
Merge pull request #2758 from rooftopcellist/secure_current_user

make current_user cookie secure and httponly
This commit is contained in:
Christian Adams 2018-11-21 15:26:35 -05:00 committed by GitHub
commit d310c48988
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 6 deletions


@ -92,8 +92,7 @@ class LoggedLoginView(auth_views.LoginView):
current_user = UserSerializer(self.request.user)
current_user = JSONRenderer().render(current_user.data)
current_user = urllib.quote('%s' % current_user, '')
ret.set_cookie('current_user', current_user)
ret.set_cookie('current_user', current_user, secure=settings.SESSION_COOKIE_SECURE or None)
return ret
else:
ret.status_code = 401
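Review bot: The replacement for `ret.set_cookie('current_user', current_user)` sets only `secure=`; nothing in this commit passes `httponly=True`, so the commit message ("secure and httponly") claims more than the hunk delivers. HttpOnly is probably not an option here anyway, because the Angular client reads and rewrites this same cookie through `$cookies` (setUserInfo/restoreUserInfo in the third file) and would no longer see it, but then the message should say that rather than promise HttpOnly. `secure=settings.SESSION_COOKIE_SECURE or None` also ties the flag to a session setting that a deployment may leave False behind a TLS-terminating proxy, in which case the serialized user record still travels in the clear; since Django's set_cookie only tests the truthiness of `secure`, `secure=settings.SESSION_COOKIE_SECURE` is equivalent and reads more plainly. The same line appears in CompleteView in the second file. The enclosing LoggedLoginView method starts outside the hunk.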


@ -13,6 +13,7 @@ from django.views.generic.base import RedirectView
from django.utils.encoding import smart_text
from awx.api.serializers import UserSerializer
from rest_framework.renderers import JSONRenderer
from django.conf import settings
logger = logging.getLogger('awx.sso.views')
@ -45,7 +46,7 @@ class CompleteView(BaseRedirectView):
current_user = UserSerializer(self.request.user)
current_user = JSONRenderer().render(current_user.data)
current_user = urllib.quote('%s' % current_user, '')
response.set_cookie('current_user', current_user)
response.set_cookie('current_user', current_user, secure=settings.SESSION_COOKIE_SECURE or None)
return response
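Review bot: The three lines that serialize the user and set the `current_user` cookie, now with the `secure=settings.SESSION_COOKIE_SECURE or None` argument, are duplicated verbatim between this CompleteView hunk and LoggedLoginView in the first file. Two copies of a security-relevant attribute list tend to drift the next time a flag is added (httponly, samesite), so a small shared helper such as `def set_current_user_cookie(response, user):` holding the serialize/quote/set_cookie sequence, called as `set_current_user_cookie(response, self.request.user)` from both views, would keep the cookie attributes in one place. The enclosing CompleteView method starts outside the hunk.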


@ -16,9 +16,9 @@
export default
['$http', '$rootScope', '$cookies', 'GetBasePath', 'Store', '$q',
'$injector',
'$injector', '$location',
function ($http, $rootScope, $cookies, GetBasePath, Store, $q,
$injector) {
$injector, $location) {
return {
setToken: function (token, expires) {
$cookies.remove('token_expires');
@ -147,7 +147,11 @@ export default
setUserInfo: function (response) {
// store the response values in $rootScope so we can get to them later
$rootScope.current_user = response.results[0];
$cookies.putObject('current_user', response.results[0]); //keep in session cookie in the event of browser refresh
if ($location.protocol() === 'https') {
$cookies.putObject('current_user', response.results[0], {secure: true}); //keep in session cookie in the event of browser refresh
} else {
$cookies.putObject('current_user', response.results[0], {secure: false});
}
},
restoreUserInfo: function () {
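Review bot: The if/else added in setUserInfo differs only in the `secure` value, and `{secure: false}` is, as far as I can tell, what the original single call already did by default, so the branch can collapse to one line: `$cookies.putObject('current_user', response.results[0], {secure: $location.protocol() === 'https'}); //keep in session cookie in the event of browser refresh`. Note also that the client decides from the page protocol while the server side (LoggedLoginView and CompleteView in the other two files) decides from settings.SESSION_COOKIE_SECURE; on an https deployment with that setting left False the two writers of the same cookie disagree and the browser keeps whichever was written last, which is worth either a comment here or aligning the two criteria. The setUserInfo function is fully inside the hunk; the `export default` object it belongs to continues beyond it.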