fix: 修复第三方用户登录复核时，可以跳过的问题

2023-02-09 19:38:28 +08:00 · 2023-02-09 19:38:28 +08:00 · 48067415ef
parent b81416d973
commit 48067415ef
4 changed files with 14 additions and 3 deletions
--- a/apps/acls/serializers/login_acl.py
+++ b/apps/acls/serializers/login_acl.py
@ -22,7 +22,7 @@ class LoginACLSerializer(BulkModelSerializer):
    reviewers = ObjectRelatedField(
        queryset=User.objects, label=_("Reviewers"), many=True, required=False
    )
-    action = LabeledChoiceField(choices=LoginACL.ActionChoices.choices)
+    action = LabeledChoiceField(choices=LoginACL.ActionChoices.choices, label=_('Action'))
    reviewers_amount = serializers.IntegerField(
        read_only=True, source="reviewers.count", label=_("Reviewers amount")
    )
--- a/apps/authentication/api/login_confirm.py
+++ b/apps/authentication/api/login_confirm.py
@ -20,6 +20,7 @@ class TicketStatusApi(mixins.AuthMixin, APIView):
        try:
            self.check_user_login_confirm()
            self.request.session['auth_third_party_done'] = 1
+            self.request.session.pop('auth_third_party_required', '')
            return Response({"msg": "ok"})
        except errors.LoginConfirmOtherError as e:
            reason = e.msg
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@ -62,6 +62,17 @@ class ThirdPartyLoginMiddleware(mixins.AuthMixin):
            return response
        if not request.session.get('auth_third_party_required'):
            return response
+        white_urls = [
+            'jsi18n/', '/static/',
+            'login/guard', 'login/wait-confirm',
+            'login-confirm-ticket/status',
+            'settings/public/open',
+            'core/auth/login', 'core/auth/logout'
+        ]
+        for url in white_urls:
+            if request.path.find(url) > -1:
+                return response
+
        ip = get_request_ip(request)
        try:
            self.request = request
@ -89,7 +100,6 @@ class ThirdPartyLoginMiddleware(mixins.AuthMixin):
                guard_url = "%s?%s" % (guard_url, args)
            response = redirect(guard_url)
        finally:
-            request.session.pop('auth_third_party_required', '')
            return response


--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -369,7 +369,7 @@ class AuthACLMixin:
    def check_user_login_confirm(self):
        ticket = self.get_ticket()
        if not ticket:
-            raise errors.LoginConfirmOtherError('', "Not found")
+            raise errors.LoginConfirmOtherError('', "Not found", '')
        elif ticket.is_state(ticket.State.approved):
            self.request.session["auth_confirm_required"] = ''
            return