From e2e21f4afa5e88c082193152fe0dd4075cfa78c3 Mon Sep 17 00:00:00 2001
From: Danielle McLean
Date: Fri, 27 Oct 2017 22:03:25 +1100
Subject: [PATCH] Make sure IndieAuth is agnostic to whether the 'me' parameter has a trailing slash or not
---
 lemonauth/views/indie.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index 3bef4a5..e7a7e5d 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -5,7 +5,8 @@ from django.http import HttpResponseForbidden, HttpResponseBadRequest
 from django.shortcuts import render
 from django.utils.decorators import method_decorator
 from django.views.generic import TemplateView
-from lemoncurry import breadcrumbs
+from lemoncurry import breadcrumbs, utils
+from urllib.parse import urljoin
 breadcrumbs.add('lemonauth:indie', label='indieauth', parent='home:index')
@@ -25,12 +26,12 @@ class IndieView(TemplateView):
 )
 me = params['me']
- user = '{0}://{1}{2}'.format(
- request.scheme,
- request.META['HTTP_HOST'],
- request.user.url
- )
- if me != user:
+ if me[-1] == '/':
+ me = me[:-1]
+
+ origin = utils.origin(request)
+ user = urljoin(origin, request.user.url)
+ if user not in (me, me + '/'):
 return HttpResponseForbidden(
 'you are logged in but not as {0}'.format(me),
 content_type='text/plain',
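Review bot: The added `if me[-1] == '/':` raises IndexError when the request carries an empty `me` value, so the view would return a 500 instead of a clean rejection unless the parameter check above the hunk (not visible here) already refuses empty strings. `if me.endswith('/'):` keeps the same behaviour and is safe on an empty string. Separately, this comparison is the identity check for the logged-in user, and `utils.origin` is not shown. The removed code read `request.META['HTTP_HOST']` directly, so if the helper still does that, it would be worth building the origin from `request.get_host()`, which Django validates against `ALLOWED_HOSTS`. The enclosing view method starts and ends outside the hunk.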