Improve access control for saml
This commit is contained in:
Jens Langhammer
parent
a7eaa74191
commit
c313b496aa
|
|
@ -18,7 +18,7 @@
|
||||||
<input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
|
<input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
|
||||||
<div class="login-group">
|
<div class="login-group">
|
||||||
<h3>
|
<h3>
|
||||||
{% blocktrans with remote=remote.name %}
|
{% blocktrans with remote=remote.application.name %}
|
||||||
You're about to sign into {{ remote }}
|
You're about to sign into {{ remote }}
|
||||||
{% endblocktrans %}
|
{% endblocktrans %}
|
||||||
</h3>
|
</h3>
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,7 @@ from django.utils.decorators import method_decorator
|
||||||
from django.views import View
|
from django.views import View
|
||||||
from django.views.decorators.csrf import csrf_exempt
|
from django.views.decorators.csrf import csrf_exempt
|
||||||
from signxml.util import strip_pem_header
|
from signxml.util import strip_pem_header
|
||||||
|
from django.utils.translation import gettext as _
|
||||||
|
|
||||||
from passbook.audit.models import AuditEntry
|
from passbook.audit.models import AuditEntry
|
||||||
from passbook.core.models import Application
|
from passbook.core.models import Application
|
||||||
|
|
@ -110,8 +111,12 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
|
||||||
def get(self, request, application):
|
def get(self, request, application):
|
||||||
"""Handle get request, i.e. render form"""
|
"""Handle get request, i.e. render form"""
|
||||||
LOGGER.debug("Request: %s", request)
|
LOGGER.debug("Request: %s", request)
|
||||||
|
if not self._has_access():
|
||||||
|
return render(request, 'login/denied.html', {
|
||||||
|
'title': _("You don't have access to this application")
|
||||||
|
})
|
||||||
# Check if user has access
|
# Check if user has access
|
||||||
if self.provider.application.skip_authorization and self._has_access():
|
if self.provider.application.skip_authorization:
|
||||||
ctx = self.provider.processor.generate_response()
|
ctx = self.provider.processor.generate_response()
|
||||||
# Log Application Authorization
|
# Log Application Authorization
|
||||||
AuditEntry.create(
|
AuditEntry.create(
|
||||||
|
|
@ -133,8 +138,12 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
|
||||||
def post(self, request, application):
|
def post(self, request, application):
|
||||||
"""Handle post request, return back to ACS"""
|
"""Handle post request, return back to ACS"""
|
||||||
LOGGER.debug("Request: %s", request)
|
LOGGER.debug("Request: %s", request)
|
||||||
|
if not self._has_access():
|
||||||
|
return render(request, 'login/denied.html', {
|
||||||
|
'title': _("You don't have access to this application")
|
||||||
|
})
|
||||||
# Check if user has access
|
# Check if user has access
|
||||||
if request.POST.get('ACSUrl', None) and self._has_access():
|
if request.POST.get('ACSUrl', None):
|
||||||
# User accepted request
|
# User accepted request
|
||||||
AuditEntry.create(
|
AuditEntry.create(
|
||||||
action=AuditEntry.ACTION_AUTHORIZE_APPLICATION,
|
action=AuditEntry.ACTION_AUTHORIZE_APPLICATION,
|
||||||
|
|
|
||||||
Reference in New Issue