
Luke Plant committed b2ec25b

Made secure download links redirect to login (and made it work for our login page)


Files changed (2)

cciw/officers/views.py

 import datetime
 import operator
+import urlparse
 
 from django import forms
 from django.conf import settings
 from django.contrib.admin.views.decorators import staff_member_required
+from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.decorators import user_passes_test
 from django.contrib.auth.models import User
 from django.contrib import messages
 @never_cache
 def index(request):
     """Displays a list of links/buttons for various actions."""
+
+    # Handle redirects, since this page is LOGIN_URL
+    redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, '')
+    if redirect_to:
+        netloc = urlparse.urlparse(redirect_to)[1]
+        # Heavier security check -- don't allow redirection to a different
+        # host.
+        if netloc == '' or netloc == request.get_host():
+            return HttpResponseRedirect(redirect_to)
+
     user = request.user
     c = {}
     c['thisyear'] = common.get_thisyear()
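Review bot: The check `if netloc == '' or netloc == request.get_host():` in `index` accepts any redirect value whose parsed netloc is empty, and an empty netloc does not guarantee a same-site path: a value with a non-HTTP scheme, or one that browsers normalise into a scheme-relative URL, also parses with no netloc and is handed to `HttpResponseRedirect`. I would additionally require the scheme to be empty, `http` or `https`, or replace the hand-rolled test with `django.utils.http.is_safe_url(redirect_to, host=request.get_host())` if the Django version in use provides it. `request.get_host()` is derived from the request's Host header, so the comparison is only as trustworthy as the host validation in front of this view, which is not visible here. The rest of `index` lies outside the hunk.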

securedownload/views.py

 import os
 import posixpath
 import urllib
+
 from django.conf import settings
+from django.contrib.auth.views import redirect_to_login
 from django.http import Http404, HttpResponseRedirect, HttpResponseForbidden
 from django.utils.crypto import salted_hmac
 
                 raise Http404()
             return serve_secure_file(os.path.join(folder, fname))
         else:
+            user = getattr(request, 'user', None)
+            if user is not None and not user.is_authenticated():
+                # redirect to login
+                return redirect_to_login(request.get_full_path())
             return HttpResponseForbidden("<h1>Access denied</h1>")
     return view
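Review bot: The comment `# redirect to login` above the `redirect_to_login(request.get_full_path())` call restates the code and leaves the two distinct outcomes of this `else` branch undocumented. I would replace it with something like `# Anonymous users are sent to log in and returned here afterwards; authenticated users who fail the access check still get the 403 below.` A second short comment on `user = getattr(request, 'user', None)` should say that a request without a `user` attribute also falls through to the 403. The enclosing view function and the access check that selects this branch start outside the hunk.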