def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponseRedirect:
username = request.POST.get('username')
password = request.POST.get('password')
user = authenticate(username=username, password=password)
if user is None:
messages.error(request, _('No user account matches the entered credentials.'))
return redirect('common:login')
if not user.is_active:
messages.error(request, _('User account is deactivated.'))
return redirect('common:login')
login(request, user)
url = urllib.parse.unquote(request.GET.get('next', ''))
if url and is_safe_url(url, request.get_host()):
return redirect(url)
return redirect('/')
python类is_safe_url()的实例源码
def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponseRedirect:
username = request.POST.get('username')
password = request.POST.get('password')
user = authenticate(username=username, password=password)
if user is None:
messages.error(request, _('No user account matches the entered credentials.'))
return redirect('backoffice:login')
if not user.is_active:
messages.error(request, _('User account is deactivated.'))
return redirect('backoffice:login')
if not is_backoffice_user(user):
messages.error(request, _('User does not have permission to access backoffice data.'))
return redirect('backoffice:login')
login(request, user)
url = request.GET.get('next')
if url and is_safe_url(url, request.get_host()):
return redirect(url)
return redirect('backoffice:main')
def get_next_page(self):
if self.next_page is not None:
next_page = resolve_url(self.next_page)
elif settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
else:
next_page = self.next_page
if (self.redirect_field_name in self.request.POST or
self.redirect_field_name in self.request.GET):
next_page = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name)
)
url_is_safe = is_safe_url(
url=next_page,
allowed_hosts=self.get_success_url_allowed_hosts(),
require_https=self.request.is_secure(),
)
# Security check -- Ensure the user-originating redirection URL is
# safe.
if not url_is_safe:
next_page = self.request.path
return next_page
def get_next_page(self):
if self.next_page is not None:
next_page = resolve_url(self.next_page)
elif settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
else:
next_page = self.next_page
if (self.redirect_field_name in self.request.POST or
self.redirect_field_name in self.request.GET):
next_page = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name)
)
url_is_safe = is_safe_url(
url=next_page,
allowed_hosts=self.get_success_url_allowed_hosts(),
require_https=self.request.is_secure(),
)
# Security check -- Ensure the user-originating redirection URL is
# safe.
if not url_is_safe:
next_page = self.request.path
return next_page
def user_login(request):
"""
View for logging users in.
"""
redirect_to = request.POST.get(REDIRECT_FIELD_NAME, request.GET.get(REDIRECT_FIELD_NAME, ''))
login_form = AuthenticationForm(request, data=request.POST)
if login_form.is_valid():
# Ensure the user-originating redirection url is safe.
if not is_safe_url(url=REDIRECT_FIELD_NAME, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
# Okay, security check complete. Log the user in.
auth_login(request, login_form.get_user())
return redirect(settings.LOGIN_REDIRECT_URL if redirect_to == '' else redirect_to)
else:
return render(request, 'index.html', {'login_form': login_form, 'display': 'block', 'active': 'login'})
def get(self, request, *args, **kwargs):
url = request.GET.get('next', request.META.get('HTTP_REFERER', '/'))
url = url if is_safe_url(url, host=request.get_host()) else '/'
resp = HttpResponseRedirect(url)
locale = request.GET.get('locale')
if locale in [lc for lc, ll in settings.LANGUAGES]:
if request.user.is_authenticated:
request.user.locale = locale
request.user.save()
max_age = 10 * 365 * 24 * 60 * 60
resp.set_cookie(settings.LANGUAGE_COOKIE_NAME, locale, max_age=max_age,
expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime(
'%a, %d-%b-%Y %H:%M:%S GMT'),
domain=settings.SESSION_COOKIE_DOMAIN)
with override(locale):
messages.success(request, phrases.cfp.locale_change_success)
return resp
def setlang(request):
"""
Sets a user's language preference and redirects to a given URL or, by default, back to the previous page.
