Improve access control for saml

2019-03-08 21:30:16 +01:00 · 2019-03-08 21:30:16 +01:00 · c313b496aa
parent a7eaa74191
commit c313b496aa
2 changed files with 12 additions and 3 deletions
--- a/passbook/saml_idp/templates/saml/idp/login.html
+++ b/passbook/saml_idp/templates/saml/idp/login.html
@ -18,7 +18,7 @@
    <input type="hidden" name="SAMLResponse" value="{{ saml_response }}" />
    <div class="login-group">
        <h3>
-            {% blocktrans with remote=remote.name %}
+            {% blocktrans with remote=remote.application.name %}
            You're about to sign into {{ remote }}
            {% endblocktrans %}
        </h3>
--- a/passbook/saml_idp/views.py
+++ b/passbook/saml_idp/views.py
@ -12,6 +12,7 @@ from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from signxml.util import strip_pem_header
+from django.utils.translation import gettext as _

 from passbook.audit.models import AuditEntry
 from passbook.core.models import Application
@ -110,8 +111,12 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
    def get(self, request, application):
        """Handle get request, i.e. render form"""
        LOGGER.debug("Request: %s", request)
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application")
+            })
        # Check if user has access
-        if self.provider.application.skip_authorization and self._has_access():
+        if self.provider.application.skip_authorization:
            ctx = self.provider.processor.generate_response()
            # Log Application Authorization
            AuditEntry.create(
@ -133,8 +138,12 @@ class LoginProcessView(ProviderMixin, LoginRequiredMixin, View):
    def post(self, request, application):
        """Handle post request, return back to ACS"""
        LOGGER.debug("Request: %s", request)
+        if not self._has_access():
+            return render(request, 'login/denied.html', {
+                'title': _("You don't have access to this application")
+            })
        # Check if user has access
-        if request.POST.get('ACSUrl', None) and self._has_access():
+        if request.POST.get('ACSUrl', None):
            # User accepted request
            AuditEntry.create(
                action=AuditEntry.ACTION_AUTHORIZE_APPLICATION,