diff --git a/adminlte2_pdq/constants.py b/adminlte2_pdq/constants.py index 97f69caaea0cdffe9a87a11313dd9883e544260a..0ce52a2fcaf024074fee6801beaf87e16ca8b5d7 100644 --- a/adminlte2_pdq/constants.py +++ b/adminlte2_pdq/constants.py @@ -10,9 +10,12 @@ PWD_RESET_CONFIRM_ROUTE = getattr(settings, 'PWD_RESET_CONFIRM_ROUTE', 'password PWD_RESET_COMPLETE_ROUTE = getattr(settings, 'PWD_RESET_COMPLETE_ROUTE', 'password_reset_complete') REGISTER_ROUTE = getattr(settings, 'REGISTER_ROUTE', 'adminlte2_pdq:register') MEDIA_ROUTE = getattr(settings, 'MEDIA_URL', '/media/') +WEBSOCKET_ROUTE = getattr(settings, 'WEBSOCKET_URL', '/ws/') # Known routes that should never have a permission check done. HOME_ROUTE = getattr(settings, 'ADMINLTE2_HOME_ROUTE', 'adminlte2_pdq:home') +PWD_CHANGE = getattr(settings, 'PWD_CHANGE', 'password_change') +PWD_CHANGE_DONE = getattr(settings, 'PWD_CHANGE_DONE', 'password_change_done') # List of known routes that should never require being logged in. LOGIN_EXEMPT_WHITELIST = [ @@ -27,6 +30,8 @@ LOGIN_EXEMPT_WHITELIST = [ # List of known routes that should never require permissions to access. STRICT_POLICY_WHITELIST = [ HOME_ROUTE, + PWD_CHANGE, + PWD_CHANGE_DONE, ] + LOGIN_EXEMPT_WHITELIST # Add any user defined list of exempt urls to the constant. diff --git a/adminlte2_pdq/middleware.py b/adminlte2_pdq/middleware.py index 7655aa372dddd1a69fcb8d1aee247a3835575b3b..69eeb7bbb6f563e5461bb4fd1a3b23738fb8b553 100644 --- a/adminlte2_pdq/middleware.py +++ b/adminlte2_pdq/middleware.py @@ -17,6 +17,7 @@ from .constants import ( LOGIN_URL, HOME_ROUTE, MEDIA_ROUTE, + WEBSOCKET_ROUTE, ) class AuthMiddleware: @@ -88,6 +89,7 @@ class AuthMiddleware: or path in LOGIN_EXEMPT_WHITELIST or self.login_required_hook(request) or self.verify_media_route(path) + or self.verify_websocket_route(path) ) @@ -131,6 +133,7 @@ class AuthMiddleware: or path in STRICT_POLICY_WHITELIST or app_name == 'admin' or self.verify_media_route(path) + or self.verify_websocket_route(path) or self.verify_redirect_route(view_class) ): exempt = True @@ -178,6 +181,13 @@ class AuthMiddleware: return_val = path.startswith(MEDIA_ROUTE) return return_val + def verify_websocket_route(self, path): + """Verify that the path of the request is not a WEBSOCKET URL""" + return_val = False + if WEBSOCKET_ROUTE and WEBSOCKET_ROUTE != '/': + return_val = path.startswith(WEBSOCKET_ROUTE) + return return_val + def verify_redirect_route(self, view_class): """Verify that the view class is a RedirectView""" return view_class and view_class == RedirectView diff --git a/tests/test_middleware.py b/tests/test_middleware.py index cad6a4a5a657b10481fc7b28826b56b04a7c1c70..7554dbfe2a426a1607ce60a735131c2db4333b59 100644 --- a/tests/test_middleware.py +++ b/tests/test_middleware.py @@ -340,6 +340,18 @@ class MiddlewareTestCase(TestCase): self.assertEqual(response.status_code, 200) self.assertContains(response, "<h1>Demo CSS</h1>") + @patch('adminlte2_pdq.middleware.LOGIN_REQUIRED', True) + @patch('adminlte2_pdq.middleware.STRICT_POLICY', True) + @patch('adminlte2_pdq.middleware.WEBSOCKET_ROUTE', '/demo-css/') # Pretend the demo-css route is a websocket file. + def test_middleware_allows_when_websocket_url_defined_login_on_strict_on_login_wl_on_strict_wl_on(self): + """test_middleware_allows_when_websocket_url_defined_login_on_strict_on_login_wl_on_strict_wl_on""" + response = self.client.get( + reverse('adminlte2_pdq:demo-css'), + follow=True + ) + self.assertEqual(response.status_code, 200) + self.assertContains(response, "<h1>Demo CSS</h1>") + # ************************************************************************** # Logged In User - All Perms - Staff Status - Can see Admin page. # **************************************************************************