From 8ecc45d674be9b5957fb2774c637cb8d86342343 Mon Sep 17 00:00:00 2001 From: Charles Connell Date: Mon, 3 Feb 2014 15:27:14 -0500 Subject: [PATCH] Redirect authenticated users to HTTPS pages --- .gitignore | 7 ++++- karmaworld/settings/common.py | 1 + karmaworld/settings/prod.py | 7 +++++ karmaworld/utils/SSLRedirect.py | 47 +++++++++++++++++++++++++++++++++ 4 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 karmaworld/utils/SSLRedirect.py diff --git a/.gitignore b/.gitignore index 0ff8afa..f227ced 100644 --- a/.gitignore +++ b/.gitignore @@ -63,4 +63,9 @@ karmaworld/secret/* .tags ## USDE accreditation school CSV -confs/accreditation.csv \ No newline at end of file +confs/accreditation.csv + +# Local SSL testing +runserver_ssl +stunnel + diff --git a/karmaworld/settings/common.py b/karmaworld/settings/common.py index dbf8be1..6a47f08 100644 --- a/karmaworld/settings/common.py +++ b/karmaworld/settings/common.py @@ -274,6 +274,7 @@ SOCIALACCOUNT_QUERY_EMAIL = True SOCIALACCOUNT_AUTO_SIGNUP = False ACCOUNT_USER_DISPLAY = 'karmaworld.apps.users.models.user_display_name' ACCOUNT_SIGNUP_FORM_CLASS = 'karmaworld.apps.users.forms.SignupForm' +ACCOUNT_DEFAULT_HTTP_PROTOCOL = 'https' AUTH_PROFILE_MODULE = 'users.UserProfile' diff --git a/karmaworld/settings/prod.py b/karmaworld/settings/prod.py index f80463a..4231ce2 100644 --- a/karmaworld/settings/prod.py +++ b/karmaworld/settings/prod.py @@ -141,6 +141,13 @@ AWS_HEADERS = { STATIC_URL = S3_URL ########## END STORAGE CONFIGURATION +########## MIDDLEWARE CONFIGURATION +# See: https://docs.djangoproject.com/en/dev/ref/settings/#middleware-classes +MIDDLEWARE_CLASSES += ( + # Use SSL when user is authenticated + 'karmaworld.utils.SSLRedirect.SSLRedirect', +) +########## END MIDDLEWARE CONFIGURATION ########## COMPRESSION CONFIGURATION # See: http://django_compressor.readthedocs.org/en/latest/settings/#django.conf.settings.COMPRESS_OFFLINE 
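Review bot: Registering SSLRedirect in prod.py moves authenticated users onto HTTPS but leaves the session and CSRF cookies marked for plain HTTP, and the middleware's own trigger, `request.user.is_authenticated()`, means the session cookie has already crossed the network in clear on the very request that gets redirected. Add `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` next to this block so the browser never attaches them to an http:// request in the first place; the `ACCOUNT_DEFAULT_HTTP_PROTOCOL = 'https'` change in common.py already points the login URLs at HTTPS, so the login flow stays on the secure side. The middleware reads `request.user` in `process_view`, so it must sit after the authentication middleware in the base `MIDDLEWARE_CLASSES` defined in common.py, which is not visible in this hunk; `+=` appends to the end, which presumably satisfies that, but the order is worth confirming. A one-line comment above the tuple, `# Must run after AuthenticationMiddleware: relies on request.user`, would make that dependency explicit.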
diff --git a/karmaworld/utils/SSLRedirect.py b/karmaworld/utils/SSLRedirect.py
new file mode 100644
index 0000000..28cba2b
--- /dev/null
+++ b/karmaworld/utils/SSLRedirect.py
@@ -0,0 +1,47 @@
+__license__ = "Python"
+__copyright__ = "Copyright (C) 2007, Stephen Zabel"
+__author__ = "Stephen Zabel - sjzabel@gmail.com"
+__contributors__ = "Jay Parlar - parlar@gmail.com"
+
+from django.conf import settings
+from django.http import HttpResponsePermanentRedirect
+from django.contrib.sites.models import get_current_site
+
+SSL = 'SSL'
+
+
+class SSLRedirect(object):
+
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        if SSL in view_kwargs:
+            secure = view_kwargs[SSL]
+            del view_kwargs[SSL]
+        else:
+            secure = False
+
+        if request.user.is_authenticated():
+            secure = True
+
+        if not secure == self._is_secure(request):
+            return self._redirect(request, secure)
+
+    def _is_secure(self, request):
+        if request.is_secure():
+            return True
+
+        #Handle the Webfaction case until this gets resolved in the request.is_secure()
+        if 'HTTP_X_FORWARDED_SSL' in request.META:
+            return request.META['HTTP_X_FORWARDED_SSL'] == 'on'
+
+        return False
+
+    def _redirect(self, request, secure):
+        protocol = secure and "https://" or "http://"
+        newurl = "%s%s%s" % (protocol, get_current_site(request).domain, request.get_full_path())
+        if settings.DEBUG and request.method == 'POST':
+            raise RuntimeError, \
+                """Django can't perform a SSL redirect while maintaining POST data.
+                Please structure your views so that redirects only occur during GETs."""
+
+        return HttpResponsePermanentRedirect(newurl)
+
-- 
2.25.1
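Review bot: `_is_secure` trusts the `X-Forwarded-SSL` header from any client: a plaintext request carrying `X-Forwarded-SSL: on` (an on-path attacker stripping TLS can add it) is treated as already secure and the HTTPS redirect for an authenticated user is skipped, unless the front proxy is known to overwrite that header. Django's `SECURE_PROXY_SSL_HEADER` setting exists for exactly this deployment case and is honoured by `request.is_secure()`, so `_is_secure` can collapse to `return request.is_secure()` and the header handling lives in settings for the one proxy that needs it. Separately, `process_view` redirects in both directions with a 301: an anonymous visitor on https:// is permanently bounced to http://, browsers cache that, and once the same user logs in the cached downgrade and the authenticated upgrade can ping-pong; `if secure and not self._is_secure(request):` keeps the upgrade and drops the needless downgrade (a view with `SSL=False` then simply works on either scheme). Finally, in production a POST that hits the redirect loses its body silently, since the RuntimeError fires only under DEBUG; a docstring on `process_view` should say that forms must be served from https:// so their POST never crosses the redirect.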