"""
next = request.REQUEST.get('next')
if not is_safe_url(url=next, host=request.get_host()):
next = request.META.get('HTTP_REFERER')
if not is_safe_url(url=next, host=request.get_host()):
next = '/'
response = redirect(next)
lang_code = request.REQUEST.get('language', None)
if lang_code and check_for_language(lang_code):
if hasattr(request, 'session'):
request.session[LANGUAGE_SESSION_KEY] = lang_code
else:
response.set_cookie(settings.LANGUAGE_COOKIE_NAME, lang_code,
max_age=settings.LANGUAGE_COOKIE_AGE,
path=settings.LANGUAGE_COOKIE_PATH,
domain=settings.LANGUAGE_COOKIE_DOMAIN)
return response
def get_next_page(self):
if self.next_page is not None:
next_page = resolve_url(self.next_page)
elif settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
else:
next_page = self.next_page
if (self.redirect_field_name in self.request.POST or
self.redirect_field_name in self.request.GET):
next_page = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name)
)
url_is_safe = is_safe_url(
url=next_page,
allowed_hosts=self.get_success_url_allowed_hosts(),
require_https=self.request.is_secure(),
)
# Security check -- Ensure the user-originating redirection URL is
# safe.
if not url_is_safe:
next_page = self.request.path
return next_page
def logout(request):
"""
Logout a user by removing all cookies that don't have the magic string
'persistent', and redirect to settings.LOGOUT_REDIRECT.
"""
next_param = request.GET.get('next', None)
next_url = (next_param
if next_param and is_safe_url(next_param)
else getattr(settings, 'LOGOUT_REDIRECT', None))
response = (redirect(next_url)
if next_url
else render(request, 'idbase/logout.html'))
logger.debug('Logging out {}@washington.edu and redirecting to {}'.format(
request.uwnetid, next_url))
# delete all cookies that don't contain the string 'persistent'
delete_keys = [key for key in request.COOKIES
if not re.search(r'persistent', key, re.IGNORECASE)]
for key in delete_keys:
response.delete_cookie(key)
return response
def get_next_page(self):
if self.next_page is not None:
next_page = resolve_url(self.next_page)
elif settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
else:
next_page = self.next_page
if (self.redirect_field_name in self.request.POST or
self.redirect_field_name in self.request.GET):
next_page = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name)
)
url_is_safe = is_safe_url(
url=next_page,
allowed_hosts=self.get_success_url_allowed_hosts(),
require_https=self.request.is_secure(),
)
# Security check -- Ensure the user-originating redirection URL is
# safe.
if not url_is_safe:
next_page = self.request.path
return next_page
def form_valid(self, form):
"""
This method is executed when submitted form is valid.
It redirects to ``success_url`` if no ``next`` url is provided.
Otherwise it redirects to ``next`` url.
:param form: ``forms.Form`` instance
:return: ``HttpResponse`` instance
"""
redirect_to = self.request.POST.get('next', '')
auth.login(self.request, form.user_cache)
# check if next is a valid url
if not is_safe_url(redirect_to, self.request.get_host()):
return super(WebmailLoginView, self).form_valid(form)
else:
return redirect(redirect_to)
def get_next_url(request, redirect_field_name):
"""Retrieves next url from request
Note: This verifies that the url is safe before returning it. If the url
is not safe, this returns None.
:arg HttpRequest request: the http request
:arg str redirect_field_name: the name of the field holding the next url
:returns: safe url or None
"""
next_url = request.GET.get(redirect_field_name)
if next_url:
kwargs = {
'url': next_url,
'host': request.get_host()
}
# NOTE(willkg): Django 1.11+ allows us to require https, too.
if django.VERSION >= (1, 11):
kwargs['require_https'] = request.is_secure()
is_safe = is_safe_url(**kwargs)
if is_safe:
return next_url
return None
def login(request, redirect_field_name=REDIRECT_FIELD_NAME, authentication_form=AuthenticationForm):
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
if request.method == "POST":
if request.POST.has_key('login'):
form = authentication_form(request, data=request.POST)
if form.is_valid():
if form.get_user() and form.get_user().is_active:
