Opened 7 years ago

Closed 7 years ago

#6310 closed (duplicate)

@permission_required / _CheckLogin attempt to authenticate authenticated users rather than saying permission denied.

Reported by: greencm
Owned by: nobody
Component: Contrib apps
Version: master
Severity:
Keywords: auth cas
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

In developing django_cas, I would like it to be a drop-in augmentation for contrib.auth. CAS is essentially designed to have a separate server provide SSO for authentication data rather than checking a local password store.

The code we currently have works great for everything but the default contrib.auth.decorators.

@permission_required is essentially two checks:

1) Check they are authenticated
2) Check they have the right permissions

If this fails, direct the user to the login page.

In the CAS world (and presumably other similar architectures), directing the user back to the login url pushes them to the SSO server, the login server says the user is authenticated, directs them back to the original url (decorated by @permission_required), and then back to the SSO server in an infinite loop.

I would like to change the semantics of _CheckLogin to redirect only unauthenticated users to the login page and provide an HttpResponseForbidden error otherwise.
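The redirect loop described above and the proposed change to it, as an added example that is not code from the ticket, its patch or Django itself: a stand-alone re-implementation of the current and the proposed _CheckLogin semantics with a minimal fake user and request, so it runs without Django. The login URL, the permission name and the SSO round-trip model (the login server re-authenticates the same user and sends them back to `next`) are assumptions.

```python
from collections import namedtuple

LOGIN_URL = "/accounts/login/"  # assumed login URL, not taken from the ticket
Request = namedtuple("Request", "path user")

class User:
    """Minimal stand-in for the django.contrib.auth user object."""
    def __init__(self, authenticated, perms=()):
        self.authenticated, self.perms = authenticated, set(perms)
    def is_authenticated(self):
        return self.authenticated
    def has_perm(self, perm):
        return perm in self.perms

def redirect_to_login(path):
    return (302, LOGIN_URL + "?next=" + path)

def permission_required_original(perm):
    """Current _CheckLogin semantics: any failed check redirects to login."""
    def decorator(view):
        def wrapped(request):
            if request.user.is_authenticated() and request.user.has_perm(perm):
                return view(request)
            return redirect_to_login(request.path)
        return wrapped
    return decorator

def permission_required_patched(perm):
    """Proposed semantics: redirect only unauthenticated users; an authenticated
    user without the permission gets 403 instead of being bounced to login."""
    def decorator(view):
        def wrapped(request):
            if not request.user.is_authenticated():
                return redirect_to_login(request.path)
            if not request.user.has_perm(perm):
                return (403, "Forbidden")
            return view(request)
        return wrapped
    return decorator

def sso_round_trips(decorator, user, max_hops=5):
    """Model the CAS exchange: each 302 to the login URL is answered by the SSO
    server, which authenticates the same user (permissions unchanged) and
    sends them back to 'next'. Returns the status codes seen at the view."""
    view = decorator("app.view_limited")(lambda request: (200, "OK"))
    codes = []
    for _ in range(max_hops):
        status, _body = view(Request("/limited_access/", user))
        codes.append(status)
        if status != 302:
            break  # 200 or 403 ends the exchange; only a 302 goes round again
        user = User(True, user.perms)  # SSO server logs them in, perms unchanged
    return codes
```

With the original decorator an authenticated user lacking the permission produces a 302 on every hop until `max_hops` is reached, which is the loop the ticket describes; the patched decorator ends the exchange with a 403 on the first hop, while a genuinely unauthenticated user still gets exactly one redirect.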

Attachments (1)

contrib_auth_decorators.patch (1.7 KB) - added by greencm 7 years ago.
patch to replace implement desired behavior


Change History (5)

Changed 7 years ago by greencm

patch to replace implement desired behavior

comment:1 Changed 7 years ago by greencm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Just as a note:

from django.test import TestCase

class LimitedAccessTest(TestCase):
    def test_no_permission_is_forbidden(self):
        # log in as a user who is authenticated but lacks the required permission
        self.client.login(username='not_allowed', password='password')
        response = self.client.get('/limited_access/')
        # no permission: with the patch we expect 403 rather than a redirect to the login page
        self.failUnlessEqual(response.status_code, 403, "Must need to install contrib.auth patch?")
        # the status_code will be 302 redirect in the traditional setup.

comment:2 Changed 7 years ago by Simon Greenhill <dev@…>

  • Triage Stage changed from Unreviewed to Design decision needed

Hi, can you raise this issue on django-developers?

comment:3 Changed 7 years ago by Matthijs Kooijman <matthijs@…>

This seems to be the same issue as #4617.

comment:4 Changed 7 years ago by SmileyChris

  • Resolution set to duplicate
  • Status changed from new to closed

Yep, marking as dupe
