External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-27 07:56:06 -03:30
Code Issues Packages Projects Releases Wiki Activity

make current_user ck secure and httponly

Browse Source
This commit is contained in:
adamscmRH
2018-11-20 10:13:53 -05:00
parent d7a28dcea4
commit 05d988349c
3 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
awx/api/generics.py
View File

@@ -92,8 +92,7 @@ class LoggedLoginView(auth_views.LoginView):
current_user = UserSerializer(self.request.user) current_user = UserSerializer(self.request.user)
current_user = JSONRenderer().render(current_user.data) current_user = JSONRenderer().render(current_user.data)
current_user = urllib.quote('%s' % current_user, '') current_user = urllib.quote('%s' % current_user, '')
ret.set_cookie('current_user', current_user) ret.set_cookie('current_user', current_user, secure=settings.SESSION_COOKIE_SECURE or None)
return ret return ret
else: else:
ret.status_code = 401 ret.status_code = 401

3
awx/sso/views.py
View File

@@ -13,6 +13,7 @@ from django.views.generic.base import RedirectView
from django.utils.encoding import smart_text from django.utils.encoding import smart_text
from awx.api.serializers import UserSerializer from awx.api.serializers import UserSerializer
from rest_framework.renderers import JSONRenderer from rest_framework.renderers import JSONRenderer
from django.conf import settings
logger = logging.getLogger('awx.sso.views') logger = logging.getLogger('awx.sso.views')
@@ -45,7 +46,7 @@ class CompleteView(BaseRedirectView):
current_user = UserSerializer(self.request.user) current_user = UserSerializer(self.request.user)
current_user = JSONRenderer().render(current_user.data) current_user = JSONRenderer().render(current_user.data)
current_user = urllib.quote('%s' % current_user, '') current_user = urllib.quote('%s' % current_user, '')
response.set_cookie('current_user', current_user) response.set_cookie('current_user', current_user, secure=settings.SESSION_COOKIE_SECURE or None)
return response return response

10
awx/ui/client/src/login/authenticationServices/authentication.service.js
View File

@@ -16,9 +16,9 @@
export default export default
['$http', '$rootScope', '$cookies', 'GetBasePath', 'Store', '$q', ['$http', '$rootScope', '$cookies', 'GetBasePath', 'Store', '$q',
'$injector', '$injector', '$location',
function ($http, $rootScope, $cookies, GetBasePath, Store, $q, function ($http, $rootScope, $cookies, GetBasePath, Store, $q,
$injector) { $injector, $location) {
return { return {
setToken: function (token, expires) { setToken: function (token, expires) {
$cookies.remove('token_expires'); $cookies.remove('token_expires');
@@ -147,7 +147,11 @@ export default
setUserInfo: function (response) { setUserInfo: function (response) {
// store the response values in $rootScope so we can get to them later // store the response values in $rootScope so we can get to them later
$rootScope.current_user = response.results[0]; $rootScope.current_user = response.results[0];
$cookies.putObject('current_user', response.results[0]); //keep in session cookie in the event of browser refresh if ($location.protocol() === 'https') {
$cookies.putObject('current_user', response.results[0], {secure: true}); //keep in session cookie in the event of browser refresh
} else {
$cookies.putObject('current_user', response.results[0], {secure: false});
}
}, },
restoreUserInfo: function () { restoreUserInfo: function () {