# Ensure the user-originating redirection url is safe.
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = resolve_url(djsettings.LOGIN_REDIRECT_URL)
auth_login(request, form.get_user())
Message.objects.create(type=u'????', user=request.user, action=u'????',
action_ip=UserIP(request), content='???? %s'%request.user)
return HttpResponseRedirect(redirect_to)
else:
Message.objects.create(type=u'????', user=request.POST.get('username'), action=u'????',
action_ip=UserIP(request), content=u'?????? %s'%request.POST.get('username'))
else:
form = authentication_form(request)
return render(request, 'registration/login.html', {'form':form, 'title':'????'})
def logout(request, next_page=None, redirect_field_name=REDIRECT_FIELD_NAME):
"""
Logs out the user and displays 'You are logged out' message.
"""
Message.objects.create(type=u'????', user=request.user, action=u'????', action_ip=UserIP(request),
content='???? %s' % request.user)
auth_logout(request)
if next_page is not None:
next_page = resolve_url(next_page)
if (redirect_field_name in request.POST or
redirect_field_name in request.GET):
next_page = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name))
# Security check -- don't allow redirection to a different host.
if not is_safe_url(url=next_page, host=request.get_host()):
next_page = request.path
if next_page:
# Redirect to this page until the session has been cleared.
return HttpResponseRedirect(next_page)
return HttpResponseRedirect('/')
def next_redirect(request, fallback, **get_kwargs):
"""
Handle the "where should I go next?" part of comment views.
The next value could be a
``?next=...`` GET arg or the URL of a given view (``fallback``). See
the view modules for examples.
Returns an ``HttpResponseRedirect``.
"""
next = request.POST.get('next')
if not is_safe_url(url=next, host=request.get_host()):
next = resolve_url(fallback)
if get_kwargs:
if '#' in next:
tmp = next.rsplit('#', 1)
next = tmp[0]
anchor = '#' + tmp[1]
else:
anchor = ''
joiner = '&' if '?' in next else '?'
next += joiner + urlencode(get_kwargs) + anchor
return HttpResponseRedirect(next)
def get_redirect_url(self, *args, **kwargs):
client = OAuth2Session(
client_id=settings.OAUTH['client_id'],
redirect_uri=settings.OAUTH['redirect_domain'] + reverse('oauth_return_view'),
scope=['view_profile'],
)
# extract next url
next_url = self.request.GET.get('next', None)
# save it to the session
if next_url and is_safe_url(next_url):
self.request.session['login_next_url'] = next_url
# the user is then redirected to the auth provider with the right parameters
url, state = client.authorization_url(settings.OAUTH['authorization_url'])
# the nonce is saved inside the session
self.request.session['oauth2_nonce'] = state
return url
def get_next_page(self):
if self.next_page is not None:
next_page = resolve_url(self.next_page)
elif settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
else:
next_page = self.next_page
if (self.redirect_field_name in self.request.POST or
self.redirect_field_name in self.request.GET):
next_page = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name)
)
url_is_safe = is_safe_url(
url=next_page,
allowed_hosts=self.get_success_url_allowed_hosts(),
require_https=self.request.is_secure(),
)
