From 9694ba61c4317a019a3fb3f2834dbb7ba3cb5774 Mon Sep 17 00:00:00 2001 From: Emmanuel Viennet Date: Wed, 13 Oct 2021 21:00:03 +0200 Subject: [PATCH] =?UTF-8?q?Evite=20les=20erreurs=20de=20formulaires=20POST?= =?UTF-8?q?=20quand=20l'utilisateur=20s'est=20d=C3=A9connect=C3=A9=20dans?= =?UTF-8?q?=20un=20autre=20onglet?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/auth/routes.py | 5 ++++- app/decorators.py | 17 ++++++++++++----- app/templates/auth/login.html | 5 +++++ 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/app/auth/routes.py b/app/auth/routes.py index 8f01a0c1..bf7272a7 100644 --- a/app/auth/routes.py +++ b/app/auth/routes.py @@ -46,7 +46,10 @@ def login(): if not next_page or url_parse(next_page).netloc != "": next_page = url_for("scodoc.index") return redirect(next_page) - return render_template("auth/login.html", title=_("Sign In"), form=form) + message = request.args.get("message", "") + return render_template( + "auth/login.html", title=_("Sign In"), form=form, message=message + ) @bp.route("/logout") diff --git a/app/decorators.py b/app/decorators.py index 65b89905..df67751a 100644 --- a/app/decorators.py +++ b/app/decorators.py @@ -10,12 +10,10 @@ import logging import werkzeug from werkzeug.exceptions import BadRequest import flask -from flask import g -from flask import abort, current_app -from flask import request +from flask import g, current_app, request +from flask import abort, url_for, redirect from flask_login import current_user from flask_login import login_required -from flask import current_app import flask_login import app 
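Review bot: `message = request.args.get("message", "")` in login() reflects any query-string value onto the login page, so a crafted link can make the login form display arbitrary attacker-chosen text (content spoofing), whereas the only intended producer is the redirect added in app/decorators.py. Flask's autoescaping for .html templates should prevent HTML injection as long as the template renders `{{ message }}` without `|safe`, but the wording itself stays free-form and the template lines are not fully visible here. Consider accepting only a short key and mapping it server-side, e.g. `message = _("La page a expiré. Identifiez-vous et recommencez l'opération") if request.args.get("message") == "expired" else ""`, or have the decorator call `flask.flash()` and let the template read `get_flashed_messages()`. The body of login() starts outside the hunk.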
@@ -52,6 +50,15 @@ def scodoc(func): @wraps(func) def scodoc_function(*args, **kwargs): + # interdit les POST si pas loggué + if request.method == "POST" and not current_user.is_authenticated: + current_app.logger.info("POST by non authenticated user") + return redirect( + url_for( + "auth.login", + message="La page a expiré. Identifiez-vous et recommencez l'opération", + ) + ) if "scodoc_dept" in kwargs: dept_acronym = kwargs["scodoc_dept"] # current_app.logger.info("setting dept to " + dept_acronym) @@ -81,7 +88,7 @@ def permission_required(permission): def permission_required_compat_scodoc7(permission): - """Décorateur pour les fonctions utilisée comme API dans ScoDoc 7 + """Décorateur pour les fonctions utilisées comme API dans ScoDoc 7 Comme @permission_required mais autorise de passer directement les informations d'auth en paramètres: __ac_name, __ac_password diff --git a/app/templates/auth/login.html b/app/templates/auth/login.html index 2685383d..d636e053 100644 --- a/app/templates/auth/login.html +++ b/app/templates/auth/login.html @@ -2,6 +2,11 @@ {% import 'bootstrap/wtf.html' as wtf %} {% block app_content %} + +{% if message %} + +{% endif %} +
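Review bot: The new POST guard in scodoc_function runs before any authentication performed by other decorators on the wrapped view, and the docstring touched in the next hunk says permission_required_compat_scodoc7 accepts credentials as `__ac_name`/`__ac_password` parameters; if such a ScoDoc 7 API call is a POST without a session cookie and `@scodoc` is the outer decorator, it would now be redirected to the HTML login page instead of being authenticated — worth confirming against those views, whose definitions are outside the hunk. A 302 to an HTML form is also an unhelpful answer for non-browser clients; a 401 for requests that do not accept HTML would be clearer. The log line would be more useful for triage with the target path, `current_app.logger.info("POST by non authenticated user to %s", request.path)`, and carrying the French sentence in the query string would be avoided by `flask.flash()` plus a plain `redirect(url_for("auth.login"))`. scodoc_function continues outside the hunk.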

Connexion