From d1c5ff4019f2a3d67a9bb7ba7309957ee61d8deb Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Wed, 22 Jun 2016 12:46:18 +0200
Subject: [PATCH] Use session to transmist username/ticket from fedeare view to login view

Hence, these parameter are not recorder in the user history, and thus the user username do not apear anymore in the history. This respect more the user privacy.
---
 cas_server/federate.py | 1 -
 cas_server/views.py | 22 +++++++++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/cas_server/federate.py b/cas_server/federate.py
index 682f35b..64fa96b 100644
--- a/cas_server/federate.py
+++ b/cas_server/federate.py
@@ -29,7 +29,6 @@ class CASFederateValidateUser(object):
 service_url=service_url,
 version=version,
 server_url=server_url,
- extra_login_params={"provider": provider},
 renew=False,
 )
 
diff --git a/cas_server/views.py b/cas_server/views.py
index 0c2dc73..eb0f2d3 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -215,8 +215,9 @@ class FederateAuth(View):
 else:
 ticket = request.GET['ticket']
 if auth.verify_ticket(ticket):
- params = utils.copy_params(request.GET)
- params['username'] = "%s@%s" % (auth.username, auth.provider)
+ params = utils.copy_params(request.GET, ignore={"ticket"})
+ request.session["federate_username"] = "%s@%s" % (auth.username, auth.provider)
+ request.session["federate_ticket"] = ticket
 url = utils.reverse_params("cas_server:login", params)
 return HttpResponseRedirect(url)
 else:
@@ -242,6 +243,10 @@ class LoginView(View, LogoutMixin):
 renewed = False
 warned = False
 
+ if settings.CAS_FEDERATE:
+ username = None
+ ticket = None
+
 INVALID_LOGIN_TICKET = 1
 USER_LOGIN_OK = 2
 USER_LOGIN_FAILURE = 3
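Review bot: The two new `request.session[...]` assignments in the `@@ -215` hunk carry the whole point of the commit but leave no trace of why the identity now travels through the session instead of the redirect URL; a comment at that spot would keep the intent visible: `# Hand username/ticket to the login view via the session, not the query string, so they are not recorded in the browser history`. It is also worth stating in the same comment that `ticket` has already passed `auth.verify_ticket(ticket)` when it is stored, since the login view presumably treats the session value as already verified. The enclosing method of this hunk starts and ends outside the hunk.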
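Review bot: In the `@@ -242` hunk the class attributes `username` and `ticket` are declared only inside `if settings.CAS_FEDERATE:`, so whether `LoginView` has these attributes at all depends on import-time configuration, while every neighbouring attribute (`renewed`, `warned`, the status constants) is unconditional. Declaring them unconditionally, `username = None` and `ticket = None`, is simpler and removes any AttributeError path should code touch them with federation disabled. A short comment naming their role would also help, e.g. `# Federated identity handed over by FederateAuth through the session; consumed per request`.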
@@ -307,7 +312,10 @@ class LoginView(View, LogoutMixin):
 )
 self.user.save()
 elif ret == self.USER_LOGIN_FAILURE: # bad user login
- self.ticket = None
+ if settings.CAS_FEDERATE:
+ self.ticket = None
+ self.usernalme = None
+ self.init_form()
 self.logout()
 elif ret == self.USER_ALREADY_LOGGED:
 pass
@@ -353,8 +361,12 @@ class LoginView(View, LogoutMixin):
 self.ajax = 'HTTP_X_AJAX' in request.META
 self.warn = request.GET.get('warn')
 if settings.CAS_FEDERATE:
- self.username = request.GET.get('username')
- self.ticket = request.GET.get('ticket')
+ self.username = request.session.get("federate_username")
+ self.ticket = request.session.get("federate_ticket")
+ if self.username:
+ del request.session["federate_username"]
+ if self.ticket:
+ del request.session["federate_ticket"]
 
 def get(self, request, *args, **kwargs):
 """methode called on GET request on this view"""
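Review bot: `self.usernalme = None` in the `USER_LOGIN_FAILURE` branch of the `@@ -307` hunk is a typo for `self.username`, so after a failed federated login the stale federated username is never cleared and a stray `usernalme` attribute is created instead; it should read `self.username = None`. Note also that the old code reset `self.ticket` unconditionally while the new code does so only under `settings.CAS_FEDERATE`, which is consistent with the conditional class attributes but is a behaviour change worth a one-line comment, e.g. `# Drop the federated identity so a retry starts clean`. The enclosing method starts and ends outside the hunk.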
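Review bot: In the `@@ -353` hunk the get-then-del pairs can be collapsed into `self.username = request.session.pop("federate_username", None)` and `self.ticket = request.session.pop("federate_ticket", None)`, which clears the key in one step and also when the stored value is falsy (the `if self.username:` guard leaves an empty string in the session). Because the ticket now arrives via the session rather than the URL, it is consumed by whichever request reaches this view first and otherwise stays in the session for its lifetime, so a comment stating the one-shot contract would help: `# One-shot handover from FederateAuth: read and clear in the same request`. The enclosing method starts outside the hunk.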