/local/')
+ self.assertEqual(res.status_code, 302)
+ self.assertEqual(res.url, 'http://zulip.testserver')
+
+ res = do_local_login('/accounts/login/local/?next=/user_uploads/path_to_image')
+ self.assertEqual(res.status_code, 302)
+ self.assertEqual(res.url, 'http://zulip.testserver/user_uploads/path_to_image')
+
 def test_login_with_subdomain(self) -> None:
 user_profile = self.example_user('hamlet')
 email = user_profile.email
diff --git a/zerver/views/auth.py b/zerver/views/auth.py
index 9ebbd11c2d..4bf3dcd5f4 100644
--- a/zerver/views/auth.py
+++ b/zerver/views/auth.py
@@ -16,6 +16,7 @@ from django.shortcuts import redirect, render
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_GET
 from django.utils.translation import ugettext as _
+from django.utils.http import is_safe_url
 from django.core import signing
 import urllib
 from typing import Any, Dict, List, Optional, Tuple, Text
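Review bot: test_redirect_to_next_url only exercises the happy path (no `next`, and a relative `next`); the whole reason the view now routes through is_safe_url is to refuse off-site targets, and nothing here pins that behaviour, so a later regression to a plain urljoin would still pass. Add a negative case alongside the two existing ones: `res = do_local_login('/accounts/login/local/?next=http://evil.example/path')`, `self.assertEqual(res.status_code, 302)`, `self.assertEqual(res.url, 'http://zulip.testserver')`. A protocol-relative form (`?next=//evil.example/path`) is worth a second assertion of the same shape, since that is the variant naive prefix checks miss. The `Text` and `HttpResponse` names used in the nested helper's annotations are assumed to already be imported by this test module; I cannot see its import block from this hunk.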
@@ -47,6 +48,13 @@ import requests import time import ujson +def get_safe_redirect_to(url: Text, redirect_host: Text) -> Text: + is_url_safe = is_safe_url(url=url, host=redirect_host) + if is_url_safe: + return urllib.parse.urljoin(redirect_host, url) + else: + return redirect_host + def create_preregistration_user(email: Text, request: HttpRequest, realm_creation: bool=False, password_required: bool=True) -> HttpResponse: realm = None @@ -591,7 +599,10 @@ def dev_direct_login(request: HttpRequest, **kwargs: Any) -> HttpResponse: if user_profile is None: return HttpResponseRedirect(reverse('dev_not_supported')) do_login(request, user_profile) - return HttpResponseRedirect(user_profile.realm.uri) + + next = request.GET.get('next', '') + redirect_to = get_safe_redirect_to(next, user_profile.realm.uri) + return HttpResponseRedirect(redirect_to) @csrf_exempt @require_post
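Review bot: `is_safe_url(url=url, host=redirect_host)` is handed `user_profile.realm.uri`, which the new test shows is a full origin (`http://zulip.testserver`) rather than a bare host, so the netloc comparison inside is_safe_url can never match — a relative `next` is accepted only because it carries no netloc, and any absolute `next` on the realm's own host is silently dropped to the realm root. Parse the host out first and pass that, which is both correct and stricter: `parsed = urllib.parse.urlparse(redirect_host)`, then `is_url_safe = is_safe_url(url=url, allowed_hosts={parsed.netloc}, require_https=(parsed.scheme == 'https'))` — assuming the Django in use accepts `allowed_hosts` (the `host=` keyword is the older spelling, so check the pinned version). `require_https` additionally refuses an `http://` target on an https realm, which is_safe_url otherwise allows. The helper also has no docstring; a one-liner such as `"""Return url joined onto redirect_host when it stays on that host, else redirect_host (open-redirect guard)."""` would state the contract callers rely on.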
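Review bot: The new local `next` in dev_direct_login shadows the `next` builtin; rename it, e.g. `next_url = request.GET.get('next', '')` and `redirect_to = get_safe_redirect_to(next_url, user_profile.realm.uri)`. It also reads `request.GET` in what is (per the `@require_post` context and the test's client_post) a POST handler, which only works because the form action keeps the `?next=` query string — a short comment saying so, e.g. `# 'next' arrives in the query string of the form action, not the POST body`, would stop the next reader from "fixing" it to request.POST. dev_direct_login's signature and the start of its body lie outside this hunk.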