feat: confirm access decorator
DESCRIPTION Some views are privileged and unauthorized execution can have irreversible changes. confirm_access decorator checks if the user's session is verified for privileged operation execution. If not, it will redirect user to "accounts.sudo" vie" vie" vie" viewwip-payments
parent
1e7d45d53b
commit
2ccf3d9679
|
@ -0,0 +1,24 @@
|
||||||
|
# Copyright © 2022 Aravinth Manivannan <realaravinth@batsense.net>
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU Affero General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 3 of the
|
||||||
|
# License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU Affero General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU Affero General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
from .utils import ConfirmAccess
|
||||||
|
|
||||||
|
|
||||||
|
def confirm_access(function):
|
||||||
|
def wrap(request, *args, **kwargs):
|
||||||
|
return ConfirmAccess.validate_decorator(
|
||||||
|
request=request, fn=function, *args, **kwargs
|
||||||
|
)
|
||||||
|
|
||||||
|
return wrap
|
|
@ -12,8 +12,14 @@
|
||||||
#
|
#
|
||||||
# You should have received a copy of the GNU Affero General Public License
|
# You should have received a copy of the GNU Affero General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
from datetime import datetime, timezone
|
||||||
|
|
||||||
from django.utils.crypto import get_random_string
|
from django.utils.crypto import get_random_string
|
||||||
from django.core.mail import send_mail
|
from django.core.mail import send_mail
|
||||||
|
from django.shortcuts import redirect
|
||||||
|
from django.urls import reverse
|
||||||
|
from django.utils.http import urlencode
|
||||||
|
from django.conf import settings
|
||||||
|
|
||||||
|
|
||||||
def gen_secret() -> str:
|
def gen_secret() -> str:
|
||||||
|
@ -36,3 +42,43 @@ def send_verification_email(request, challenge):
|
||||||
from_email="No reply Hostea<ro-reply@exampl.org>", # TODO read from settings.py
|
from_email="No reply Hostea<ro-reply@exampl.org>", # TODO read from settings.py
|
||||||
recipient_list=[email],
|
recipient_list=[email],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
EPOCH = datetime.utcfromtimestamp(0).astimezone(tz=timezone.utc)
|
||||||
|
|
||||||
|
|
||||||
|
def since_epoch(date: datetime = None) -> int:
|
||||||
|
"""Get current time since Unix epoch in seconds"""
|
||||||
|
if not date:
|
||||||
|
date = datetime.now(timezone.utc)
|
||||||
|
date.astimezone(tz=timezone.utc)
|
||||||
|
return int((date - EPOCH).total_seconds())
|
||||||
|
|
||||||
|
|
||||||
|
class ConfirmAccess:
|
||||||
|
key = "confirm_access"
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def redirect_to_sudo(request):
|
||||||
|
ctx = {"next": request.path}
|
||||||
|
return redirect(f"{reverse('accounts.sudo')}?{urlencode(ctx)}")
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def is_valid(cls, request):
|
||||||
|
if cls.key in request.session:
|
||||||
|
if (since_epoch() - request.session[cls.key]) < settings.HOSTEA["ACCOUNTS"][
|
||||||
|
"SUDO_TTL"
|
||||||
|
]:
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def validate_decorator(cls, request, fn, *args, **kwargs):
|
||||||
|
if cls.is_valid(request):
|
||||||
|
return fn(request, *args, **kwargs)
|
||||||
|
else:
|
||||||
|
return cls.redirect_to_sudo(request)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def set(cls, request):
|
||||||
|
request.session[cls.key] = since_epoch()
|
||||||
|
|
Loading…
Reference in New Issue