From 7133ae65a6aab8e63ae4fe35eee0f7198db10dfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Delobelle?= Date: Wed, 26 Jul 2017 17:24:20 +0200 Subject: [PATCH] Prevent escaping of logout message --- allauth_cas/signals.py | 35 ++++++++++++++++++++--------------- tests/test_flows.py | 5 +++-- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/allauth_cas/signals.py b/allauth_cas/signals.py index 8b26023..208ee37 100644 --- a/allauth_cas/signals.py +++ b/allauth_cas/signals.py @@ -1,9 +1,11 @@ # -*- coding: utf-8 -*- +from django.conf import settings +from django.contrib import messages from django.contrib.auth.signals import user_logged_out from django.dispatch import receiver +from django.template.loader import render_to_string from django.utils.safestring import mark_safe -from allauth.account.adapter import get_adapter from allauth.account.utils import get_next_redirect_url from allauth.socialaccount import providers @@ -14,7 +16,8 @@ from . import CAS_PROVIDER_SESSION_KEY def cas_account_logout(sender, request, **kwargs): provider_id = request.session.get(CAS_PROVIDER_SESSION_KEY) - if not provider_id: + if (not provider_id or + 'django.contrib.messages' not in settings.INSTALLED_APPS): return provider = providers.registry.by_id(provider_id, request) 
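Review bot: The new guard `'django.contrib.messages' not in settings.INSTALLED_APPS` compares literal strings, so a project that lists the app by its AppConfig path (`'django.contrib.messages.apps.MessagesConfig'`) is treated as not having it and silently gets no logout message. `apps.is_installed('django.contrib.messages')`, with `from django.apps import apps`, accepts both spellings. The guard also says nothing about MessageMiddleware, which the `messages.add_message` call added later in this function needs; passing `fail_silently=True` there would stop a missing middleware from raising inside the logout signal. cas_account_logout continues past the end of this hunk.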
@@ -22,24 +25,26 @@ def cas_account_logout(sender, request, **kwargs): if not provider.message_on_logout(request): return - adapter = get_adapter(request) - redirect_url = ( get_next_redirect_url(request) or - adapter.get_logout_redirect_url(request) + request.get_full_path() ) logout_kwargs = {'next': redirect_url} if redirect_url else {} logout_url = provider.get_logout_url(request, **logout_kwargs) - - level = provider.message_on_logout_level(request) logout_link = mark_safe('link'.format(logout_url)) - adapter.add_message( - request, level, - message_template='cas_account/messages/logged_out.txt', - message_context={ - 'logout_url': logout_url, - 'logout_link': logout_link, - } - ) + level = provider.message_on_logout_level(request) + + # DefaultAccountAdapter.add_message from allauth.account.adapter is + # unusable because HTML in message content is always escaped. + + template = 'cas_account/messages/logged_out.txt' + context = { + 'logout_url': logout_url, + 'logout_link': logout_link, + } + + message = mark_safe(render_to_string(template, context).strip()) + + messages.add_message(request, level, message) diff --git a/tests/test_flows.py b/tests/test_flows.py index 9feadfc..8a61c87 100644 --- a/tests/test_flows.py +++ b/tests/test_flows.py @@ -29,8 +29,9 @@ def client_cas_login(client): class LogoutFlowTests(TestCase): expected_msg_str = ( - "To logout of CAS, please close your browser, or visit this link." + "To logout of CAS, please close your browser, or visit this " + "" + "link." ) def setUp(self):
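Review bot: `message = mark_safe(render_to_string(template, context).strip())` makes the whole rendered message trusted HTML, so the only escaping left is the template engine's autoescape and whatever was done when each context value was built. The unchanged `logout_link = mark_safe('…'.format(logout_url))` line fills its literal (shown on this page as `'link'`, apparently with the markup lost) through plain `str.format`, and `logout_url` is derived from `get_next_redirect_url(request)` or, after this change, `request.get_full_path()`, both of which carry request-supplied text. Unless `provider.get_logout_url` fully encodes that value (not visible in this hunk), it reaches the page unescaped. Building the link with `format_html` from `django.utils.html`, passing the same literal and `logout_url` as the argument, escapes it at the point of interpolation. The comment above `template = …` should also say that every context value must be escaped or built with `format_html`, because the result is marked safe. cas_account_logout starts above this hunk.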
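Review bot: `expected_msg_str` in LogoutFlowTests only pins the rendered message for an ordinary logout URL, so nothing here checks the property this commit changes, namely that the message is now emitted unescaped. A companion test that logs out with a `next` value containing HTML metacharacters and asserts they appear only in escaped form in the stored message would stop a later template or link change from turning this into an injection point. The class body continues outside the hunk, so such a case may already exist further down.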