# Security check -- Ensure the user-originating redirection URL is
# safe.
if not url_is_safe:
next_page = self.request.path
return next_page
def logout(request):
auth_logout(request)
if 'next' in request.POST or 'next' in request.GET:
next_page = request.POST.get('next', request.GET.get('next'))
if not is_safe_url(url=next_page, host=request.get_host()):
return HttpResponseRedirect(request.path)
else:
return HttpResponseRedirect(next_page)
current_site = get_current_site(request)
context = {
'site': current_site,
'site_name': current_site.name,
'title': 'Logged out'
}
return TemplateResponse(request, 'logout.html', context)
def post(self, request):
form = LoginForm(request, data=request.POST)
if form.is_valid():
# Determine where to direct user after successful login
redirect_to = request.POST.get('next', '')
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = reverse('home')
# Authenticate user
auth_login(request, form.get_user())
messages.info(request, "Logged in as {}.".format(request.user))
return HttpResponseRedirect(redirect_to)
return render(request, self.template_name, {
'form': form,
})
def set_lang(request):
""" django.views.i18n.set_language() with GET """
next = request.GET.get('next', request.GET.get('next'))
if not is_safe_url(url=next, host=request.get_host()):
next = request.META.get('HTTP_REFERER')
if not is_safe_url(url=next, host=request.get_host()):
next = '/'
response = http.HttpResponseRedirect(next)
lang_code = request.GET.get('lang', None)
if lang_code and check_for_language(lang_code):
if hasattr(request, 'session'):
request.session[LANGUAGE_SESSION_KEY] = lang_code
else:
response.set_cookie(settings.LANGUAGE_COOKIE_NAME, lang_code,
max_age=settings.LANGUAGE_COOKIE_AGE,
path=settings.LANGUAGE_COOKIE_PATH,
domain=settings.LANGUAGE_COOKIE_DOMAIN)
return response
views_misc.py 文件源码
项目:money-to-prisoners-send-money
作者: ministryofjustice
项目源码
文件源码
阅读 22
收藏 0
点赞 0
评论 0
def help_view(request, page='payment-issues'):
"""
FAQ sections
@param request: the HTTP request
@param page: page slug
"""
context = {
'breadcrumbs_back': settings.START_PAGE_URL,
}
return_to = request.META.get('HTTP_REFERER') or ''
return_to_within_site = is_safe_url(url=return_to, host=request.get_host())
return_to_same_page = return_to.split('?')[0] == request.build_absolute_uri().split('?')[0]
if page != 'payment-issues' and return_to_within_site and not return_to_same_page:
context['breadcrumbs_back'] = return_to
response = render(request, 'send_money/help/%s.html' % page, context=context)
return make_response_cacheable(response)
def get_next_page(self):
if self.next_page is not None:
next_page = resolve_url(self.next_page)
elif settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
else:
next_page = self.next_page
if (self.redirect_field_name in self.request.POST or
self.redirect_field_name in self.request.GET):
next_page = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name)
)
url_is_safe = is_safe_url(
url=next_page,
allowed_hosts=self.get_success_url_allowed_hosts(),
require_https=self.request.is_secure(),
)
# Security check -- Ensure the user-originating redirection URL is
# safe.
if not url_is_safe:
next_page = self.request.path
return next_page
def post(self, request):
form = self.form_class(data=request.POST)
# NOTE: authenticate is already called internally in form.clean
if form.is_valid():
username_or_email = request.POST['username']
password = request.POST['password']
# NOTE: authenticate is already called internally in form.clean so there is no need to verify the result
user = authenticate(username=username_or_email, password=password)
login(request, user)
request.session[translation.LANGUAGE_SESSION_KEY] = user.language
redirect_to = request.POST.get('next', request.GET.get('next', reverse('landing_page:home')))
redirect_to = (redirect_to
if is_safe_url(redirect_to, request.get_host())
else reverse('landing_page:home'))
if redirect_to == "":
return HttpResponseRedirect(reverse("landing_page:home"))
else:
return HttpResponseRedirect(redirect_to)
return render(request, 'registration/login.html', {'form': form})
def login(request, template_name='registration/login.html',
redirect_field_name=REDIRECT_FIELD_NAME,
authentication_form=AuthenticationForm,
extra_context=None):
"""
Displays the login form and handles the login action.
"""
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
if request.method == "POST":
form = authentication_form(request, data=request.POST)
if form.is_valid():
# Ensure the user-originating redirection url is safe.
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
# Okay, security check complete. Log the user in.
auth_login(request, form.get_user())
return HttpResponseRedirect(redirect_to)
else:
form = authentication_form(request)
current_site = get_current_site(request)
context = {
'form': form,
redirect_field_name: redirect_to,
'site': current_site,
'site_name': current_site.name,
}
if extra_context is not None:
context.update(extra_context)
return TemplateResponse(request, template_name, context)
def logout(request, next_page=None,
template_name='registration/logged_out.html',
redirect_field_name=REDIRECT_FIELD_NAME,
extra_context=None):
"""
Logs out the user and displays 'You are logged out' message.
