Prevent escaping of logout message

Aurélien Delobelle 2017-07-26 17:24:20 +02:00
parent 76fd5ca344
commit 7133ae65a6
2 changed files with 23 additions and 17 deletions


@ -1,9 +1,11 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from django.conf import settings
from django.contrib import messages
from django.contrib.auth.signals import user_logged_out from django.contrib.auth.signals import user_logged_out
from django.dispatch import receiver from django.dispatch import receiver
from django.template.loader import render_to_string
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
from allauth.account.adapter import get_adapter
from allauth.account.utils import get_next_redirect_url from allauth.account.utils import get_next_redirect_url
from allauth.socialaccount import providers from allauth.socialaccount import providers
@ -14,7 +16,8 @@ from . import CAS_PROVIDER_SESSION_KEY
def cas_account_logout(sender, request, **kwargs): def cas_account_logout(sender, request, **kwargs):
provider_id = request.session.get(CAS_PROVIDER_SESSION_KEY) provider_id = request.session.get(CAS_PROVIDER_SESSION_KEY)
if not provider_id: if (not provider_id or
'django.contrib.messages' not in settings.INSTALLED_APPS):
return return
provider = providers.registry.by_id(provider_id, request) provider = providers.registry.by_id(provider_id, request)
@ -22,24 +25,26 @@ def cas_account_logout(sender, request, **kwargs):
if not provider.message_on_logout(request): if not provider.message_on_logout(request):
return return
adapter = get_adapter(request)
redirect_url = ( redirect_url = (
get_next_redirect_url(request) or get_next_redirect_url(request) or
adapter.get_logout_redirect_url(request) request.get_full_path()
) )
logout_kwargs = {'next': redirect_url} if redirect_url else {} logout_kwargs = {'next': redirect_url} if redirect_url else {}
logout_url = provider.get_logout_url(request, **logout_kwargs) logout_url = provider.get_logout_url(request, **logout_kwargs)
level = provider.message_on_logout_level(request)
logout_link = mark_safe('<a href="{}">link</a>'.format(logout_url)) logout_link = mark_safe('<a href="{}">link</a>'.format(logout_url))
adapter.add_message( level = provider.message_on_logout_level(request)
request, level,
message_template='cas_account/messages/logged_out.txt', # DefaultAccountAdapter.add_message from allauth.account.adapter is
message_context={ # unusable because HTML in message content is always escaped.
'logout_url': logout_url,
'logout_link': logout_link, template = 'cas_account/messages/logged_out.txt'
} context = {
) 'logout_url': logout_url,
'logout_link': logout_link,
}
message = mark_safe(render_to_string(template, context).strip())
messages.add_message(request, level, message)
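Review bot: Now that the rendered message is wrapped in `mark_safe` before `messages.add_message`, the only protection for the anchor is how `logout_link` is built, and `mark_safe('<a href="{}">link</a>'.format(logout_url))` puts `logout_url` into an attribute without HTML escaping. `logout_url` carries a `next` value taken from the request (`get_next_redirect_url(request)` or `request.get_full_path()`), and whether `provider.get_logout_url` percent-encodes every character that matters inside an attribute cannot be seen here, since the lines between the hunks are not shown. Building the link as `format_html('<a href="{}">link</a>', logout_url)` from `django.utils.html` escapes the URL and still returns a safe string, so the template renders the same for well-formed URLs. Separately, the `'django.contrib.messages' not in settings.INSTALLED_APPS` guard returns early when the app is listed by its AppConfig path; `apps.is_installed('django.contrib.messages')` from `django.apps` handles both spellings.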


@ -29,8 +29,9 @@ def client_cas_login(client):
class LogoutFlowTests(TestCase): class LogoutFlowTests(TestCase):
expected_msg_str = ( expected_msg_str = (
"To logout of CAS, please close your browser, or visit this <a " "To logout of CAS, please close your browser, or visit this "
"href=\"/accounts/theid/logout/?next=%2F\">link</a>." "<a href=\"/accounts/theid/logout/?next=%2Faccounts%2Flogout%2F\">"
"link</a>."
) )
def setUp(self): def setUp(self):
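Review bot: The updated `expected_msg_str` pins the message only for a benign `next`, so nothing visible in this class would catch a request-supplied `next` reaching the anchor unescaped now that the message is marked safe. A second case that logs out with a `next` containing `"` and `<`, and asserts that those characters appear only percent-encoded or HTML-escaped in the stored message, would cover that boundary. The rest of `LogoutFlowTests`, including the body of `setUp`, is outside this view, so such a case may already exist.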