[Fixes #7075] LOCKDOWN mode with custom login view (#7077)

GeoNode · Mar 12, 2021 · 296021e · 296021e
1 parent 312cdc6
commit 296021e
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/geonode/security/middleware.py b/geonode/security/middleware.py
@@ -32,6 +32,12 @@
 
 from guardian.shortcuts import get_anonymous_user
 
+
+# make sure login_url can be mapped to redirection URL and will match request.path
+login_url = settings.LOGIN_URL.replace(settings.SITEURL.rstrip('/'), '')
+if not login_url.startswith('/'):
+    login_url = '/' + login_url
+
 if check_ogc_backend(geoserver.BACKEND_PACKAGE):
     white_list_paths = (
         reverse('account_login'),
@@ -44,6 +50,7 @@
         '/account/(?!.*(?:signup))',
         # block unauthenticated users from creating new accounts.
         '/static/*',
+        login_url,
     )
 else:
     white_list_paths = (
@@ -53,6 +60,7 @@
         '/account/(?!.*(?:signup))',
         # block unauthenticated users from creating new accounts.
         '/static/*',
+        login_url,
     )
 
 white_list = [compile(x) for x in white_list_paths + getattr(settings, "AUTH_EXEMPT_URLS", ())]
@@ -72,7 +80,7 @@ class LoginRequiredMiddleware(MiddlewareMixin):
     authentication_classes).
     """
 
-    redirect_to = getattr(settings, "LOGIN_URL", reverse("account_login"))
+    redirect_to = login_url
 
     def __init__(self, get_response):
         self.get_response = get_response

diff --git a/geonode/security/tests.py b/geonode/security/tests.py
@@ -24,6 +24,7 @@
 import base64
 import logging
 import gisdata
+import importlib
 import contextlib
 
 from urllib.request import urlopen, Request
@@ -33,6 +34,7 @@
 from django.http import HttpRequest
 from django.urls import reverse
 from django.contrib.auth import get_user_model
+from django.test.utils import override_settings
 
 from guardian.shortcuts import (
     get_anonymous_user,
@@ -204,6 +206,40 @@ def test_login_middleware_with_basic_auth(self):
             response,
             msg="Middleware activated for white listed path: {0}".format(black_listed_url))
 
+    @on_ogc_backend(geoserver.BACKEND_PACKAGE)
+    @dump_func_name
+    def test_login_middleware_with_custom_login_url(self):
+        """
+        Tests the Geonode login required authentication middleware with Basic authenticated queries
+        """
+
+        site_url_settings = [settings.SITEURL + "login/custom", "/login/custom", "login/custom"]
+        black_listed_url = reverse("maps_browse")
+
+        for setting in site_url_settings:
+            with override_settings(LOGIN_URL=setting):
+
+                from geonode.security import middleware as mw
+
+                # reload the middleware module to fetch overridden settings
+                importlib.reload(mw)
+                middleware = mw.LoginRequiredMiddleware(None)
+
+                # unauthorized request to black listed URL should be redirected to `redirect_to` URL
+                request = HttpRequest()
+                request.user = get_anonymous_user()
+                request.path = black_listed_url
+
+                response = middleware.process_request(request)
+
+                self.assertIsNotNone(response, "Middleware didn't activate for blacklisted URL.")
+                self.assertEqual(response.status_code, 302)
+                self.assertTrue(
+                    response.get("Location").startswith("/"),
+                    msg=f"Returned redirection should be a valid path starting '/'. "
+                        f"Instead got: {response.get('Location')}",
+                )
+
     @on_ogc_backend(geoserver.BACKEND_PACKAGE)
     @dump_func_name
     def test_session_ctrl_middleware(self):