Luke Plant committed b2ec25b

Made secure download links redirect to login (and made it work for our login page)

  • Parent commits 4284601



File cciw/officers/

 import datetime
 import operator
+import urlparse
 from django import forms
 from django.conf import settings
 from django.contrib.admin.views.decorators import staff_member_required
+from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.decorators import user_passes_test
 from django.contrib.auth.models import User
 from django.contrib import messages
 def index(request):
     """Displays a list of links/buttons for various actions."""
+    # Handle redirects, since this page is LOGIN_URL
+    redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, '')
+    if redirect_to:
+        netloc = urlparse.urlparse(redirect_to)[1]
+        # Heavier security check -- don't allow redirection to a different
+        # host.
+        if netloc == '' or netloc == request.get_host():
+            return HttpResponseRedirect(redirect_to)
     user = request.user
     c = {}
     c['thisyear'] = common.get_thisyear()
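Review bot: The netloc-only test at L29–L32 still lets through redirect targets that browsers resolve off-site: `urlparse` returns an empty netloc for `http:evil.com`, `http:///evil.com`, `/\evil.com` and for `javascript:` URLs, so all of them pass as if they were local paths (the same gap Django later closed in `django.utils.http.is_safe_url`). A URL that carries a scheme should be accepted only when its netloc is exactly `request.get_host()` and the scheme is http/https, a `///` prefix should be rejected, and backslashes should be normalised before parsing; where the installed Django already ships `is_safe_url(redirect_to, host=request.get_host())`, prefer calling that. Separately, the redirect fires before the view looks at `request.user` at all, so an unauthenticated request to LOGIN_URL?next=… is bounced straight back to the protected resource, which (per the second file) redirects to login again; if `index` is not itself wrapped in a login-requiring decorator (none is visible, the decorator line sits above the hunk) the redirect needs an `is_authenticated()` guard. `index` continues past the end of the hunk.
```python
    redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, '')
    if redirect_to:
        # Browsers treat backslashes as slashes; validate the normalised form.
        candidate = redirect_to.replace('\\', '/')
        parts = urlparse.urlparse(candidate)
        # A bare path is fine; anything with a scheme must also name our host
        # (http:evil.com and http:///evil.com parse with an empty netloc).
        same_host = parts.netloc == request.get_host() and parts.scheme in ('', 'http', 'https')
        local_path = not parts.scheme and not parts.netloc and not candidate.startswith('///')
        if same_host or local_path:
            return HttpResponseRedirect(redirect_to)
    # … unchanged: context building …
```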

File securedownload/

 import os
 import posixpath
 import urllib
 from django.conf import settings
+from django.contrib.auth.views import redirect_to_login
 from django.http import Http404, HttpResponseRedirect, HttpResponseForbidden
 from django.utils.crypto import salted_hmac
                 raise Http404()
             return serve_secure_file(os.path.join(folder, fname))
+            user = getattr(request, 'user', None)
+            if user is not None and not user.is_authenticated():
+                # redirect to login
+                return redirect_to_login(request.get_full_path())
             return HttpResponseForbidden("<h1>Access denied</h1>")
     return view
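Review bot: The branch at L49–L52 deserves a comment on why only this path redirects to login, because the ordering is what makes it safe: the `return serve_secure_file(...)` at L48 appears to serve a link whose signature checked out without consulting the session at all, and the login redirect only applies to the fallback after that, presumably for unsigned or expired links (the conditional that separates the two is above the hunk, so this is inferred). Something like `# Signed links are served above without a session; anything that reaches here was not authorised by the token, so ask an anonymous user to log in and refuse everyone else.` would stop a later reader from "fixing" the order. Keeping `HttpResponseForbidden` for the case where `request` has no `user` (auth middleware absent) is right, and could be noted in the same comment. The enclosing `view` closure starts outside the hunk.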