Ensure user is redirected to login page after failed login. #6704

pull/6725/head
Yogesh Mahajan 2023-08-25 10:38:50 +05:30 committed by GitHub
parent e8283173ba
commit cd613ded0a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 11 deletions


@ -18,15 +18,15 @@ from flask import current_app, flash, Response, request, url_for, \
session, redirect, render_template session, redirect, render_template
from flask_babel import gettext from flask_babel import gettext
from flask_security.views import _security, _ctx from flask_security.views import _security, _ctx
from flask_security.utils import get_post_logout_redirect, logout_user,\ from flask_security.utils import logout_user, config_value
config_value
from flask_login import current_user from flask_login import current_user
from flask_socketio import disconnect, ConnectionRefusedError from flask_socketio import disconnect, ConnectionRefusedError
from pgadmin.model import db, User from pgadmin.model import db, User
from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
get_safe_post_logout_redirect
from pgadmin.utils.constants import KERBEROS, INTERNAL, OAUTH2, LDAP,\ from pgadmin.utils.constants import KERBEROS, INTERNAL, OAUTH2, LDAP,\
MessageType MessageType
from pgadmin.authenticate.registry import AuthSourceRegistry from pgadmin.authenticate.registry import AuthSourceRegistry
@ -135,7 +135,7 @@ def _login():
'Administrator.'), 'Administrator.'),
MessageType.WARNING) MessageType.WARNING)
logout_user() logout_user()
return redirect(get_post_logout_redirect()) return redirect(get_safe_post_logout_redirect())
# Validate the user # Validate the user
if not auth_obj.validate(): if not auth_obj.validate():
@ -161,7 +161,7 @@ def _login():
flash_login_attempt_error = None flash_login_attempt_error = None
flash(error, MessageType.WARNING) flash(error, MessageType.WARNING)
return redirect(get_post_logout_redirect()) return redirect(get_safe_post_logout_redirect())
# Authenticate the user # Authenticate the user
status, msg = auth_obj.authenticate() status, msg = auth_obj.authenticate()
@ -177,7 +177,7 @@ def _login():
'authenticate.kerberos_login'), url_for('browser.index'))) 'authenticate.kerberos_login'), url_for('browser.index')))
flash(msg, MessageType.ERROR) flash(msg, MessageType.ERROR)
return redirect(get_post_logout_redirect()) return redirect(get_safe_post_logout_redirect())
session['auth_source_manager'] = current_auth_obj session['auth_source_manager'] = current_auth_obj


@ -16,13 +16,14 @@ from flask import current_app, url_for, session, request,\
redirect, Flask, flash redirect, Flask, flash
from flask_babel import gettext from flask_babel import gettext
from flask_security import login_user, current_user from flask_security import login_user, current_user
from flask_security.utils import get_post_logout_redirect, logout_user from flask_security.utils import logout_user
from pgadmin.authenticate.internal import BaseAuthentication from pgadmin.authenticate.internal import BaseAuthentication
from pgadmin.model import User from pgadmin.model import User
from pgadmin.tools.user_management import create_user from pgadmin.tools.user_management import create_user
from pgadmin.utils.constants import OAUTH2, MessageType from pgadmin.utils.constants import OAUTH2, MessageType
from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
get_safe_post_logout_redirect
from pgadmin.utils.csrf import pgCSRFProtect from pgadmin.utils.csrf import pgCSRFProtect
from pgadmin.model import db from pgadmin.model import db
@ -69,11 +70,11 @@ def init_app(app):
@pgCSRFProtect.exempt @pgCSRFProtect.exempt
def oauth_logout(): def oauth_logout():
if not current_user.is_authenticated: if not current_user.is_authenticated:
return redirect(get_post_logout_redirect()) return redirect(get_safe_post_logout_redirect())
for key in list(session.keys()): for key in list(session.keys()):
session.pop(key) session.pop(key)
logout_user() logout_user()
return redirect(get_post_logout_redirect()) return redirect(get_safe_post_logout_redirect())
app.register_blueprint(blueprint) app.register_blueprint(blueprint)
app.login_manager.logout_view = OAUTH2_LOGOUT app.login_manager.logout_view = OAUTH2_LOGOUT


@ -17,7 +17,8 @@ from operator import attrgetter
from flask import Blueprint, current_app, url_for from flask import Blueprint, current_app, url_for
from flask_babel import gettext from flask_babel import gettext
from flask_security import current_user, login_required from flask_security import current_user, login_required
from flask_security.utils import get_post_login_redirect from flask_security.utils import get_post_login_redirect, \
get_post_logout_redirect
from threading import Lock from threading import Lock
from .paths import get_storage_directory from .paths import get_storage_directory
@ -898,3 +899,16 @@ def get_safe_post_login_redirect():
return url return url
return url_for('browser.index') return url_for('browser.index')
def get_safe_post_logout_redirect():
allow_list = [
url_for('security.login')
]
if "SCRIPT_NAME" in os.environ and os.environ["SCRIPT_NAME"]:
allow_list.append(os.environ["SCRIPT_NAME"])
url = get_post_logout_redirect()
for item in allow_list:
if url.startswith(item):
return url
return url_for('security.login')
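Review bot: The allow-list test in `get_safe_post_logout_redirect` is a bare prefix match (`url.startswith(item)`), so when `SCRIPT_NAME` is configured as `/` every string starting with a slash is accepted, including protocol-relative targets of the form `//host/...`, which reintroduces the redirect the function is meant to prevent; against the `security.login` entry, any longer path sharing that prefix passes as well. Parse the value first and only keep it when it carries no scheme and no network location (and no backslash, which some browsers normalise to a slash), then apply the prefix test; `urlsplit` is standard library (`from urllib.parse import urlsplit`, added to the import block at the top of the file, which lies outside this hunk). The function also has no docstring; a one-liner such as `"""Return the post-logout redirect when it stays within this app, else the login URL."""` would do. `get_safe_post_login_redirect`, whose tail is the context at the top of the hunk, appears to follow the same pattern and would need the same hardening if so.
```python
def get_safe_post_logout_redirect():
    """Return the post-logout redirect when it stays within this app, else the login URL."""
    # … unchanged: allow_list construction …
    url = get_post_logout_redirect()
    parts = urlsplit(url or '')
    # Only a same-origin path is acceptable: no scheme, no host, no backslash tricks.
    if not url or parts.scheme or parts.netloc or '\\' in url:
        return url_for('security.login')
    for item in allow_list:
        if url.startswith(item):
            return url
    return url_for('security.login')
```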