"""
auth_logout(request)
if next_page is not None:
next_page = resolve_url(next_page)
if (redirect_field_name in request.POST or
redirect_field_name in request.GET):
next_page = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name))
# Security check -- don't allow redirection to a different host.
if not is_safe_url(url=next_page, host=request.get_host()):
next_page = request.path
if next_page:
# Redirect to this page until the session has been cleared.
return HttpResponseRedirect(next_page)
current_site = get_current_site(request)
context = {
'site': current_site,
'site_name': current_site.name,
'title': _('Logged out')
}
if extra_context is not None:
context.update(extra_context)
return TemplateResponse(request, template_name, context)
def set_language(request):
"""
Redirect to a given url while setting the chosen language in the
session or cookie. The url and the language code need to be
specified in the request parameters.
Since this view changes how the user will see the rest of the site, it must
only be accessed as a POST request. If called as a GET request, it will
redirect to the page in the request (the 'next' parameter) without changing
any state.
"""
next = request.POST.get('next', request.GET.get('next'))
if not is_safe_url(url=next, host=request.get_host()):
next = request.META.get('HTTP_REFERER')
if not is_safe_url(url=next, host=request.get_host()):
next = '/'
response = http.HttpResponseRedirect(next)
if request.method == 'POST':
lang_code = request.POST.get(LANGUAGE_QUERY_PARAMETER)
if lang_code and check_for_language(lang_code):
next_trans = translate_url(next, lang_code)
if next_trans != next:
response = http.HttpResponseRedirect(next_trans)
if hasattr(request, 'session'):
request.session[LANGUAGE_SESSION_KEY] = lang_code
else:
response.set_cookie(settings.LANGUAGE_COOKIE_NAME, lang_code,
max_age=settings.LANGUAGE_COOKIE_AGE,
path=settings.LANGUAGE_COOKIE_PATH,
domain=settings.LANGUAGE_COOKIE_DOMAIN)
return response
def _get_login_redirect_url(request, redirect_to):
# Ensure the user-originating redirection URL is safe.
if not is_safe_url(url=redirect_to, host=request.get_host()):
return resolve_url(settings.LOGIN_REDIRECT_URL)
return redirect_to
def logout(request, next_page=None,
template_name='registration/logged_out.html',
redirect_field_name=REDIRECT_FIELD_NAME,
extra_context=None):
"""
Logs out the user and displays 'You are logged out' message.
"""
auth_logout(request)
if next_page is not None:
next_page = resolve_url(next_page)
elif settings.LOGOUT_REDIRECT_URL:
next_page = resolve_url(settings.LOGOUT_REDIRECT_URL)
if (redirect_field_name in request.POST or
redirect_field_name in request.GET):
next_page = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name))
# Security check -- don't allow redirection to a different host.
if not is_safe_url(url=next_page, host=request.get_host()):
next_page = request.path
if next_page:
# Redirect to this page until the session has been cleared.
return HttpResponseRedirect(next_page)
current_site = get_current_site(request)
context = {
'site': current_site,
'site_name': current_site.name,
'title': _('Logged out')
}
if extra_context is not None:
context.update(extra_context)
return TemplateResponse(request, template_name, context)
def _login_redirect_url(request, fallback_to=None):
redirect_to = request.POST.get('next', request.GET.get('next', ''))
if not redirect_to or not is_safe_url(url=redirect_to, host=request.get_host()):
return fallback_to or django_settings.LOGIN_REDIRECT_URL
return redirect_to
def get_success_url(self):
"""Ensure the user-originating redirection URL is safe."""
redirect_to = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name, '')
)
url_is_safe = is_safe_url(
url=redirect_to,
allowed_hosts=self.get_success_url_allowed_hosts(),
require_https=self.request.is_secure(),
)
if not url_is_safe:
return resolve_url(settings.LOGIN_REDIRECT_URL)
return redirect_to