Canonicalise the 'me' parameter better, so if I just enter the bare domain it'll work fine
parent
0adc7a0d5e
commit
ac22c826cb
1 changed files with 12 additions and 10 deletions
|
@ -16,14 +16,14 @@ breadcrumbs.add('lemonauth:indie', parent='home:index')
|
||||||
|
|
||||||
|
|
||||||
def canonical(url):
|
def canonical(url):
|
||||||
(scheme, loc, path, params, q, fragment) = urlparse(url)
|
if '//' not in url:
|
||||||
|
url = '//' + url
|
||||||
|
(scheme, netloc, path, params, query, fragment) = urlparse(url)
|
||||||
|
if not scheme or scheme == 'http':
|
||||||
|
scheme = 'https'
|
||||||
if not path:
|
if not path:
|
||||||
path = '/'
|
path = '/'
|
||||||
if not loc:
|
return urlunparse((scheme, netloc, path, params, query, fragment))
|
||||||
loc, path = path, ''
|
|
||||||
if not scheme:
|
|
||||||
scheme = 'https'
|
|
||||||
return urlunparse((scheme, loc, path, params, q, fragment))
|
|
||||||
|
|
||||||
|
|
||||||
@method_decorator(csrf_exempt, name='dispatch')
|
@method_decorator(csrf_exempt, name='dispatch')
|
||||||
|
@ -44,9 +44,11 @@ class IndieView(TemplateView):
|
||||||
)
|
)
|
||||||
|
|
||||||
me = request.user.full_url
|
me = request.user.full_url
|
||||||
if 'me' in params and me != canonical(params['me']):
|
if 'me' in params:
|
||||||
|
param_me = canonical(params['me'])
|
||||||
|
if me != param_me:
|
||||||
return utils.forbid(
|
return utils.forbid(
|
||||||
'you are logged in but not as {0}'.format(me)
|
'you are logged in as {}, not as {}'.format(me, param_me)
|
||||||
)
|
)
|
||||||
|
|
||||||
redirect_uri = urljoin(params['client_id'], params['redirect_uri'])
|
redirect_uri = urljoin(params['client_id'], params['redirect_uri'])
|
||||||
|
|
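Review bot: In canonical(), `if '//' not in url:` looks for the substring anywhere in the input, so a scheme-less value that contains `//` further along (for example `example.com/a//b`, or a query string carrying another URL) skips the prefixing, and urlparse() then returns an empty netloc with the host left in the path. The host is also compared case-sensitively, because urlparse() keeps netloc as typed, so `Example.com` will not equal a lower-case `full_url`. Both cases should fail the `me != param_me` comparison in IndieView rather than produce a false match, but they defeat the bare-domain convenience this commit is after. Consider anchoring the test to the start of the string, e.g. `if not url.lower().startswith(('http://', 'https://', '//')):`, and adding `netloc = netloc.lower()` after the parse.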