Fix non-CAS users case

'service' instead of 'url'

kfet/auth/tests.py

@@ -166,10 +166,19 @@ class GenericLoginViewTests(TestCase):
         self.client.login(username="team", password="team")
 
         r = self.client.post(self.url)
-
-        self.assertRedirects(
-            r, "/logout?next={}".format(self.url), fetch_redirect_response=False
-        )
+        profile = getattr(self.user, "profile", None)
+        if profile and profile.login_clipper:
+            self.assertRedirects(
+                r,
+                "https://cas.eleves.ens.fr/logout?service={}".format(self.url),
+                fetch_redirect_response=False,
+            )
+        else:
+            self.assertRedirects(
+                r,
+                "/logout?next=http%3A%2F%2Ftestserver{}".format(self.url),
+                fetch_redirect_response=False,
+            )
 
     def test_notoken_not_team(self):
         """

kfet/auth/views.py

@@ -1,3 +1,4 @@
+from django.conf import settings as django_settings
 from django.contrib import messages
 from django.contrib.auth import authenticate, login
 from django.contrib.auth.decorators import permission_required
@@ -42,7 +43,7 @@ class GenericLoginView(View):
 
             if request.method == "POST":
                 # Step 1: set token and logout user.
-                return self.prepare_auth()
+                return self.prepare_auth(request)
             else:
                 # GET request should not change server/client states. Send a
                 # confirmation template to emit a POST request.
@@ -61,22 +62,36 @@ class GenericLoginView(View):
             # Step 2: validate token.
             return self.validate_auth(token)
 
-    def prepare_auth(self):
+    def prepare_auth(self, request):
         # Issue token.
         token = GenericTeamToken.objects.create_token()
 
-        # Prepare callback of logout.
-        here_url = reverse(login_generic)
-        if "next" in self.request.GET:
-            # Keep given next page.
-            here_qd = QueryDict(mutable=True)
-            here_qd["next"] = self.request.GET["next"]
-            here_url += "?{}".format(here_qd.urlencode())
+        # When CAS logs the user out, the generic login has to be called back.
+        # The corresponding callback URL is provided as a GET parameter.
+        # The renaming of the CAS logout "url" parameter to "service" is being forced,
+        # which is why the CAS logout URL with callback is constructed ad hoc,
+        # without relying on Django redirection to Django CAS.
 
-        logout_url = reverse("cof-logout")
-        logout_qd = QueryDict(mutable=True)
-        logout_qd["next"] = here_url
-        logout_url += "?{}".format(logout_qd.urlencode(safe="/"))
+        here_url = request.build_absolute_uri()  # preserves next parameter
+        profile = getattr(request.user, "profile", None)
+
+        if profile and profile.login_clipper:
+            generic_login_url = here_url
+            generic_login_qd = QueryDict(mutable=True)
+            generic_login_qd["service"] = generic_login_url
+
+            cas_server_url = django_settings.CAS_SERVER_URL
+            cas_logout_url = cas_server_url + "logout"
+            cas_callback_url = cas_logout_url + "?{}".format(
+                generic_login_qd.urlencode()
+            )
+
+            logout_url = cas_callback_url
+        else:
+            logout_url = reverse("cof-logout")
+            logout_qd = QueryDict(mutable=True)
+            logout_qd["next"] = here_url
+            logout_url += "?{}".format(logout_qd.urlencode(safe="/"))
 
         resp = redirect(logout_url)
         resp.set_signed_cookie(self.TOKEN_COOKIE_NAME, token.token, httponly=True)