From 48055d1cfd6de28830bd436c530a4217ebf7dc57 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 27 Feb 2019 11:20:52 +0100
Subject: [PATCH] fix CSRF Bug in SAML

---
 passbook/saml_idp/views.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/passbook/saml_idp/views.py b/passbook/saml_idp/views.py
index 20cf133a1..4999e28d9 100644
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@@ -5,6 +5,8 @@ from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_exempt
 from django.http import HttpResponse, HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect, render, reverse
 from django.utils.datastructures import MultiValueDictKeyError
@@ -54,10 +56,11 @@ class ProviderMixin:
         return self._provider
 
 
-class LoginBeginView(CSRFExemptMixin, View):
+class LoginBeginView(View):
     """Receives a SAML 2.0 AuthnRequest from a Service Provider and
     stores it in the session prior to enforcing login."""
 
+    @method_decorator(csrf_exempt)
     def dispatch(self, request, application):
         if request.method == 'POST':
             source = request.POST
@@ -71,9 +74,9 @@ class LoginBeginView(CSRFExemptMixin, View):
             return HttpResponseBadRequest('the SAML request payload is missing')
         request.session['RelayState'] = source.get('RelayState', '')
-        return redirect(reverse('passbook_saml_idp:saml_login_process'), kwargs={
+        return redirect(reverse('passbook_saml_idp:saml_login_process', kwargs={
             'application': application
-        })
+        }))
 
 
 class RedirectToSPView(View):
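Review bot: The two new imports in the first hunk are inserted between `django.core.validators` and `django.http`, which breaks the alphabetical order the surrounding `django.*` lines follow. Moving `from django.utils.decorators import method_decorator` next to the existing `django.utils.datastructures` import and `from django.views.decorators.csrf import csrf_exempt` after the `django.shortcuts` line keeps the group sorted. This is style only; nothing functional depends on it.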
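Review bot: The `@method_decorator(csrf_exempt)` on `dispatch` in the second hunk removes Django's CSRF protection for this whole view without a comment saying why that is acceptable; a reader auditing the endpoint later has to reconstruct the reasoning. I would add above the decorator `# SP-initiated SAML login arrives as a cross-site POST that cannot carry our CSRF token; this view only stores the request in the session and redirects, so the exemption is deliberate.` Because the check is gone, any origin can now prime a session with a SAMLRequest/RelayState pair, so the issuer and signature validation of the stored AuthnRequest must happen where those session values are consumed, which is outside this hunk and worth confirming. The commit also drops `CSRFExemptMixin` from the base list; if the mixin is still defined or imported elsewhere in the module it is presumably unused now and can be removed. The body of `dispatch` continues past the end of the hunk.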
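Review bot: The corrected `redirect(reverse('passbook_saml_idp:saml_login_process', kwargs={...}))` in the third hunk is right but longer than it needs to be, since `redirect` resolves a view name itself: `return redirect('passbook_saml_idp:saml_login_process', application=application)` does the same in one line and removes the nested call that caused the original misplaced-parenthesis bug. The `RelayState` stored on the line above is taken from the request verbatim; if it is later echoed into the SAML response form, a short comment noting that it is treated as an opaque value and must not be rendered unescaped would help the next reader. `dispatch` starts before this hunk.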
@@ -99,7 +102,7 @@ class LoginProcessView(ProviderMixin, View):
         # Check if user has access
         access = True # TODO: Check access here
-        if self.provider.skip_authorization and access:
+        if self.provider.application.skip_authorization and access:
             ctx = self.provider.processor.generate_response()
             # TODO: AuditLog Skipped Authz
             return RedirectToSPView.as_view()(