Prevent escaping of logout message

2017-07-26 17:24:20 +02:00 · 2017-07-26 17:24:20 +02:00 · 7133ae65a6
commit 7133ae65a6
parent 76fd5ca344
2 changed files with 23 additions and 17 deletions
--- a/allauth_cas/signals.py
+++ b/allauth_cas/signals.py
@ -1,9 +1,11 @@
 # -*- coding: utf-8 -*-
+from django.conf import settings
+from django.contrib import messages
 from django.contrib.auth.signals import user_logged_out
 from django.dispatch import receiver
+from django.template.loader import render_to_string
 from django.utils.safestring import mark_safe

-from allauth.account.adapter import get_adapter
 from allauth.account.utils import get_next_redirect_url
 from allauth.socialaccount import providers

@ -14,7 +16,8 @@ from . import CAS_PROVIDER_SESSION_KEY
 def cas_account_logout(sender, request, **kwargs):
    provider_id = request.session.get(CAS_PROVIDER_SESSION_KEY)

-    if not provider_id:
+    if (not provider_id or
+            'django.contrib.messages' not in settings.INSTALLED_APPS):
        return

    provider = providers.registry.by_id(provider_id, request)
@ -22,24 +25,26 @@ def cas_account_logout(sender, request, **kwargs):
    if not provider.message_on_logout(request):
        return

-    adapter = get_adapter(request)
-
    redirect_url = (
        get_next_redirect_url(request) or
-        adapter.get_logout_redirect_url(request)
+        request.get_full_path()
    )

    logout_kwargs = {'next': redirect_url} if redirect_url else {}
    logout_url = provider.get_logout_url(request, **logout_kwargs)
-
-    level = provider.message_on_logout_level(request)
    logout_link = mark_safe('<a href="{}">link</a>'.format(logout_url))

-    adapter.add_message(
-        request, level,
-        message_template='cas_account/messages/logged_out.txt',
-        message_context={
-            'logout_url': logout_url,
-            'logout_link': logout_link,
-        }
-    )
+    level = provider.message_on_logout_level(request)
+
+    # DefaultAccountAdapter.add_message from allauth.account.adapter is
+    # unusable because HTML in message content is always escaped.
+
+    template = 'cas_account/messages/logged_out.txt'
+    context = {
+        'logout_url': logout_url,
+        'logout_link': logout_link,
+    }
+
+    message = mark_safe(render_to_string(template, context).strip())
+
+    messages.add_message(request, level, message)
--- a/tests/test_flows.py
+++ b/tests/test_flows.py
@ -29,8 +29,9 @@ def client_cas_login(client):

 class LogoutFlowTests(TestCase):
    expected_msg_str = (
-        "To logout of CAS, please close your browser, or visit this <a "
-        "href=\"/accounts/theid/logout/?next=%2F\">link</a>."
+        "To logout of CAS, please close your browser, or visit this "
+        "<a href=\"/accounts/theid/logout/?next=%2Faccounts%2Flogout%2F\">"
+        "link</a>."
    )

    def setUp(self):