nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-02-04 08:13:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
FreedomBox/plinth/modules/users/urls.py
Sunil Mohan Adapa 895d8cffbc
sso: Adjust URL to CAPTCHA page needed by Django security fix 
Fixes: #2170.

Starting with Django 2.2.25, re_path behavior has changed. When the regular
expression ends with a '$', a full match is performed with the regular
expression. This breaks the behavior of how we are currently matching the locked
URLs for CAPTCHA based login forms.

Tests:

- All tests are done on Debian stable with Django 2.2.25 and on Debian unstable
with Django 3.2.10.

- Go to home page, click on login link. Enter wrong password three times.
CAPTCHA page is show with URL ending with /locked. Type the correct password and
login will be successful.

- Install tt-rss. Logout. Go to /tt-rss/, redirection will happen to login page.
Enter wrong password three times. CAPTCHA page is show with URL ending with
/locked. Type the correct password and login will be successful.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-01-16 10:15:32 -05:00

40 lines
1.6 KiB
Python
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
"""
URLs for the Users module
"""
from axes.decorators import axes_dispatch
from django.urls import re_path, reverse_lazy
from stronghold.decorators import public
from plinth.modules.sso.views import (CaptchaLoginView, SSOLoginView,
SSOLogoutView)
from plinth.utils import non_admin_view
from . import views
urlpatterns = [
re_path(r'^sys/users/$', views.UserList.as_view(), name='index'),
re_path(r'^sys/users/create/$', views.UserCreate.as_view(), name='create'),
re_path(r'^sys/users/(?P<slug>[\w.@+-]+)/edit/$',
non_admin_view(views.UserUpdate.as_view()), name='edit'),
re_path(r'^sys/users/(?P<slug>[\w.@+-]+)/delete/$',
views.UserDelete.as_view(), name='delete'),
re_path(r'^sys/users/(?P<slug>[\w.@+-]+)/change_password/$',
non_admin_view(views.UserChangePassword.as_view()),
name='change_password'),
# Authnz is handled by SSO
# XXX: Use axes authentication backend and middleware instead of
# axes_dispatch after axes 5.x becomes available in Debian stable.
re_path(r'^accounts/login/$',
public(axes_dispatch(SSOLoginView.as_view())), name='login'),
re_path(r'^accounts/logout/$', non_admin_view(SSOLogoutView.as_view()),
{'next_page': reverse_lazy('index')}, name='logout'),
re_path(r'^users/firstboot/$', public(views.FirstBootView.as_view()),
name='firstboot'),
re_path(r'accounts/login/locked/$', public(CaptchaLoginView.as_view()),
name='locked_out'),
]
Reference in New Issue View Git Blame Copy Permalink