diff --git a/web/pgadmin/authenticate/__init__.py b/web/pgadmin/authenticate/__init__.py
index cc7c6e8d2..32004f7a7 100644
--- a/web/pgadmin/authenticate/__init__.py
+++ b/web/pgadmin/authenticate/__init__.py
@@ -18,15 +18,15 @@ from flask import current_app, flash, Response, request, url_for, \
 session, redirect, render_template
 from flask_babel import gettext
 from flask_security.views import _security, _ctx
-from flask_security.utils import get_post_logout_redirect, logout_user,\
- config_value
+from flask_security.utils import logout_user, config_value
 from flask_login import current_user
 from flask_socketio import disconnect, ConnectionRefusedError
 from pgadmin.model import db, User
-from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect
+from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
+ get_safe_post_logout_redirect
 from pgadmin.utils.constants import KERBEROS, INTERNAL, OAUTH2, LDAP,\
 MessageType
 from pgadmin.authenticate.registry import AuthSourceRegistry
@@ -135,7 +135,7 @@ def _login():
 'Administrator.'), MessageType.WARNING)
 logout_user()
- return redirect(get_post_logout_redirect())
+ return redirect(get_safe_post_logout_redirect())
 # Validate the user
 if not auth_obj.validate():
@@ -161,7 +161,7 @@ def _login():
 flash_login_attempt_error = None
 flash(error, MessageType.WARNING)
- return redirect(get_post_logout_redirect())
+ return redirect(get_safe_post_logout_redirect())
 # Authenticate the user
 status, msg = auth_obj.authenticate()
@@ -177,7 +177,7 @@ def _login():
 'authenticate.kerberos_login'), url_for('browser.index')))
 flash(msg, MessageType.ERROR)
- return redirect(get_post_logout_redirect())
+ return redirect(get_safe_post_logout_redirect())
 session['auth_source_manager'] = current_auth_obj
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index e3a8faac3..c74e0ac54 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -16,13 +16,14 @@ from flask import current_app, url_for, session, request,\
 redirect, Flask, flash
 from flask_babel import gettext
 from flask_security import login_user, current_user
-from flask_security.utils import get_post_logout_redirect, logout_user
+from flask_security.utils import logout_user
 from pgadmin.authenticate.internal import BaseAuthentication
 from pgadmin.model import User
 from pgadmin.tools.user_management import create_user
 from pgadmin.utils.constants import OAUTH2, MessageType
-from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect
+from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
+ get_safe_post_logout_redirect
 from pgadmin.utils.csrf import pgCSRFProtect
 from pgadmin.model import db
@@ -69,11 +70,11 @@ def init_app(app):
 @pgCSRFProtect.exempt
 def oauth_logout():
 if not current_user.is_authenticated:
- return redirect(get_post_logout_redirect())
+ return redirect(get_safe_post_logout_redirect())
 for key in list(session.keys()):
 session.pop(key)
 logout_user()
- return redirect(get_post_logout_redirect())
+ return redirect(get_safe_post_logout_redirect())
 app.register_blueprint(blueprint)
 app.login_manager.logout_view = OAUTH2_LOGOUT
diff --git a/web/pgadmin/utils/__init__.py b/web/pgadmin/utils/__init__.py
index af2a29d89..0d27fee6b 100644
--- a/web/pgadmin/utils/__init__.py
+++ b/web/pgadmin/utils/__init__.py
@@ -17,7 +17,8 @@ from operator import attrgetter
 from flask import Blueprint, current_app, url_for
 from flask_babel import gettext
 from flask_security import current_user, login_required
-from flask_security.utils import get_post_login_redirect
+from flask_security.utils import get_post_login_redirect, \
+ get_post_logout_redirect
 from threading import Lock
 from .paths import get_storage_directory
@@ -898,3 +899,16 @@ def get_safe_post_login_redirect():
 return url
 return url_for('browser.index')
+
+
+def get_safe_post_logout_redirect():
+ allow_list = [
+ url_for('security.login')
+ ]
+ if "SCRIPT_NAME" in os.environ and os.environ["SCRIPT_NAME"]:
+ allow_list.append(os.environ["SCRIPT_NAME"])
+ url = get_post_logout_redirect()
+ for item in allow_list:
+ if url.startswith(item):
+ return url
+ return url_for('security.login')
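Review bot: The `url.startswith(item)` test in the new `get_safe_post_logout_redirect` is a plain string-prefix match, so any allow-list entry that collapses to a bare `/` — for instance a deployment that exports `SCRIPT_NAME=/` — would accept scheme-relative targets (`//host/...`, or the backslash spelling browsers normalise the same way) and reopen the off-site redirect this helper is meant to close. Parsing the candidate with `urlsplit`, rejecting any scheme, netloc or backslash before the prefix test, and then matching the prefix at a path-segment boundary closes that gap; the rewrite below needs `urlsplit` from `urllib.parse` imported at the top of `utils/__init__.py` and relies on `os` already being imported there, both outside the hunk. The function also has no docstring; a summary stating that it returns Flask-Security's post-logout target only when it is an on-site path under the login view or `SCRIPT_NAME`, and otherwise falls back to `url_for('security.login')`, would document the contract. If `get_safe_post_login_redirect`, whose body ends just above this hunk, uses the same `startswith` check, the same hardening applies there.
```python
def get_safe_post_logout_redirect():
    """Return the post-logout redirect only if it is an on-site path under an allowed prefix."""
    allow_list = [url_for('security.login')]
    if os.environ.get("SCRIPT_NAME"):
        allow_list.append(os.environ["SCRIPT_NAME"])
    url = get_post_logout_redirect()
    parts = urlsplit(url)
    # Refuse absolute and scheme-relative targets before any prefix test;
    # a bare "/" allow-list entry would otherwise let "//host/..." through.
    if parts.scheme or parts.netloc or "\\" in url:
        return url_for('security.login')
    for item in allow_list:
        prefix = item.rstrip('/')
        # Match whole path segments so "/login" does not also admit "/loginX".
        if parts.path == prefix or parts.path.startswith(prefix + '/'):
            return url
    return url_for('security.login')
```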