stages/user_write: don't update session hash after password change when impersonating

Jens Langhammer 2020-10-18 22:58:05 +02:00
parent ff64182ae8
commit 1d85874f41
2 changed files with 4 additions and 1 deletions


@ -18,9 +18,9 @@ from json import dumps
import structlog import structlog
from celery.schedules import crontab from celery.schedules import crontab
from sentry_sdk import init as sentry_init from sentry_sdk import init as sentry_init
from sentry_sdk.integrations.redis import RedisIntegration
from sentry_sdk.integrations.celery import CeleryIntegration from sentry_sdk.integrations.celery import CeleryIntegration
from sentry_sdk.integrations.django import DjangoIntegration from sentry_sdk.integrations.django import DjangoIntegration
from sentry_sdk.integrations.redis import RedisIntegration
from passbook import __version__ from passbook import __version__
from passbook.core.middleware import structlog_add_request_id from passbook.core.middleware import structlog_add_request_id


@ -6,6 +6,7 @@ from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from structlog import get_logger from structlog import get_logger
from passbook.core.middleware import SESSION_IMPERSONATE_USER
from passbook.core.models import User from passbook.core.models import User
from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
from passbook.flows.stage import StageView from passbook.flows.stage import StageView
@ -41,10 +42,12 @@ class UserWriteStageView(StageView):
user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
# Before we change anything, check if the user is the same as in the request # Before we change anything, check if the user is the same as in the request
# and we're updating a password. In that case we need to update the session hash # and we're updating a password. In that case we need to update the session hash
# Also check that we're not currently impersonating, so we don't update the session
should_update_seesion = False should_update_seesion = False
if ( if (
any(["password" in x for x in data.keys()]) any(["password" in x for x in data.keys()])
and self.request.user.pk == user.pk and self.request.user.pk == user.pk
and SESSION_IMPERSONATE_USER not in self.request.session
): ):
should_update_seesion = True should_update_seesion = True
for key, value in data.items(): for key, value in data.items():
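Review bot: The comment added above `should_update_seesion` says the session is not updated while impersonating, but not why, and the reason is the security-relevant part. Presumably the session still belongs to the impersonating account, so I would spell it out, e.g. `# While impersonating, the session belongs to the impersonator, so it must not be re-hashed with the target user's new password.` The guard `SESSION_IMPERSONATE_USER not in self.request.session` tests key presence only, so it is correct only if ending impersonation deletes the key rather than blanking it. That is worth confirming in the middleware and pinning with a test, since neither changed file appears to add one. The method continues past the end of this hunk, so the actual session-hash update is not visible here.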