Use session to transmist username/ticket from fedeare view to login view

Hence, these parameter are not recorder in the user history, and thus the user username do not apear anymore in the history. This respect more the user privacy.
2016-06-22 12:46:18 +02:00 · 2016-06-22 12:46:18 +02:00 · d1c5ff4019
parent 8ddf06b82a
commit d1c5ff4019
2 changed files with 17 additions and 6 deletions
--- a/cas_server/federate.py
+++ b/cas_server/federate.py
@ -29,7 +29,6 @@ class CASFederateValidateUser(object):
                service_url=service_url,
                version=version,
                server_url=server_url,
-                extra_login_params={"provider": provider},
                renew=False,
            )

--- a/cas_server/views.py
+++ b/cas_server/views.py
@ -215,8 +215,9 @@ class FederateAuth(View):
        else:
            ticket = request.GET['ticket']
            if auth.verify_ticket(ticket):
-                params = utils.copy_params(request.GET)
-                params['username'] = "%s@%s" % (auth.username, auth.provider)
+                params = utils.copy_params(request.GET, ignore={"ticket"})
+                request.session["federate_username"] = "%s@%s" % (auth.username, auth.provider)
+                request.session["federate_ticket"] = ticket
                url = utils.reverse_params("cas_server:login", params)
                return HttpResponseRedirect(url)
            else:
@ -242,6 +243,10 @@ class LoginView(View, LogoutMixin):
    renewed = False
    warned = False

+    if settings.CAS_FEDERATE:
+        username = None
+        ticket = None
+
    INVALID_LOGIN_TICKET = 1
    USER_LOGIN_OK = 2
    USER_LOGIN_FAILURE = 3
@ -307,7 +312,10 @@ class LoginView(View, LogoutMixin):
                )
                self.user.save()
        elif ret == self.USER_LOGIN_FAILURE:  # bad user login
-            self.ticket = None
+            if settings.CAS_FEDERATE:
+                self.ticket = None
+                self.usernalme = None
+                self.init_form()
            self.logout()
        elif ret == self.USER_ALREADY_LOGGED:
            pass
@ -353,8 +361,12 @@ class LoginView(View, LogoutMixin):
        self.ajax = 'HTTP_X_AJAX' in request.META
        self.warn = request.GET.get('warn')
        if settings.CAS_FEDERATE:
-            self.username = request.GET.get('username')
-            self.ticket = request.GET.get('ticket')
+            self.username = request.session.get("federate_username")
+            self.ticket = request.session.get("federate_ticket")
+            if self.username:
+                del request.session["federate_username"]
+            if self.ticket:
+                del request.session["federate_ticket"]

    def get(self, request, *args, **kwargs):
        """methode called on GET request on this view"""